The Comfortable Lie: Why UK Cybersecurity's Status Quo Is No Longer Defensible
I've spent this week being diplomatic. Building frameworks. Citing evidence. Offering proportionate solutions with small business protections carefully designed.
Today, I'm done being diplomatic.
The current state of UK cybersecurity enforcement is a national embarrassment. We have regulations that don't regulate. Enforcement that doesn't enforce. Consequences that aren't consequential.
And we pretend this is acceptable because admitting otherwise would require actually doing something.
The Comfortable Lies We Tell Ourselves
Lie #1: "Fines deter bad behaviour."
British Airways faced a £20 million fine. You know what £20 million is to BA? Roughly one day's revenue. The cost of doing business. A line item in quarterly reports that analysts barely notice.
Nobody at BA lost their job. Nobody faced prosecution. Nobody had their career affected. The fine came from company funds, not personal bank accounts. Directors remained as insulated from consequences as they were before the breach.
If your penalty for negligence is less than one day's revenue and zero personal consequences, it's not a deterrent. It's a tax.
Lie #2: "Guidance and education will improve security."
The NCSC publishes excellent guidance. Genuinely world-class materials available for free. Cyber Essentials provides clear, achievable standards. The information is available to anyone who wants it.
But information without consequences is suggestion, not enforcement.
We've had 20 years of guidance. Security awareness campaigns. Best practice frameworks. Educational initiatives. And breach rates continue climbing. Data compromises affect more people every year. The same basic failures - unpatched systems, missing MFA, default passwords - appear in incident after incident.
Education helps motivated organisations. It does nothing for organisations that simply don't care.
Lie #3: "Breaches are inevitable - even good security can't stop determined attackers."
True for sophisticated nation-state attacks. Absolutely false for the vast majority of breaches affecting UK businesses and citizens.
Look at the actual breach reports. Default passwords. Systems still unpatched months after critical updates were released. MFA disabled for "convenience." Backup systems that haven't been tested in years.
These aren't sophisticated attacks overcoming determined defences. These are basic failures by organisations that couldn't be bothered.
The "inevitability" narrative is cover for negligence. It lets organisations shrug off responsibility for preventable failures by pointing at unstoppable threats.
Lie #4: "Director liability would be disproportionate and harm business."
We already have director liability for health and safety. Has it destroyed British industry? Have companies fled to jurisdictions without safety requirements?
No. British workplaces are among the safest in the world. Companies adapted, invested appropriately, and continued operating profitably. The sky didn't fall. Directors didn't emigrate. Industry transformed for the better.
The "disproportionate" argument is pure lobbying. It protects negligent executives at the expense of citizens whose data they fail to protect.
The Human Cost of Comfortable Lies
Behind our policy debates are real people suffering real consequences.
The Synnovis Attack:
A ransomware attack on the NHS pathology provider in 2024. Services disrupted for months. Blood tests delayed. Cancer diagnoses postponed. Procedures cancelled.
And - though difficult to quantify precisely - patient deaths attributable to those delays.
The ICO? Still investigating. Months later. No prosecution. No meaningful accountability for whoever made the decisions that left systems vulnerable.
Meanwhile, someone who neglects workplace safety and causes a death faces prosecution within months, potential prison time, and permanent career consequences.
The disparity is obscene.
Identity Theft Victims:
Every major breach creates thousands of identity theft victims. People spend years cleaning up credit damage, disputing fraudulent accounts, and living with the anxiety of compromised personal information.
These aren't abstract statistics. These are parents dealing with fraudulent credit applications in their names. Elderly people losing savings to scammers armed with breached personal details. Young adults starting careers with credit history damaged by identity theft.
The organisations that failed to protect this data face fines that amount to accounting adjustments. The victims deal with consequences for years.
Small Businesses Destroyed:
The statistic is grim but consistent: approximately 60% of small businesses that suffer significant cyber attacks cease trading within six months.
