Intertek's Assurance in Action Podcast Network

Cybersecurity Demystified: UK Govt initiatives to strengthen cyber resilience in the UK

Intertek Business Assurance Season 8

In the third episode of our ‘Cyber Security De-mystified Podcast Series’, Steve Ramsden, President of Information Security at Intertek, meets with guest speaker Irfan Hemani, Deputy Director for UK Cyber Security & Resilience Policy at the Department for Science, Innovation and Technology (DSIT), to talk about UK Govt initiatives aiming to strengthen cyber resilience and what this means for UK organisations.

Speakers:

  • Steven Ramsden: President of Information Security at Intertek
  • Irfan Hemani: Deputy Director for UK Cyber Security & Resilience Policy, DSIT


Welcome to the third in our ‘Cyber Security De-mystified Podcast Series’.  

Today we are talking about UK Govt initiatives to help strengthen cyber resilience for the UK. I’m Steve Ramsden, President of Information Security at Intertek, and I’m delighted to welcome our guest speaker, Irfan Hemani. Irfan Hemani is Deputy Director for UK Cyber Security & Resilience Policy at the Department for Science, Innovation and Technology (DSIT).

Irfan is responsible for the Government's work to improve cyber resilience across the UK economy, including the recent Cyber Security & Resilience Bill, Product Security laws and the Resilience Pillar of the National Cyber Strategy. He is also the author of the Harvard Belfer Center's National Cyber Power Index and previously worked in Deloitte's Technology Risk Advisory team.

In our podcast today, to help us unpack what this means for your organisation, we’ll explore practical steps you can take and learn how to turn policy into protection.

 
Irfan Hemani (DSIT)
Thanks for having me. I really appreciate the chance to come and speak to you.

 
Steven Ramsden (Intertek)
So there’ve been major steps forward in cybersecurity from the UK Government. I'd like to discuss with you, Irfan, how this impacts our listeners. So my first question is: what is the UK's policy and approach in making the UK cyber resilient?

 
Irfan Hemani (DSIT)
I think it's probably worth saying that the UK’s approach on cyber policy isn't just around the cyber resilience of the UK; it fits into the broader government agenda of growth. So listeners may have heard the government talk a lot about growth being a political priority for this government, and within that, digital technologies and digital growth are an important part of how we achieve that. And if we are going to use digital technologies as best as we can to create economic growth and support businesses, they need to be cyber resilient. We can't be building a digital economy that doesn't have secure foundations. So the government's approach on this is to make sure that the technology that's being used actually allows companies to be secure and resilient and depend on it for their business operations. It's also to protect the UK’s national security interests, so we see an increasing set of threats from not just criminals but also state actors, and the UK’s national security interests are key to why we are doing what we're doing on cyber resilience. That being said, there are three key parts of the UK cyber resilience policy:

#1 One is to reduce cyber risk at source and at scale by making technology secure by design. So that means that when technology is downloaded, plugged in or switched on by customers and consumers and businesses, it already has some level of cybersecurity, so people can feel confident about using it.

#2 Then it's to make sure that organisations in the economy are able to be resilient to cyber attacks. That's everything from government systems and government services to critical infrastructure and small businesses and medium enterprises across the economy.

#3 The third one is that in order to do any of that, the other two, we need to have a cyber sector that is able to service the needs of the businesses that require their services. So making sure that there are companies out there that can provide reliable cyber services to the economy.

 
Steven Ramsden (Intertek)
And following on from that, another question I have for you is: can you tell me more about the UK legislation for cybersecurity, especially around critical national infrastructure and product security?

 
Irfan Hemani (DSIT)
Yes, so I mentioned those three tenets of UK cyber resilience policy. On the secure technology side, so making sure technology is secure by design, we have the Product Security Act. And that is a requirement that if connected technology, so IoT devices, is sold in the UK to customers, it by law has to have a minimum set of cybersecurity requirements. And that's based on an international standard.

