There is a number worth sitting with for a moment.

49%.

That is the share of UK businesses that cannot handle a basic malware incident. Not a sophisticated nation-state attack. Not a zero-day exploit. Basic malware – the kind that has existed for decades, the kind that experienced security teams resolve before their morning coffee. Nearly half of UK businesses. Unable to manage the basics.

And yet the dominant conversation around cybersecurity in the UK tends to focus on something else entirely: cookie banners, compliance checklists, GDPR documentation. Forms. Not substance.

That gap – between the threat that exists and the response being built – is the real problem. And it is not getting smaller.

The structural problem nobody addresses

The public sector has roughly 50 to 60 times fewer cybersecurity professionals than the private sector. Government legal and legislative teams working on cyber policy are even smaller – sometimes a fraction of that.

This creates a predictable outcome: the institutions responsible for setting the rules are structurally unable to keep pace with the threats those rules are meant to address. Regulation arrives late, focuses on visible compliance markers, and rarely translates into meaningful protection.

Organisations are checked on whether their cookie banner is formatted correctly. They are not checked on whether the data collected through that banner is actually secure. The system is optimising for the audit. Not for the outcome.

Then AI changed the equation

The threat landscape was already difficult. Then it accelerated.

In 2025, over 90% of phishing emails were AI-generated. That figure sounds abstract until you understand what it means operationally: the era of spotting a phishing attempt by its broken grammar or generic greeting is over. These messages now know your name, your role, your organisation, your recent professional activity. They are personalised, convincing, and produced at scale.

Attackers have access to AI tools and are deploying them systematically. Defences – particularly among smaller organisations – have not kept pace. The gap is widening, and it is doing so faster than most businesses realise.

Geopolitics is now a cybersecurity variable

This is the part of the conversation that tends to get underestimated.

Russia has systematically targeted UK critical infrastructure in direct correlation with UK support for Ukraine. When Storm Shadow missiles were approved for transfer, the UK saw a significant surge in cyberattacks. The primary targets were not defence contractors or government ministries. They were the NHS. Transport networks. Public services.

Organisations that had no reason to consider themselves geopolitical targets – and were not prepared to be.

This is what changes the calculus on risk. The threat is not abstract or theoretical. It arrives in response to external events, it targets the least prepared, and it causes real disruption to real operations. Risk management can no longer be treated as an internal exercise disconnected from the broader environment.

The regulation paradox

2026 has brought a wave of new regulatory activity in the UK – the EI Act, DORA, updated GDPR frameworks. The intent is right. The execution raises questions.

More regulation does not automatically mean better protection. When the focus remains on documentation and visible compliance rather than operational security outcomes, organisations end up investing in processes that satisfy auditors rather than processes that reduce risk.

The UK sits at an interesting juncture – between the innovation-first approach of the US market and the regulatory density of the European Union. Neither extreme has delivered a model that fully works. The opportunity is to build something more effective than both. But that requires treating substance as the priority, not form.

What actually works

There is no single answer, and anyone who tells you otherwise is oversimplifying.

Real cybersecurity is a combination of controls – implemented correctly, for a specific environment, against specific threats. ISO 27001 applied generically will not protect you. A single software subscription will not protect you. Encryption without access controls will not protect you.

What works is a layered approach: the right tools, the right processes, the right oversight – tailored to the organisation, the sector, and the actual threat profile. That requires understanding both the regulatory environment and the operational reality of the business. It requires treating compliance not as a destination but as a framework that supports how the organisation actually functions.

The businesses that get this right tend to share one characteristic: they stopped treating cybersecurity as a cost centre and started treating it as a foundation for growth. Investors notice. Clients notice. The organisations that can demonstrate genuine security maturity have a competitive advantage that is increasingly difficult to replicate.

The risk is not the enemy. Ignorance is.

The most dangerous condition in cybersecurity is not a sophisticated attacker or a complex regulatory landscape. It is the gap between what an organisation believes about its own security posture and what is actually true.

Closing that gap – honestly, practically, without oversimplifying – is the most valuable thing any security or compliance professional can do.

Want to go deeper on this topic? We explored these issues in a full conversation with Mykola Kuzmin, researcher at the Henry Jackson Society and contributor to The Telegraph.

Watch the full episode here: https://youtu.be/45aIZZdGEG4?si=K21SNDubp3qvtPgt