These are real businesses. Real owners who invested everything. Real employees who lost jobs. Real families affected by preventable failures at organisations that held their data and couldn't be bothered to protect it.
Where's the accountability for the upstream failures that enable downstream destruction?
The Enforcement Disparity Is Indefensible
Let me be absolutely clear about what we're comparing:
Workplace safety failure causing one death:
HSE investigation within days
Potential prosecution within months
Directors personally liable
Prison sentences possible
Criminal records permanent
Career consequences lasting
Data breach affecting 500,000 people:
ICO investigation dragging on for months or years
Corporate fine negotiated down significantly
No personal prosecution
No individual accountability
Directors continue in roles
Maybe a press release expressing "regret"
This is not proportionate. This is not rational. This is regulatory capture dressed up as measured response.
Why Nothing Changes
The comfortable lie persists because powerful interests benefit from it.
Directors benefit. No personal risk means no personal concern. Cybersecurity remains IT's problem, not the board's problem.
Consultants benefit. Compliance theatre generates enormous fees for certification, audit, and advisory services without requiring actual security improvement.
Insurance companies benefit (short-term). Lower security investment means lower premiums in competitive markets. The industry races to the bottom on requirements.
Politicians benefit. Avoiding confrontation with business lobbies is easier than implementing effective regulation.
Who loses? Citizens whose data gets compromised. Small businesses destroyed by upstream failures. NHS patients whose treatments are delayed. The economy that absorbs £27 billion in annual cyber crime costs.
The people who lose have less lobbying power than the people who benefit. So nothing changes.
What I'm Actually Proposing
After this week of frameworks and evidence, let me be clear about what I'm advocating:
Not mass prosecution of small businesses. Tier One protections are explicit. Cyber Essentials provides safe harbour. Liability only for gross negligence - wilful failure despite warnings and opportunity to act.
Not impossible standards. The five Cyber Essentials controls are achievable, affordable, and effective. Nobody's asking for Fort Knox.
Not punishment for bad luck. Sophisticated attacks that defeat reasonable defences don't trigger liability. We're targeting negligence, not misfortune.
What I am proposing:
Personal accountability for directors who consciously ignore security. Criminal consequences for decisions that put millions of people at risk. The same enforcement approach that transformed workplace safety applied to digital security.
The evidence that this works is overwhelming. The HSE proved it over 50 years. International jurisdictions are implementing it now.
The only barrier is political will and comfortable lies.
The Choice Before Us
Britain stands at a crossroads.
Path One: Continue the comfortable lie. Incremental fine increases. More guidance documents. Enhanced recommendations. Another decade of rising breaches, increasing costs, and preventable harm to citizens.
Path Two: Implement what demonstrably works. HSE-style enforcement. Personal accountability. Proportionate standards with clear safe harbours. Transformation of UK cybersecurity culture within a decade.
The first path is easier politically. It avoids confrontation. It maintains comfortable relationships with industry lobbies.
The second path actually protects people.
My Challenge to Readers
If you've followed this week's content and you agree that change is needed, do something about it.
Contact your MP. Not a form letter. A personal message explaining why cybersecurity enforcement matters to you, your business, or your community.
Share this conversation. Business owners need to understand both the risks and the reasonable protections available.
Implement security in your own organisation. Regardless of regulation, Cyber Essentials protects your business and your customers.
Reject the comfortable lies. When someone says breaches are inevitable or enforcement is disproportionate, ask them to justify that position against HSE's proven success.
The status quo benefits people with lobbying power. Changing it requires citizens with enough motivation to demand better.
A Final Thought
In 1974, workplace safety in Britain was a disaster. Workers died in preventable accidents. Companies calculated that injuries were cheaper than prevention. Enforcement was effectively non-existent.
Fifty years later, Britain has some of the safest workplaces in the world. Not because technology improved. Not because companies suddenly discovered ethics. Because regulations got teeth and directors faced consequences.
We did this once. We can do it again.
The question is whether we care enough about digital safety to demand the same transformation we demanded for physical safety.
I think we should. I hope you agree.