The Government Finally Said It Out Loud: CyberUK 2026 and What It Actually Means for Your Business
On Tuesday, a government minister stood at a podium in Glasgow and said something I have been saying on this show for two years. The cyber frontline is already here.
Nice of them to catch up.
CyberUK 2026 happened on 22nd April. Security Minister Dan Jarvis. NCSC CEO Richard Horne. A conference hall full of government, industry, and intelligence community. Two of our team, Mauven MacLeod and Graham Falkner, were in the room. What they saw, what they heard in the corridors after the speeches, and what it means for your business is what this episode is about. And some of it should worry you more than the headline figures suggest.
The Numbers That Actually Matter
The headline from Tuesday was £90 million invested in cyber resilience over three years, including support for small and medium businesses, delivered through existing DSIT and NCSC programmes.
Now I am going to do something the press releases did not do. I am going to do the maths.
The UK has approximately 5.6 million small and medium businesses. If you split £90 million equally across all of them over three years, every business gets roughly £5.35 per year.
That is less than a round of coffee. Less than a month of Spotify. Less than the cheapest Cyber Essentials self-assessment on the market.
I am not trashing the announcement. At programme level, this money matters. It goes into the infrastructure behind Cyber Essentials, the Early Warning service, the tooling that supports the certification process. Cyber Essentials quarterly certifications passed 10,000 for the first time recently. Uptake was up around 20% in the last financial year. That growth needs funding behind it.
But the corridor conversations at the conference were more honest than the stage. The people involved in designing these programmes know this is not money arriving at any individual business’s desk. If you are sitting there thinking a cheque is heading your way, stop. It is not.
Jonathan Lee from TrendAI put it well at the conference: the government needs to move from gently encouraging organisations to providing real incentives. Tax credits. Structural motivation. Not more guidance.
The honest summary: the money is real. It will improve the programmes you benefit from indirectly. It will not fix your security. That part is on you. And if anyone tells you £90 million means the government has got your back, ask them to do the division.
The Cyber Resilience Pledge: Where It Gets Real
This is the part that actually changes things for your business. Everything above is context. This is consequence.
The government is launching a voluntary Cyber Resilience Pledge this summer. Large organisations that sign up publicly commit to three things:
One: Making cybersecurity a board-level responsibility by implementing the Cyber Governance Code of Practice and completing NCSC Cyber Governance Training at board level.
Two: Signing up to the NCSC’s free Early Warning service within one month of signing the Pledge.
Three: Requiring Cyber Essentials certification across their supply chains.
That third one. That is the one you need to hear.
Think about this personally for a second. Who are your top five customers by revenue? Which contracts, if you lost them, would genuinely hurt? If any of those customers are large enough to be approached about the Pledge, and they sign it, they become obligated to require Cyber Essentials from their suppliers. Not as a polite suggestion. As a public commitment with their name on it, listed on a government website.
Cyber Security Minister Baroness Lloyd has already written to over 180 UK CEOs and chairs encouraging sign-up ahead of the formal launch. Companies that sign get publicly listed as exemplars of good practice. That is the reputational engine driving uptake. And the operational consequence flows downstream. To their suppliers. To you.
The uncomfortable truth: the Pledge is voluntary for them. But your customer’s decision to sign is not your decision. You do not get a vote. You get a requirement.
Certification takes four to six weeks start to finish. Start now and you are done before the Pledge launches this summer. Wait for the email from your client’s procurement team and you are already behind. And the client already has doubts about you.
AI at Machine Speed: Real Threat, Wrong Response
Now the part of the conference that every security vendor is going to use to sell you something you do not need.
During his address, Jarvis stated that the UK cannot fight a machine-speed threat with human-speed bureaucracy. He was referring to the accelerating role of artificial intelligence in both offensive and defensive cyber operations.
On 7th April 2026, Anthropic announced Claude Mythos Preview. During controlled testing, it autonomously identified thousands of zero-day vulnerabilities across every major operating system and web browser, many of which had remained undetected for decades despite continuous human review.
Three findings illustrate the capability. A 27-year-old denial-of-service vulnerability in OpenBSD’s TCP implementation. A 16-year-old flaw in FFmpeg’s H.264 codec, introduced in a 2003 commit and missed by every subsequent review. And a 17-year-old remote code execution vulnerability in FreeBSD’s NFS server, granting unauthenticated root access, identified and fully exploited by the model without human involvement.
The DSIT AI Security Institute assessed this as a significant capability leap in offensive cyber operations. They estimate frontier AI capability is now doubling every four months. Six months ago, the estimate was every eight months.
