Archives for 2025

Some of the biggest myths about hacking have been challenged in a new open letter from leading cyber experts. 

The letter, signed by a group of current and former Chief Information Security Officers (CISOs), security leaders, and practitioners, aims to correct common misconceptions about everyday digital risks facing people and small businesses. Meanwhile, it highlights the practical steps that actually can make a difference to device security.

As the national body for cyber clusters, the UKC3 is working with regional ecosystems, government and industry to turn evidence-based advice into accessible guidance, workshops and support for SMEs across the UK.

The open letter is led by Bob Lord, former security chief for Yahoo, Twitter and the Democratic National Committee, who says he has long been frustrated by what he terms ‘hacklore’ – scary-sounding security tips that persist through repetition, even when evidence does not back them up.

He has launched hacklore.org to challenge this kind of cybersecurity folklore, arguing that it distracts people from the simple, proven steps that genuinely cut everyday cyber risk.

Top of the myth list is the idea that you should always avoid public wifi. While a recent report from Google warned that public networks are easily exploited, the experts point out that large-scale attacks via public wifi are now very rare. 

Modern apps and services typically use strong encryption, and today’s operating systems and browsers warn users when connections are unsafe. 

The letter makes similar points about QR codes, Bluetooth and contactless functions, noting there is no evidence of widespread crime caused by QR-code scanning itself, and that real-world wireless exploits are extremely rare and usually require specialist equipment, physical proximity, and unpatched devices.

The experts also push back on some long-standing ‘best practice’ tips. Frequently changing passwords, for example, can encourage people to choose weaker options and reuse them across accounts – both of which increase risk rather than reduce it. 

Other familiar warnings, such as never using public USB charging points, always turning off Bluetooth and NFC, or constantly clearing cookies, are also labelled as distractions from higher-impact protections.

Instead, the experts recommend focusing on a small set of proven measures: keeping devices and apps up to date, turning on multi-factor authentication for sensitive accounts, and moving towards passkeys – a newer sign-in method designed to replace passwords. 

They also stress the value of using a reputable password manager to generate strong, unique passwords where needed and to store passkeys securely.

UKC3 co-chair Dr Ismini Vasileiou said: “It’s easy to be overwhelmed by alarming headlines and mixed messages, but most people don’t need to be afraid of everyday tools like public wifi or QR codes. 

“What really counts is getting the basics right – keeping devices up to date, switching on multi-factor authentication, and using strong, unique login details. If more individuals and small businesses focused on those simple actions, we’d see a much bigger increase in real-world cyber resilience.

“Alongside this, the programmes and events delivered by our clusters are specifically designed to help organisations of all sizes reduce risk and build resilience. By taking part, leaders can access practical support, ask questions in a safe space, and leave with clear, realistic next steps to strengthen their defences.”

UKC3 has welcomed a new Ministerial letter urging small businesses to take cyber security more seriously in the wake of high-profile attacks on major UK companies. 

The letter, signed by Liz Lloyd CBE, Minister for Digital Economy, warns that hostile cyber activity is becoming ‘more intense, frequent and sophisticated’ – and that organisations of every size are now potential targets.

Recent incidents at companies including Marks & Spencer and Jaguar Land Rover underline the scale of the risk, with the JLR attack in August contributing to a 24% year-on-year revenue drop in its second quarter after production was halted for around five weeks. 

The letter, co-signed by Richard Horne, CEO of the National Cyber Security Centre (NCSC) and Blair McDougall, the Small Business Minister, highlights that half of UK small businesses have reported a cyber attack in the past 12 months, while 35% of micro businesses have experienced phishing attacks.

To help firms ‘stay resilient in the face of evolving threats’, ministers are directing SMEs to the free Cyber Action Toolkit. 

This online resource from the National Cyber Security Centre (NCSC) offers a simple, step-by-step way for organisations to strengthen their defences against email compromise, data breaches and ransomware, with personalised guidance and progress tracking. 

The letter also encourages businesses to work towards Cyber Essentials, the UK’s recognised minimum cyber security standard, which demonstrates protection against the most common attacks.

UKC3 co-chair, Dr Ismini Vasileiou, said: “This letter is a clear reminder that cyber risk is a board-level issue for every organisation, not just large enterprises. 

“Small businesses are deeply woven into national supply chains and local economies, so when they are hit, the impact ripples far beyond a single company. 

“Practical tools like the Cyber Action Toolkit and schemes such as Cyber Essentials give SMEs a realistic, affordable way to start improving their resilience today – and UKC3’s cluster network stands ready to help them turn that guidance into action on the ground.”