Listeners might know the ETSI EN 303 645 standard, a really important one, and we use it within the UK's law, so that is making technology in the UK, physical products that connect to the Internet, more secure. Outside of that we have codes of practice for software, for AI and for apps and app stores to make sure those technologies are secure by design. And then on the resilient organisations part, we currently have the Network and Information Systems (NIS) Regulations in the UK, but two weeks ago (12 Nov, 2025) the Government introduced updates to that law called the Cyber Security and Resilience Bill, and that will basically mean that companies within five sectors.

So the UK’s current regulations for the cyber security of critical infrastructure cover energy, transport, health, drinking water and the digital infrastructure sectors, and we're looking to expand those to include data centres, managed service providers and other infrastructure in energy, as well as critical services of all those companies in those sectors.

There are five sectors, and digital service providers have to meet minimum requirements for cybersecurity to ensure that they can prevent and withstand cyberattacks. The law updates that to increase the number of sectors that are in scope of that law, but also brings in managed service providers and critical service providers to the scope of that law. So we've seen over the last five or more years that cyber attacks are now happening a lot more through supply chains and through managed and digital service providers, but they weren't required to have minimum standards under previous law. So we're looking to change that and update the requirements that we are asking companies to adhere to.

 

Steven Ramsden (Intertek)
That's excellent, Irfan. Thank you so much. It's a lot, as you can see; there's a huge amount of work being done and I can see you must be extremely busy behind the scenes there, Irfan. My next question is around the two letters the government has just recently written to industry: one to the UK's biggest companies and one to small businesses. Can I ask you, why are you doing this and what is it you are actually asking companies to do?

 
Irfan Hemani (DSIT)
Yes, so the law I've just talked about is going through Parliament, but I think more broadly than that, we don't just need critical infrastructure companies to do better on cybersecurity; we need all companies across the economy to up their game. The level of threat that we're seeing has increased dramatically in the last five years, and we don't think companies are as ready as they need to be to withstand that. So last month four Cabinet Ministers, the Head of the National Cyber Security Centre and the Head of the National Crime Agency wrote to the UK’s biggest companies to say there are things that we expect these companies to be doing to improve their cybersecurity.

One of them, which is also a theme throughout all of our resilience work, is that cyber risk needs to be managed at board level. We currently see that when cyber risks are discussed at board level, the answer is often to say this is a technical issue and kick it down to CTOs or CSOs. There are usually incredibly qualified people who are able to do some great things in protecting organisations, but cybersecurity isn't just a technical issue. When you're talking about resilience and being able to recover from a cyber attack, the whole organisation needs to be involved, and even if we're talking about getting your cyber security right, CSOs and CTOs need resources and they need cooperation with Procurement and Legal and other parts of the organisation to be able to do this well. So point 1) on the letter was for companies to follow the Cyber Governance Code of Practice, which we released earlier this year, to make cyber a board priority and to hold management accountable for managing cyber risk. Boards do an excellent job and are experts in risk management and understanding risk and making sure that these are understood and looked at within organisations, and we need cyber to be treated in the same way as any other risk. So step one was the governance code of practice being implemented in organisations.

2) We also asked companies to ensure that they are, at a minimum, doing the five controls that are requested in the Cyber Essentials certification. We appreciate that the biggest companies will have much more mature and much more sophisticated frameworks, but they should at least cover those 5 essential controls. Also, because we've seen such a lot of cyber attacks through supply chains, companies should be requiring their suppliers to have at least Cyber Essentials. So we ask companies to secure their supply chains, using Cyber Essentials as a tool to do that.

And then the other one was to sign up to the NCSC Early Warning service, just to give them basic overviews of what kind of threats they're facing. Again, we know that organisations will have a lot of tools in place, but we think that the Early Warning service is a good way to supplement that.

