The UK's New Cyber Plan Is a Step Forward—But It’s Already Late to the Party


The United Kingdom just announced a sweeping cyber action plan designed to fortify public services against increasingly sophisticated threats. On paper, it's exactly what the country needs: new measures to secure everything from benefits applications to healthcare portals, making critical online services more resilient for millions of users.

There's just one problem. It should have happened months ago.

"It's a big pivot from previous priorities and frankly it's overdue," said Inversion6 CISO Ian Thornton-Trump. "In my opinion, the threat has not been higher to national critical infrastructure in recent memory."

The harsh reality? By the time these investments bear fruit, the UK may have already weathered significant cyber incidents. Cybersecurity improvements don't happen overnight—they require planning, implementation, testing and refinement. That's a multi-year journey, and the threat actors aren't waiting around.

"Investment now can often take years to come to fruition," Trump said. "The result? Highly likely we suffer some adverse cyber-attacks before any tangible improvement manifests."


What Organizations Can Do Right Now

Here's the good news: UK organizations don't have to wait for government initiatives to trickle down. There's a proven playbook available today that can dramatically improve your security posture in the near term.

Trump outlined a two-step approach that any organization can start immediately. First, conduct a Cyber Security Essentials (CSE) audit to understand exactly where you stand—especially if you already suspect vulnerabilities lurking in your environment. Second, develop a solid RFP to bring in a third-party managed security service provider, like Inversion6, who can close those critical gaps fast.

This isn't theoretical advice. The UK already has an established cybersecurity control standard, and the numbers speak for themselves.

"The UK has had a de facto cyber security control standard for some time now and it has had a measurable impact," Trump said, adding that organizations implementing CSE also receive £25,000 in free cyber insurance—a tangible incentive on top of the security benefits.

The Cyber Security Essentials framework, backed by the National Cyber Security Centre, has proven remarkably effective at preventing opportunistic attacks—the kind that exploit basic security gaps and account for most successful breaches.

"If Cyber Security Essentials is implemented, it's highly unlikely a 'low hanging fruit' cyber attack will be successful," Trump said. "That's not just me saying that. That's the science and NCSC numbers."


The Build vs. Buy Decision (Hint: Time Matters)

So, you're committed to achieving CSE certification. Great. Now comes the critical decision: do you build internal security capabilities or partner with a commercial MSSP?

The answer often comes down to how much time you have—and given the current threat landscape Trump describes, time is not on your side.

"If the organization is committed to achieving CSE, then they either need to find the resources in the commercial cyber security sector or build them internally," Trump said. "Building takes more time than onboarding an MSSP. Takes way more time."

That time gap could be the difference between preventing an attack and explaining to stakeholders why your critical infrastructure went dark.


The Commercial Aspect

In the UK, supply chain partners, vendors and customers are asking for proof of CSE, or even CSE+, a third-party audited version of the same standard.

“I think it comes down to this,” said Trump. “If two equally qualified companies are competing for business, or government work, the one with CSE or CSE+ is going to win that business. Folks are looking for some assurance the basic cyber security controls are in place.”


The Bottom Line

The UK government's new cyber action plan is a welcome development, even if it's arriving later than ideal. But organizations can't afford to wait for government programs to mature. The tools, frameworks and expertise needed to significantly improve your security posture exist today—and the threats certainly aren't waiting for bureaucracy to catch up.