Newly-released figures have revealed the impact of the cyber attack on Jaguar Land Rover.

The incident, which hit Jaguar Land Rover’s computer systems in September, forced the company to halt car production for nearly six weeks. The shutdown had repercussions throughout supply chains and was blamed for a slowdown in the UK’s overall economic growth that month. 

During the three months to the end of September, the UK’s largest car manufacturer’s revenue fell 24% year-on-year to £4.9 billion. Meanwhile, the company posted a loss of £485 million – compared to a £398 million profit the previous year. 

The cyber incident alone cost Jaguar Land Rover £196 million, mostly in emergency IT support and recovery costs. 

The Government last month warned that hostile cyber activity in the UK is becoming more frequent and complex, making it vital for all businesses to take their digital defences seriously.

The situation highlights just how damaging cyber attacks can be for businesses of any size and UKC3 continues to urge business owners to take up training and networking opportunities available nationwide through UKC3 regional clusters. Local networks run events which help organisations build resilience and respond to ever more sophisticated cyber threats.

Dr Ismini Vasileiou, UKC3 co-chair and Cyber Skills lead, said: “Events like the JLR cyber attack demonstrate the real-world impact digital threats can have on business operations, finances, and even jobs across whole industries. 

“Building networks through UKC3 clusters around the regions and nations means learning more about what is available in terms of practical workshops, expert mentoring, and tailored support to help organisations strengthen their cyber governance and resilience. 

“Upskilling your workforce and connecting within our wider cyber community means your business isn’t facing these risks alone.”

A new Bill introduced to Parliament aims to better protect essential UK services against cyber attack.

UKC3 has welcomed the introduction of the Cyber Security and Resilience Bill, which aims to strengthen national security and protect growth by boosting cyber protection for services that people and businesses rely on every day. 

In the face of increasing cyber threats, the Bill aims to prevent disruption within healthcare, water, transport, and energy – keeping the taps running, the lights on and the UK’s transport services moving.  

Recent cyber attacks on managed service providers (MSPs) have highlighted the need for updated legislation. Last year, hackers accessed the Ministry of Defence’s payroll system via a managed service provider.

Meanwhile, other recent attacks – such as the Synnovis incident in the NHS – resulted in more than 11,000 disrupted medical appointments and procedures and some estimates suggesting costs of £32.7 million.

UKC3 Co-chair Simon Newman said: “This Bill is important for the UK’s cyber sector. 

“By focusing on the resilience of essential services, Parliament is recognising not just the importance of effective cyber defences, but also the urgent need to help businesses, councils and community organisations withstand and recover from attacks. 

“We support legislation that empowers the sector, and the country, to raise the bar for digital safety and continuity.”

This legislation builds on the momentum created by the recent publication of the Cyber Governance Code of Practice, which provides a clear framework for organisations to manage their digital risk. 

The UK Government recently published the Cyber Governance Code of Practice, giving organisations simple rules to manage digital risk. The new Bill means more services – including shops, hospitals, and councils – will need to improve their cyber security, raising standards for thousands of organisations in the long run.

It follows a recent letter from government ministers including the Technology Secretary, Chancellor and Business Secretary to business leaders and FTSE 350 firms, urging them to strengthen their cyber defences to face down the growing range of threats targeting the UK’s leading organisations.  

Science, Innovation, and Technology Secretary, Liz Kendall MP, said: “Cyber security is national security. This legislation will enable us to confront those who would disrupt our way of life. I’m sending them a clear message: the UK is no easy target.

“We all know the disruption daily cyber-attacks cause. Our new laws will make the UK more secure against those threats. It will mean fewer cancelled NHS appointments, less disruption to local services and businesses, and a faster national response when threats emerge.”

Momentum continues to build behind recommendations made in a recent cyber security skills White Paper. 

Cyber Workforce of the Future: Why the UK Needs a Skills Taxonomy Now was officially launched during a special event in Westminster this week. 

Led by Dr Ismini Vasileiou and attended by Dan Aldridge MP, Chair, APPG for Cyber Innovation, the event brought together government, industry, and academia for a round table discussion at Portcullis House. 

Groups including EMCSC, De Montfort University Leicester, DSIT, techUK, the UK Cyber Security Council, NCSC, and UKC3 discussed next steps on how to address barriers and challenges within the industry identified in the White Paper. 

Issues discussed by the group included workforce fragmentation, scarcity of entry-level roles, lack of engagement with larger employers and companies, capacity issues within SMEs and smaller firms and government-led implementation. 