The other thing that the letter to the biggest companies talked about was making sure that the companies have a recovery plan in place, so they are able, in the event of a devastating cyber attack, to continue operations at some kind of level, and to expect that operations may not have the full digital access that you had for a number of days or weeks. The letter also talked about the need for consideration of cyber insurance as well. I think that's a really important way of mitigating and managing risks within organisations.

 
Steven Ramsden (Intertek)
Thank you, Irfan. Cyber Essentials features in both, in different ways. What is it and how can it be used as a tool for cyber security by companies?

 
Irfan Hemani (DSIT)
It's essentially a foundational set of cybersecurity controls that we would expect a company to have at a minimum. It's things like firewalls, multi-factor authentication, making sure your systems are patched and a couple of other things. Also having antivirus is one of them. It also strongly recommends having backups as well, because having controls in place is brilliant and absolutely necessary in reducing the likelihood of an attack. But if an attack does get through, companies need to be able to recover, particularly if you suffer a ransomware attack and need to recover data; having protected offline or separate backups is a really important part of that. Cyber Essentials asks you to have those controls. And then there is a Cyber Essentials Plus certificate you can get if you have your controls tested or audited externally.

 

Steven Ramsden (Intertek)
Thanks, Irfan. That's really good, and definitely we push Cyber Essentials and Cyber Essentials Plus, and we do those at Intertek.

 
Irfan Hemani (DSIT)
There are lots of things out there and I think the beauty of Cyber Essentials is that it's really simple for people, for organisations, to understand. In some instances and for some companies, having Cyber Essentials might not be the right thing.

You might want to look at ISO 27001 for bigger companies. We also ask people to look at the Cyber Assessment Framework as well, which is slightly more appropriate for more complex organisations, but Cyber Essentials I think is really easy for companies to understand.

 
Steven Ramsden (Intertek)
And leading on to that, how about larger organisations such as FTSE companies themselves? Should they? What's your view on red teaming? What do you think about Red Teaming and the benefits?

 
Irfan Hemani (DSIT)
There are lots of things that larger, more complex organisations will need to do, so, you know, I talked about the Cyber Assessment Framework as an example, and within that, you're really asking companies to have governance processes and systems around various things. Red Teaming is a really good way to understand where you might have vulnerabilities, where there are things that you may not have thought of in your cyber defences that an attacker will be able to exploit. I think that's a really good starting point to understand where your weaknesses are. But then you also need the controls in place after that to be able to address those, so things like having a patching regime are really important. Having a patching regime where you're testing as well, to make sure that your patches aren't destroying your system. So I think things like Red Teaming are important, but then we also need to be looking at what the response is to that, and I think having a system which has good governance within an organisation to address all of that is really important.

 
Steven Ramsden (Intertek)
Moving on, another question I have for you: the letter stresses the importance of rehearsing business continuity and recovery plans. How do you see companies getting prepared to respond to a major cyber incident?

 
Irfan Hemani (DSIT)
So the reason that was in the letter in the first place is because we think not enough companies are prepared. At the last Cyber Breaches Survey, which is the official UK statistic on this, I think it was only around 30% of companies that have a cyber incident response plan; that means 70% of companies are not sure what's going to happen in their organisation if they have a cyber attack. So first, I don't think enough companies are doing this, and then the other point, which I talked about a little bit before, is that this can't just be an IT or a cybersecurity team that are doing the continuity planning and rehearsing, because if tech goes down it's not a tech team issue. It's an entire organisation issue. So I think having a whole-of-system, whole-organisation response and planning is really important. But there are lots of good tools and companies out there that can help navigate this.

 
Steven Ramsden (Intertek)
Absolutely, I think that's such a key point, what you say: it's rehearsing business continuity and recovery levels. Just moving on, the small and medium enterprises, there's a lot out there in the UK. What are the key things that you're doing to help small and medium enterprises?

