CyberUK 2025: Securing the Future by Building Resilience Today

CyberUK 2025 was a wake-up call and a rallying cry. Held in Manchester, this year’s conference cut through the hype to confront the raw, inconvenient truths about cyber resilience. The threats are escalating. The basics are still being missed. And while tools keep evolving, culture, leadership and collaboration remain the most decisive factors. 

This wasn’t a conference for spectators. It was a blueprint for survival.

The Cyber Landscape: Chaos Is the Constant 

Richard Horne, CEO of the National Cyber Security Centre (NCSC), opened with a clear directive: control the controllables. In a world where threats mutate by the hour, reactive firefighting is no longer a viable strategy. Cyber isn’t a finite problem – it’s an infinite contest. 

He outlined three priorities: 

1. Strengthen collective defence through sharing, defending and acting at scale. 

1. Lead on advanced threats with actionable intelligence, both military and criminal. 

1. Respond globally, coordinating with allies to disrupt cross-border attacks. 

This wasn’t just rhetoric. These themes echoed across keynotes, panels and breakout sessions: we must shift from chasing threats to shaping our posture. That means building resilience into every layer of our systems, supply chains and strategies. 

Still Failing at the Fundamentals 

A striking moment came when a panel of top experts was asked if we’re getting the basics right. The answer was a unanimous “No.” 

From BAE Systems to DSIT to the Australian Signals Directorate, leaders pointed to basic hygiene failures – unpatched systems, missing logs, unreviewed alerts – as the root of too many breaches. These aren’t zero-day attacks or nation-state exploits. They’re routine mistakes with catastrophic impact. 

Rod Leam (DSIT) noted that many impactful attacks today are “low sophistication, high impact”—avoidable with standard protections. 

Cyber Essentials, the UK’s foundational security framework, came up repeatedly. One firm reported an 80% drop in attacks after requiring certification across their supply chain. BAE Systems’ CISO described it as “a licence to operate,” having reduced vulnerabilities by 8x. Still, John Edwards (ICO) reminded us: “Cyber Essentials is a floor, not a ceiling.” 

Recovery is Brutal—and Often Underestimated 

Sir Ciarán Devane’s account of the 2021 ransomware attack on Ireland’s Health Service Executive (HSE) was stark. Even with backups and a decryption key (acquired without ransom), full recovery took years. “But don’t we have backups?” became the misguided refrain. 

Ffion Flockhart explained why: attackers now target backups early, and many organisations don’t simulate total system failure. Real preparedness means running “zero IT” scenarios, involving non-technical teams, and testing how operations survive without digital support. 

Annual tabletop exercises? Not enough. Cyber resilience isn’t about checking a box – it’s about pressure-testing your entire organisation. 

AI: Force Multiplier and Threat Vector 

Artificial intelligence was everywhere at CyberUK 2025 – for good and ill. AI is transforming both offensive and defensive cyber operations. 

On the dark side: autonomous malware, phishing bots, machine-learning evasion, deepfakes and generative content engineered for social manipulation. These are already in the wild. 

On the defensive front, AI-driven detection, real-time threat modelling and automation are proving essential. But the key is using AI proactively, not just reactively. 

If attackers use AI to scale threats, defenders must use it to outpace them. Waiting isn’t an option. 

Supply Chain: The Hidden Battlefield 

The complexity of modern supply chains has created a sprawling attack surface. Threat actors know it and they exploit it relentlessly. From SolarWinds to MOVEit, third-party compromise is often the entry point. 

CyberUK speakers advocated for a new approach: 

• Standardise requirements, rather than create a maze of custom demands. 

• Hold suppliers accountable – cyber is part of the contract. 

• Push for transparency, like the NCSC’s goal of “food label” standards for software vendors. 

The call was clear: supply chain security must be easier, not harder. Simplified controls, aligned expectations and shared responsibility are key to raising the bar. 

Public-Private Synergy: The Path Forward 

Across multiple panels, the tension between regulation and innovation surfaced. Government sets the rules, but the private sector drives the tools. To win in today’s threat landscape, they need to work in lockstep. 

Speakers from the UK Cabinet Office, Microsoft and the Canadian Centre for Cyber Security explored what effective government leadership looks like. It’s not just mandates and frameworks—it’s walking the walk: investing in public sector resilience, coordinating intelligence sharing and enforcing cyber standards through meaningful deterrents like sanctions and penalties. 

Canada’s ROI-focused approach stood out. “Can we demonstrate reduced attacks with MFA at scale?” asked one panelist. If we can’t measure what’s working, we’re not really managing risk—we’re guessing. 

Beyond Borders: Cyber Diplomacy in Action 

International collaboration took center stage. Representatives from the UK, Germany, Singapore and Japan discussed how national security committees are evolving – from reactive firefighting to proactive resilience-building. 

Streamlined reporting, shared threat intelligence and interoperable regulations were recurring themes. When attackers move globally, defenders must too. 

Pat McFadden, Minister for Cyber, tied cyber resilience to economic growth. The UK is now the world’s third-largest cyber exporter. Strengthening national security is no longer a cost center – it’s a business strategy. 

He also affirmed UK support for Ukraine’s cyber defence efforts and Moldova’s election protection, highlighting the strategic role of cyber in defending democracy. 

Operational Technology: The Next Frontier 

One session that resonated strongly was the focus on OT (Operational Technology) security. These are the systems that run critical infrastructure – power grids, transport networks and manufacturing plants. 

Key insight: OT security isn’t just about firewalls. It’s about embedding cyber into engineering design – ensuring systems don’t just fail safely, but survive targeted attacks. 

With state-sponsored threats targeting energy, water, and healthcare systems, OT security is no longer theoretical. It’s an urgent, national-level priority. 

A Culture Shift, Not Just a Tech Shift 

Perhaps the biggest takeaway: cyber resilience isn’t about having the best tools, it’s about having the right mindset. 

• Certs like ISO 27001 and Cyber Essentials are helpful, but culture eats certification for breakfast. 

• Visibility matters. If your exec team doesn’t know what’s really in the infrastructure or thinks everything is backed up when it isn’t, that’s a blind spot waiting to be exploited. 

• Real resilience comes from integration, not isolation between teams, partners and nations. 

Cyber security is now a team sport, and solo players will lose. 

Conclusions: What CyberUK 2025 Made Crystal Clear 

• Resilience is the mission. Stop aiming for perfection. Plan for chaos. Build systems and cultures that can take a hit and keep going. 

• Get the basics right. Know your Data! Patching, MFA, logging, backups – these are the difference between a close call and a catastrophe. 

• Test everything. Assume zero IT. Run real-world simulations. Involve everyone, not just IT. 

• Use AI before it’s used against you (once you get the basics!). Don’t wait until attackers weaponise it better than you can defend. 

• Demand supply chain security. Simplify. Standardise. Hold partners accountable. 

• Lead from the top. Boards must treat cyber risk like financial risk. It’s a business issue, not just an IT concern. 

• Collaborate or collapse. Government, business and international allies must share threat intel and strategy. 

• Measure what matters. If you can’t prove your resilience works, you’re guessing not securing. 

Bottom line: The threats are real. The tools are here. The gap is leadership, coordination and execution. CyberUK 2025 didn’t just warn us… it handed us the playbook.