Delegates acknowledged that while the UK Cyber Security Council currently leads the work on establishing a Professional Register for Cyber Practitioners, progress has been hampered by limited sector engagement and a lack of sustained government backing since the end of the Council’s initial funding. 

All around the table agreed that a credible, widely supported register remains essential to professionalising the workforce, recognising skills, and strengthening accountability across the sector.

Dr Vasileiou is Co-Chair at the UK Cyber Cluster Collaboration (UKC3), East Midlands Cyber Security Council founder, and Associate Professor and author of the White Paper. 

She said: “It was encouraging to have an open and honest conversation not just around the issues within the industry but also around barriers to addressing them. 

“Collaboration is key and so to lead the conversation around that and hear industry leaders from a range of sectors agree on a route forward feels like real progress. 

“Capitalising on the current relevance of cyber security and seizing opportunity were other things we all agreed on and with the backing of Dan Aldridge MP and the APPG I’m excited to see what we can achieve together.”

Dan Aldridge MP, Chair, APPG for Cyber Innovation, added: “We need to embark on a national mission when it comes to cyber security.

“Threat proliferation is a real issue and the general public do not always understand the threat proliferation that we have. 

“This paper, and discussions we have had today, feed into what needs to happen next to bolster cyber security for everyone. 

“There’s an opportunity over the next 12 months to raise the game, get other MPs involved and make cyber security part of the national conversation.”

The White Paper, published earlier this year, recommends that Government should:

1. Establish a DSIT-led taskforce to co-create a UK Cyber Skills Taxonomy
2. Establish a national delivery body to govern the taxonomy
3. Incentivise employer adoption of standardised, skills-based recruitment
4. Align education and career pathways to real-world cyber roles
5. Scale regional skills alignment through a National Implementation Framework.

The Good Business Charter (GBC) has been working with the Department for Science, Innovation and Technology (DSIT), and business accreditation bodies in order to make cyber security a formal part of best practice standards for its members.

It this week announced that it has added specific reference to cyber security within its accreditation framework. The new requirement sits within the accreditation’s eighth of 10 components of the framework, Commitment to Customers, and recognises the importance of protecting personal data of all stakeholders, including employees and suppliers.

The move comes soon after Ministers wrote to UK business leaders, encouraging them to take action to build their cyber resilience. As awareness of cyber risks grows and attacks become more sophisticated, it is essential business owners recognise that protecting stakeholders’ data is as essential as protecting their products, reputation, or finances.

UKC3 Director and Ecosystem Development Lead, Ben Shorrock, welcomed GBC’s decision, adding: “Improving cyber security skills is key for small businesses and the GBC making it a universal business standard marks another step forward.

“The benefit is clear: protecting data is no longer just a technical consideration – it’s central to building trust with customers, partners, and the wider supply chain. This is why the UKC3 network champions the sharing of best practice, through both seeding and nurturing new clusters, and acting as a national voice for established clusters’ excellence in cybersecurity.”

The updated GBC standard puts protection of personal data front and centre – not just for customers, but also for employees, suppliers, and anyone else connected to the member’s business.

The new requirement will be phased in over coming months. Current accredited organisations coming up for renewal within the next six months will have a grace period to update their practices in line with the new standards. However, new applicants seeking Good Business Charter accreditation must commit to these cyber security measures immediately.

Member businesses are also being encouraged to access the free resources that the government has to help businesses, including Cyber Essentials and the Cyber Governance Code of Practice. 

The CEO of the Good Business Charter, Jenny Herrera, said: “The specific reference to cyber security adds strength to the accreditation – it was always implied within components that set out an organisation’s commitment to their customers and to their other stakeholders, but in spelling out the need to develop a positive cyber security culture we ensure the Good Business Charter remains relevant and comprehensive.”

Cyber Security Minister, Liz Lloyd, said: “Every firm now runs on digital systems, from payroll and payment readers to logistics. That dependence brings everyday exposure to cyber threats, and when those systems are hit, business stops. 

“Making cyber security part of the Good Business Charter is a welcome move and demonstrates the importance of managing cyber risk – which is a key element of responsible business behaviour.”

The GBC was developed by entrepreneur, Julian Richer, in collaboration with the Confederation of British Industry (CBI) and the Trades Union Congress (TUC) and is the responsible business benchmark for more than 1,000 organisations of all sizes. The ten components of its framework cover care for employees, suppliers, customers and the planet, as well as paying a fair share of UK tax.