British SMBs are glaringly unprotected – will the new Cyber Security and Resilience Bill be enough to raise the bar?

New cyber legislation in the UK will aim to shore up the resilience of critical national infrastructure, but experts think legislators will need a light touch to avoid over burdening smaller firms in public sector supply chains.

The Cyber Security and Resilience Bill , announced during the King’s Speech in July, promises to bolster the security of the UK’s critical national infrastructure and toughen up supply chains.

But questions remain around how the Bill will impact smaller private businesses, which make up the vast majority of UK industry and underpin many of the supply chains that are vital to critical infrastructure organizations.

Speaking to ITPro, Stephen McPartland, author of the McPartland Review into Cyber Security and former national security minister, said the Bill is promising but could lack the scope required to have a significant positive impact on broader national security.

McPartland noted that SMBs often lack even the most basic cyber protections, despite playing an integral role in national supply chains.

“The Bill sounds like fantastic news, but it is very narrow and really focused on critical national infrastructure rather than the wider UK economy ,” he said.

“We know that most SMBs have no real cyber security in place and many do not even have basic cyber hygiene , which is worrying as they account for 99% of all businesses in the UK and a key part of economic resilience in supply chains. It is why the previous Government asked me to undertake the McPartland Review into Cyber Security.”

McPartland added that the review he conducted of the nation’s security posture revealed how the UK’s economic welfare rests on ensuring SMBs are as resilient as possible to potential cyber threats.

“The review found that Cyber security can be an enabler of economic growth; a source of competitive advantage and a driver of economic and social value in a rapidly changing world that makes the UK a technology superpower. Our insurance , legal services, and financial services sectors are world leading and cyber security can be the fourth pillar to stand alongside these markets in making the UK the safest place in the world to do business.”

Public sector supply chains rely on resilience of SMBs

Although the Bill doesn’t include any measures specifically aimed at boosting cyber resilience in under-resourced organizations , due to their role often underpinning supply chains for larger public sector organizations, experts expect the legislation will promote a general improvement in cyber resilience across the board.

Jonathan Lee, public sector lead at Trend Micro , told ITPro the regulations need to take into account the fact that these organizations often have far fewer resources to spend on compliance, however.

“Many SMBs are part of the complex supply chain that supports public services. Therefore, the security of the data that they hold, and the uptime of their services is crucial. Regulations must be proportionately applied to these organizations too, but their obligations and actions need to be communicated in a way that is easy to digest,” he noted.

“Some smaller organizations will likely need to consult specialist third parties for assistance due to the cybersecurity skills gaps that we have in the country.”

Focus more on your core business and less on security

Ben Hutchinson, associate principal consultant at the Synopsys Software Integrity Group, agreed that the pressure from new regulations will go some way in driving additional effort to shore up defenses.

“I think we have seen that regulatory pressure does work as a lever to raise the bar when it comes to security and risk management practices,” he argued.

“Given the increase in recent years of ransomware and cyber-attacks, particularly against public services and supply chains, anything that drives additional effort in this direction and investment by businesses and service providers into cyber risk defense, mitigation and recovery mechanisms is a good thing.”

Hutchinson suggested the Bill could introduce lighter burdens on these organizations to avoid placing overly demanding obligations on smaller firms .

“Of course, small businesses (as well as larger ones) can struggle with under resourcing in the event of additional compliance burdens however it wouldn’t be too uncommon to see additional support or lighter weight reporting expectations for SMB/SME organizations to be incorporated into the eventual compliance approach, although we may have to see how this develops.”