Irfan Hemani (DSIT)
So most of the UK economy is small and medium enterprises. I talked about the letter to the UK’s biggest companies; we actually had another letter sent out yesterday to small and medium businesses around the UK, and it was different to the one to the big companies because obviously we recognise that the size of the organisation means that different things are appropriate. A lot of these companies won't have boards, so the Cyber Governance Code of Practice might be a helpful tool for business owners, but there might not be a board to actually implement it. But what we have done is we've asked companies to get Cyber Essentials. I think that's key.

Cyber Essentials is really a foundational certification and is really useful for all businesses, but particularly good for small companies and medium enterprises as well. The other thing that's great about Cyber Essentials Plus, if you get the external verification, is that if you're a small company you're given £25,000 of insurance cover for free, which means that if you suffer a cyber-attack, you have a phone number that you can call to get incident response and recovery in the event something happens. I think, you know, £25,000 for a small company on incident recovery is a life saver for some companies. The other side of it is that if you have Cyber Essentials, you're 92% less likely to make a claim on your insurance, because you have those controls in place in the first place. So it's a really good scheme, it's a government-backed scheme and that insurance is free once you've got the certification.

The other thing we asked is that small and medium companies sign up to the NCSC Early Warning service, again as a way to help them identify when there are cyber threats that they are facing. And then I think we also talked about the importance of insurance outside of those two, so not everyone will be eligible for the free insurance, but insurance is a really important way for companies to be able to mitigate the financial impact of cyber attacks. We undertook and published some research recently, and I think it said that the average cost of a cyber attack to a small business is around £200,000. And so if you don't have insurance, and if you don't have an incident response plan ready, and you don't have that incident recovery number to call, that is devastating for businesses.

 
Steven Ramsden (Intertek)
That's absolutely just so important for many companies in the UK to look into Cyber Essentials and Cyber Essentials Plus. And like you say, it's vital to them. So I’m going to end there, almost. Just before I end, is there anything else you would like to add before we close, Irfan? From your perspective, anything else you'd like to add that you've not mentioned before?

 
Irfan Hemani (DSIT)
So we talked about what we're doing for small and medium enterprises, and I talked about the letter, Cyber Essentials, the NCSC Early Warning service and insurance. I think the other thing that's really important is that a lot of what we're doing through legislation is to make life easier in cyberspace for companies. So when we look at things like our Secure by Design approach with the Product Security Act and other codes of practice, what that means is the technology that's then used by small and medium enterprises is more secure. In the Cyber Security and Resilience Bill, we're requiring digital and managed service providers to have higher security standards for their services. Those digital and managed services are used by small and medium enterprises, if you think of cloud services, the kind of IT help desk stuff. So the picture we're trying to create in the UK is that services are more secure and resilient and that companies can rely on them, and that in particular means that some of the burdens of cybersecurity on small and medium enterprises are reduced.

 
Steven Ramsden (Intertek)
So just to say thank you very much, Irfan, for a wonderful interview. I'm sure all the listeners on this podcast will have got something from this, and I think the work that you're doing behind the scenes is really excellent and really pushing cyber resilience for the whole of the UK. So thank you for all your efforts; really great to have you on the podcast.

So how can Intertek support in driving cyber security resilience? Intertek empowers organisations to build digital trust by design, unifying cyber security, safety, privacy, transparency, and accountability into digital products, systems and AI ecosystems. Our Intertek AI² programme is the world’s first independent, end-to-end assurance framework for AI, giving clients a competitive advantage through smarter, safer, and more trusted AI solutions.

We provide regulatory expertise to help navigate emerging regulations, ISO standards, and global frameworks: from certification to ISO 27001 Information Security and ISO 42001 AI management systems and associated training courses, to tabletop exercises and cybersecurity resilience testing, from penetration testing to advanced Red and Purple teaming.

We deliver truly independent end-to-end assurance solutions to help you mitigate risk and protect your business and your digital and AI ecosystems.

Discover more at intertek.com/assurance/cyber-security or email ukenquiries@intertek.com