Anthropic chose not to release Mythos publicly. Instead, they created Project Glasswing, a consortium including AWS, Apple, Google, JPMorganChase, Microsoft, and Nvidia, to let defenders begin patching the most critical systems first.
The threat is real. Genuinely real. But I want to be clear about something. The response for a business your size is not a six-figure AI security platform. The response is a conversation with your IT provider.
Ask them one direct question: “What is your plan for protecting us against attacks that move at machine speed?” If they look blank, that is your answer. And it is time for a conversation about whether they are the right provider.
Within a week of this announcement, every security vendor with a marketing department is going to tell you that you need their AI-powered security solution. That is vendor fear-mongering. It is exactly the kind of thing we exist to call out.
Your IT provider needs to be patching faster, monitoring more actively, and thinking about how they respond to threats that do not move at human speed any more. That is a conversation. Not a purchase order. Do not let a vendor convince you otherwise.
The Voluntary Problem
I have given the government credit where it is due. They said the right things. The direction is correct. Now let me be honest about the weakness.
The Pledge is voluntary. There is no penalty for not signing. No enforcement mechanism. The organisations most likely to sign are the ones already taking cyber seriously. The ones that most need to sign, where cyber is still a cost to minimise and a box to tick at audit time, will not sign. Not this summer. Probably not next year either.
Voluntary schemes attract the willing. The unwilling carry on.
The National Cyber Action Plan is due this summer. That is the document that determines whether Tuesday’s announcements become the start of something with real teeth, or remain what I would call compliance theatre dressed in ministerial language.
What would make it real? Mandatory incident reporting. Legislative enforcement through the Cyber Security and Resilience Bill. Structural financial incentives for SMB certification. Tax credits. Insurance premium reductions. Something that creates a genuine cost for inaction, not just a gentle encouragement to do the right thing.
I will cover the Action Plan in detail when it drops. And I will not pull punches on it.
How to Turn This Into a Competitive Advantage
Here is the thing nobody at CyberUK said out loud: the Pledge creates a market opportunity for businesses that move first.
Get certified before your competitors. When the Pledge launches and procurement teams start adding CE requirements to contracts, certified businesses win the work. Uncertified ones scramble. First-mover advantage is real here.
Use CE as a sales differentiator. When you are pitching to a large organisation that has signed the Pledge, “We are already Cyber Essentials certified” is the sentence that moves you from the maybe pile to the shortlist.
Build supply chain confidence. If your clients are worried about their own supply chain obligations, being the supplier that already has its house in order makes you the safe choice. In procurement, safe choices win contracts.
How to Sell This to Your Board
If you need to get budget or time approved, here are the arguments that will land:
The cost of inaction is measurable. JLR’s supply chain breach cost £1.9 billion. Suppliers six and seven tiers down the chain, businesses your size, had no involvement in JLR’s security decisions and no control over what happened to them. That is the supply chain risk in pounds and pence.
Certification protects revenue. If your largest client signs the Pledge this summer, Cyber Essentials becomes a contract condition. No certification, no contract. The cost of CE certification is a fraction of the revenue you protect by having it.
The government is moving. The Cyber Security and Resilience Bill is progressing through Parliament. The National Cyber Action Plan lands this summer. The direction of travel is clear: more requirements, not fewer. Getting ahead of this is cheaper than reacting to it.
The NCSC is handling four nationally significant incidents every week. Doubled in a year. The majority now come from nation states. This is not a theoretical risk. It is an operational reality that affects businesses at every level of the supply chain.
What This Means for Your Business
Five steps. All free or low-cost. All achievable this week.
- Get Cyber Essentials certified now. The Pledge’s supply chain requirements are coming this summer. Certification takes four to six weeks. Start this week and you are done before the Pledge formally launches.
- Sign up to NCSC Early Warning today. Free. Takes minutes. The NCSC will alert you if your IP addresses or domains appear in connection with known attacks. Go to ncsc.gov.uk and search for Early Warning.
- Check your supply chain exposure. Who are your top five clients by revenue? Are any of them large enough to be in scope for the Pledge? If yes, plan for the CE requirement now. Do not react to it under a procurement deadline.
- Ask your IT provider one direct question. “What is your plan for protecting us against AI-assisted attacks at machine speed?” If they look blank, that is your answer.
- Audit your AI tools. If your business uses AI assistants, chatbots, coding tools, or email integrations, map what they can access and what permissions they hold. Minimum permissions. Reviewed regularly.
Good security does not have to be expensive. Stupidity always is. Right now, the most expensive thing you can do is wait for someone else to sort it.
Listen to the full episode for the complete discussion with Mauven MacLeod and Graham Falkner, including what they saw on the exhibition floor that the speeches did not cover.