Introduction
This guide provides an overview of potential common cybersecurity threats that can affect organisations, as well as effective strategies for identifying and managing these risks, to minimise their impact on business operations. It also sets out some practical steps businesses can take to ensure compliance with their cybersecurity obligations and existing laws.
This guide covers:
- Understanding cybersecurity threats
- Internal and external organisational risks
- Effective risk response
- Risk mitigation strategies
This guide can be used in conjunction with the following Quick view: Understanding the cybersecurity legal and regulatory framework.
Section 1 – Understanding cybersecurity threats
Cyberattacks are becoming increasingly widespread, sophisticated and difficult to defend against. In its 2024 Annual Review, the UK’s National Cyber Security Centre (NCSC) described the cyber threat landscape as ‘diffuse and dangerous’. These threats pose a significant risk to individuals and organisations (regardless of their size or sector) with the potential to cause severe financial, operational and reputational damage. As such, they represent a critical business risk that must be proactively managed.
One notable example is the Marks & Spencer cyberattack which severely disrupted online operations over Easter 2025. The financial repercussions were significant with projected losses of approximately £300 million due to reduced online sales and supply chain disruptions. The incident also triggered a sharp decline in the company’s share price and prompted an announcement detailing an accelerated overhaul of its digital operations.
1.1 Evolving threat landscape
While many cyber incidents involve the compromise of personal data or attacks on networks or software, that is not always the case. Increasingly, hostile actors are targeting business-critical assets such as trade secrets, strategic plans, and deal-related information. The threat landscape is expanding with emerging risks from the growing misuse of everyday technologies – including smart infrastructure like smart buildings, transportation networks and generative AI tools which can be exploited for criminal gain.
Organisations must comply with the Data Protection Act 2018, UK General Data Protection Regulation (GDPR), the Computer Misuse Act 1990 (CMA) and the Data (Use and Access) Act 2025 alongside any sector-specific obligations. Failure to implement appropriate data security provisions can result in investigation and enforcement action by the Information Commissioner’s Office (ICO), including substantial fines and reputational damage. Inadequate protection of systems and data can also result in criminal liability under the CMA.
Legal and compliance teams must remain alert in the face of an ever-evolving cyber risk landscape. Adopting industry best practices and maintaining a forward-looking approach is essential. Risk management strategies must continually adapt to emerging technologies and dynamic legislative and regulatory frameworks. There is no universal solution, and effective approaches will vary depending on factors such as the organisation’s size, geographic location, industry sector and the type and volume of data it processes.
1.1.1 Assessing cybersecurity risk
Cybersecurity risk is often seen as a technical issue, but human factors such as poor judgment or lack of awareness remain one of the most persistent vulnerabilities. Social engineering attacks, such as business email compromise, exploit individuals rather than systems, relying on behavioural missteps to bypass even the most advanced security infrastructure. At the same time, non-digital threats, or ‘analogue’ breaches, remain a significant threat. Common mistakes like misdirecting emails, unsecured documents, or failing to follow basic security protocols can result in serious data loss or exposure. The global movement of data across borders has introduced an added layer of complexity and challenge with over 140 jurisdictions now enforcing privacy and cybersecurity laws. See How-to guide: How to transfer personal data lawfully outside the UK and How to transfer personal data lawfully outside the European Economic Area.
For legal teams, boards and senior managers, building a strong organisational culture around security awareness and accountability across all levels of an organisation is essential. According to the NCSC, cyber security culture means ‘the collective understanding of what is normal and valued in the workplace with respect to cyber security. It sets expectations on behaviour and relationships, influencing people’s ability for collaboration, trust and learning.’
See NCSC, Cyber security toolkit for boards and Cyber security culture principles.
Section 2 – Internal and external organisational risks
2.1 Internal threats
2.1.1 Operator error
Within organisations, some of the most common cyber security risks arise from everyday actions and human error, such as using weak passwords or sending emails to the wrong recipients, which can lead to significant data breaches. For instance, using the ‘To’ field instead of ‘Bcc’ in emails can expose sensitive information to unintended recipients – a preventable error.
Adopting stronger security measures, such as multi-factor authentication (MFA), is essential and considered best practice when handling confidential or sensitive data. The more sensitive the information, the more robust the access controls should be. For example, some banks now require an additional verification step beyond facial recognition to log in securely. The NCSC provides detailed guidance on MFA for corporate online services.
Internal errors like these account for a large proportion of security incidents and continue to offer easy openings for bad actors. Building awareness, embedding secure practices into daily workflows, regularly reviewing and auditing policies, and providing staff training to raise awareness are key to risk mitigation.
2.1.2 Rogue employees
Employees who mishandle information – whether through negligence, pressure from external actors, or deliberate disregard for internal policies – continue to pose a significant cybersecurity risk. This includes actions such as copying confidential data to personal devices or granting unauthorised access to systems. Even with well-established policies in place, compliance gaps persist.
Storing client files or service agreements in unsecured drawers or saving sensitive information on personal mobile devices in breach of security protocols also presents vulnerabilities. Similarly, improper disposal of documents, such as leaving unshredded papers in bins can lead to data exposure. Mitigating these risks requires more than written policies and demands a cultural shift. Strengthening awareness, reinforcing individual accountability and embedding ‘best practices’ into everyday behaviour are essential to building a strong security culture and maintaining trust.
2.1.3 Bring Your Own Devices (BYOD)
Bring Your Own Device (BYOD) refers to the practice of allowing employees to use their personal devices, such as phones, tablets or laptops for work purposes. While BYOD can reduce organisational costs, it also introduces significant risks. Personal devices may bypass internal controls, fall outside virtual private networks, or store sensitive data locally without adequate protection.
To manage these risks, organisations must have clear BYOD and remote working policies. According to the NCSC, effective BYOD management includes robust security measures such as clearly defined usage policies, strong authentication, data encryption and the ability to remove corporate data from personal devices. It is also essential that employees understand their responsibilities when using personal devices for work. For further information, see NCSC, BYOD guidelines.
2.1.4 Contractors and third parties
Internal threats are not limited to employees. Contractors and other third parties who are granted access to computer networks (such as case management platforms or email systems) can also pose risks, including data leakage or unauthorised access.
The NCSC has issued specific guidance on managing supply chain and third-party risks. Key recommendations include applying the principle of least privilege (ie, ensuring users have only the permissions they need to perform their tasks, and no more), enabling MFA, and actively monitoring and restricting access when necessary. For a detailed overview, refer to NCSC, 12 principles of supply chain security.
2.2 External threats
2.2.1 Cyber criminals
Cybercriminals, including hackers and ransomware or malware operators, are the most persistent external threats. Their tactics are evolving rapidly, and one of the most common types of attack is business email compromise. This typically involves targeted social engineering, where attackers impersonate trusted contacts or institutions to deceive individuals into opening malicious attachments or clicking harmful links. The NCSC works closely with law enforcement to disrupt these activities; see the White Paper on ransomware and the cyber crime ecosystem, produced in conjunction with the National Crime Agency (NCA).
2.2.2 Cloud, hosted solutions, etc
Cloud services (ie, on-demand computing services accessible via the internet) and hosted platforms (ie, software managed by third-party providers) introduce additional risk exposure, especially when these systems operate outside the organisation’s direct control. Misconfigurations, poor vendor security practices, or breaches in third-party systems can lead to serious consequences, including data loss or service disruption. Organisations must proactively manage these risks through thorough due diligence, clearly defined contractual controls, and ongoing monitoring of vendor performance and compliance with security standards. See NCSC, Cloud security guidance.
2.2.3 Cyber espionage
Cyber espionage is typically associated with state-sponsored actors seeking strategic, rather than personal, information for political or economic gain. Targets often include government or defence agencies with access to critical infrastructure plans, intellectual property, or national security-related data.
2.2.4 Politically motivated hackers
These threat actors are driven by ideological or political motives rather than financial gain. They may attempt to disrupt services, expose sensitive communications, or damage reputations. Common tactics may include website defacement (eg, amending pages or disabling links), data leaks, and coordinated online campaigns. This category also includes so-called ‘social media auditors’, who scour digital content to uncover or manipulate information for political or reputational impact.
Section 3 – Effective risk response
Organisations should operate on the basis that cyber attacks are inevitable and ensure they have proactive response plans in place to react effectively when incidents occur.
3.1 Incident response plan
A detailed and well-structured incident response plan should be prepared and kept under regular review to ensure its effectiveness. Investing the time to prepare a plan will significantly help management’s ability to make informed decisions during a real incident. When preparing an incident response plan:
- Clearly define what constitutes a cyber incident and categorise incidents by type and severity, so that the required level of response is understood in advance.
- Outline measures to contain the scale of the attack and identify its cause.
- Set out the steps to be taken in the minutes, days and weeks following a breach.
- Understand when to escalate to external parties such as regulators, law enforcement and impacted individuals.
- Consider how internal communications are managed, particularly where employee data is involved.
- Consider how external communications are managed, including media statements and social media management.
- Consider potential legal and operational implications of an incident.
- Assign internal team members and a central point of contact with responsibility for managing the response, and detail system recovery procedures. Ensure assigned team members understand the plan and the remit of their role.
- Build contingencies for staff not being available (eg, due to illness or holidays) to ensure critical decisions can still be taken.
- Where resources permit, include a list of pre-approved external vendors (such as legal counsel, forensic investigators, and communications specialists) to support incident handling.
- Build in post-incident debrief processes to evaluate the response and address any gaps.
See NCSC, Incident management guidance.
3.2 Cyber Insurance
If the organisation has a cyber insurance policy in place, it is important to consider whether it offers sufficient coverage and to determine how often the incident response policy will be reviewed and tested. Carefully consider the types of losses the policy covers – such as financial, operational and accidental losses – and be aware of the notification and reporting requirements under the policy. Having a cyber insurance policy not only offers financial security, especially for smaller organisations, but may also provide access to expert guidance during a cyber incident, helping to mitigate impact and support recovery efforts. See NCSC, Cyber insurance guidance and Association of British Insurers (ABI), What does cyber insurance cover?.
3.3 Client communications
Organisations should regularly review the terms and conditions communicated to customers, such as those published on websites. These documents will outline the organisation’s responsibilities in the event of data breaches or service disruptions. Failure to meet these obligations may result in contractual liability.
Effective customer communication is also essential. Striking the right balance between transparency, legal compliance and maintaining customer trust is critical. Internal and external messaging should be aligned, and staff should be given clear guidance on how to handle queries in relation to a cyber incident.
In parallel, internal policies must clearly define employee responsibilities regarding compliance and data protection.
3.4 Data breach management
Data breaches may involve various types of sensitive information. Not all incidents relate to personal data – some may concern intellectual property, commercially confidential material, or trade secrets. Where fraud or criminal activity is suspected, organisations should consider engaging law enforcement at an early stage.
When notifying affected individuals about a personal data breach, it is important to consider any applicable statutory obligations, particularly under the UK GDPR, under which organisations are required to notify the ICO within 72 hours of becoming aware of a breach that poses a high risk to individuals’ rights and freedoms. See How-to guide: How to deal with a GDPR data breach.
In all cases, it is essential to maintain a detailed audit trail documenting actions taken, decisions made, timelines, and any relevant assessments. Regulatory guidance, such as the ICO’s Regulatory Action Policy, can provide a benchmark for how a response may be evaluated. See Checklist: GDPR compliance self-assessment audit and How-to guide: How to reduce the risk of a GDPR data breach.
3.4.1 Incident response and recovery
When a data breach occurs, it is essential that the organisation has an incident response plan and that it is immediately triggered. Typically, such a plan involves the following key steps:
- Assessment of risk – Consider the nature, scope and potential impact of the breach, including whether it poses a high risk to individuals’ rights. Consider broader implications such as reputational damage, contractual damages and regulatory non-compliance – always plan for the worst-case scenario. See How-to guide: How to deal with a GDPR breach and Checklist: GDPR compliance self-assessment audit.
- Notification – Identify who must be notified (eg, regulators, stakeholders and impacted data subjects) and within what timeframes (especially if multiple jurisdictions are involved). Maintain an audit trail of all decisions taken, assess insurance coverage and consider the legal implications of notification.
- Evaluation and remedy – Conduct a post-incident review to identify root causes, lessons learned and areas for improvement in cyber resilience. Regulators will expect evidence of remedial actions taken and proactive steps to prevent reoccurrence.
- Containment and recovery – Act quickly to contain the breach and recover any compromised data or systems to limit damage.
The ICO regularly updates its regulatory action policy, so it is advisable for organisations to stay informed – see ICO, Personal data breaches: a guide and Breach response and monitoring – Accountability Framework, and GOV.UK, Where to report a cyber incident.
Other sector-specific regulatory guidance may also be available, for example, operational resilience rules and guidance from the Financial Conduct Authority (FCA) for in-scope firms – this includes the integration of robust cybersecurity measures as part of the broader resilience strategy. See How-to guide: The UK operational resilience regime in financial services.
3.5 Ransomware attack
Ransomware is a type of malicious software designed to block access to a computer system, or the data it holds. This may involve locking the device, encrypting files, or even stealing or deleting information.
Victims are usually instructed to contact the attacker via an anonymous email or web page and are then asked to pay a ransom, often in cryptocurrency such as Bitcoin, in exchange for regaining access to their systems or data. However, payment does not guarantee restoration of access, and systems often remain compromised even after a ransom is paid.
To mitigate this risk, organisations should incorporate ransomware scenarios into their regular risk assessments, routinely test their incident response procedures, and ensure that cyber risks are actively discussed at the executive and board levels. IT teams can also use email filtering to block suspicious attachments, while all staff should receive regular security awareness training to help identify and avoid potential threats.
Law enforcement agencies do not encourage or support the payment of ransom demands. Payment carries significant risks, including:
- no guarantee of data recovery or restoring access to computer systems even after payment;
- malicious software may remain on the system, leaving it vulnerable to further attacks;
- paying a ransom supports and funds criminal activity; and
- organisations that pay are more likely to be targeted again in the future.
While paying a ransom is not a criminal offence under UK law, the UK government strongly advises against it and will neither pay nor facilitate ransom payments. In addition, ransom payments are not likely to be covered by the insurance policy. See NCSC, Mitigating malware and ransomware attacks and Ransomware: what you need to know.
While not explicitly illegal, there may be legal implications for the organisation depending on the recipient of the funds. In some instances, such payments could breach laws related to money laundering or terrorist financing, particularly if the funds are transferred to sanctioned entities or individuals. Additionally, it is important to recognise that paying a ransom does not guarantee the intended outcome.
Section 4 – Risk mitigation strategies
4.1 Internal due diligence
Internal due diligence in the context of cyber attacks requires organisations to adopt a proactive and structured approach to identifying, mitigating and managing cyber risks. This includes undertaking regular risk assessments and audits, maintaining a clearly defined incident response plan (with periodic updates scheduled in), ensuring internal policies are kept up to date, training staff on compliance requirements, and keeping detailed records of actions taken and assessments made. Embedding these practices into daily operations forms the foundation of good governance and enables timely detection, containment and recovery when dealing with cyber incidents. See GOV.UK, Cyber security guidance for businesses.
4.1.1 Computer security
When it comes to computer security, resources like Cyber Essentials, guidance from the ICO, and resources from the NCSC consistently emphasise the same core principles to protect systems and data. Following these established frameworks can significantly reduce exposure to common threats and improve overall cyber resilience.
Organisations should consider the following key steps as part of their basic computer security practices:
- install a firewall and reputable anti-virus software on all work computers to prevent unauthorised access and detect threats;
- make sure that your operating system is set up to receive automatic updates of the latest security enhancements;
- protect your computers by regularly installing the latest patches and security updates, which should address known vulnerabilities to safeguard systems;
- only allow your staff access to the information they need to do their job and don’t let them share passwords;
- encrypt any electronically stored personal information that could cause harm or distress if it were lost or stolen;
- take regular back-ups of data on computer systems and store them in a separate, secure location so that if you lose your computers, you don’t lose the information;
- securely remove all personal information before disposing of old computers (by using certified data wiping technology or by physically destroying the hard disk); and
- consider installing an anti-spyware tool to prevent programs monitoring computer activity.
4.1.2 Email security
Email remains one of the most common channels through which sensitive information is shared and, unfortunately, one of the easiest ways for that information to be inadvertently exposed. Organisations should ensure that employees are aware of and follow clear, practical steps to minimise the risk of sending information to the wrong person or disclosing data inappropriately.
The following measures should form part of any organisation’s basic email security guidance:
- consider whether the content of the email should be encrypted or password protected. The IT or security team (if there is one) should be consulted to provide encryption support;
- exercise caution when selecting recipient addresses. Many email platforms suggest previously used addresses based on similar names or prefixes. It is essential to verify the name and choose the right address before clicking send;
- if sending an email to multiple recipients without disclosing their addresses to each other, use blind carbon copy (bcc), not carbon copy (cc);
- be careful when using a group email address. Before sending a group message, check who is in the group, confirm the membership of the list and ensure the content is appropriate for all recipients; and
- sending sensitive information by email from a secure server to a recipient whose mail system is insecure puts that information at risk. It is important to confirm that the recipient’s security arrangements are adequate to protect the data before sending your message. This can be done by checking the recipient’s email domain name or by using encrypted mail. See ICO, encryption scenarios.
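Two of the errors above (exposing a recipient list by using To/Cc instead of Bcc, and accepting a wrong look-alike address from the mail client’s autocomplete) can be caught by a pre-send check. The following is an added illustration, not code from the original guide; the organisation domain, address book, recipient addresses and thresholds are all constructed for the example.

```python
"""Pre-send checks for outgoing email drafts (illustrative, constructed data).

Two findings are produced:
  bulk-visible  too many external addresses can see each other in To/Cc
  near-miss     a recipient is not a known contact but closely resembles one
                (a mistyped domain, or a similar name offered by autocomplete)
"""
from dataclasses import dataclass, field
from difflib import SequenceMatcher

# Assumed organisation domain(s); any other domain is treated as external.
INTERNAL_DOMAINS = {"example.co.uk"}
# Assumed policy limit on external addresses visible to each other in To/Cc.
MAX_VISIBLE_EXTERNAL = 3
# Similarity (0..1) at or above which an unknown address counts as a near miss.
NEAR_MISS_RATIO = 0.9


@dataclass
class Draft:
    """Minimal model of an outgoing message: only the recipient headers matter here."""
    to: list
    cc: list = field(default_factory=list)
    bcc: list = field(default_factory=list)


def domain_of(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower()


def is_external(address: str) -> bool:
    return domain_of(address) not in INTERNAL_DOMAINS


def near_misses(addresses, address_book, ratio=NEAR_MISS_RATIO):
    """Return (recipient, closest_known_contact) pairs for recipients that are
    absent from the address book but closely resemble an entry in it.
    Comparing the full address catches both a wrong domain
    (lawfirm-partner.com vs lawfirm-partners.com) and a wrong name
    (j.smyth vs j.smith) that autocomplete may have offered."""
    book = {a.lower() for a in address_book}
    hits = []
    for addr in addresses:
        candidate = addr.lower()
        if candidate in book:
            continue
        best, best_ratio = None, 0.0
        for known in book:
            score = SequenceMatcher(None, candidate, known).ratio()
            if score > best_ratio:
                best, best_ratio = known, score
        if best is not None and best_ratio >= ratio:
            hits.append((addr, best))
    return hits


def check_draft(draft: Draft, address_book) -> list:
    """Return a list of (code, message) findings; an empty list means no concerns."""
    findings = []
    # Bcc recipients cannot see one another, so only To and Cc are counted.
    visible_external = [a for a in draft.to + draft.cc if is_external(a)]
    if len(visible_external) > MAX_VISIBLE_EXTERNAL:
        findings.append(("bulk-visible",
                         f"{len(visible_external)} external addresses are visible to "
                         f"each other in To/Cc; move them to Bcc"))
    for addr, known in near_misses(draft.to + draft.cc + draft.bcc, address_book):
        findings.append(("near-miss",
                         f"{addr} is not a known contact but resembles {known}; "
                         f"verify the recipient before sending"))
    return findings


if __name__ == "__main__":
    # Constructed address book and drafts for a quick demonstration.
    book = {"j.smith@lawfirm-partners.com", "anna@client-one.com"}
    drafts = {
        "typo in domain": Draft(to=["j.smith@lawfirm-partner.com"]),
        "autocomplete picked wrong name": Draft(to=["j.smyth@lawfirm-partners.com"]),
        "mailshot in To": Draft(to=["a@c1.com", "b@c2.com", "c@c3.com", "d@c4.com"]),
        "mailshot in Bcc": Draft(to=["anna@client-one.com"],
                                 bcc=["x@one.org", "y@two.org", "z@three.org", "w@four.org"]),
    }
    for label, draft in drafts.items():
        print(label, "->", check_draft(draft, book) or "ok")
```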
4.1.3 Paper security
While much of today’s focus is on digital threats, sensitive information held on paper still poses a significant security risk if not handled properly. Organisations must remind employees that printed documents can be just as vulnerable to loss, theft, or accidental disclosure. Clear guidance should be in place to ensure physical documents are managed with the same level of care as digital data.
The following points should be considered in any organisation’s approach to safeguarding information held on paper:
- manual data may still be personal data and subject to the same legal protections under the UK GDPR and the Data Protection Act 2018;
- keep personal data and confidential information secure, for example in locked cabinets or cupboards with restricted access;
- do not throw documents in the waste bin – shred sensitive paper records and dispose of them securely;
- do not leave printed documents at printers or photocopiers, particularly in shared office work spaces;
- operate a clean desk policy;
- establish a clear policy on taking files from the office; and
- promote awareness of confidentiality risks in public spaces such as when travelling or working remotely.
4.1.4 Staff training and security
Technology and policies alone cannot protect an organisation if staff are not equipped to recognise and respond to security risks. Employees at all levels must understand their role in safeguarding information and systems. Organisations should train their staff:
- so that they know what is expected of them;
- to be wary of people who may try to trick them into giving out personal details; and
- so that they know they can be prosecuted if they deliberately give out personal details without permission.
Organisations should ensure that the following elements are included in their approach to staff training and information security awareness, so as to ensure that employees:
- use strong passwords – at least seven characters, combining upper and lower case letters, numbers and special keyboard characters such as the asterisk or currency symbols;
- do not send offensive emails about other people, their private lives or anything else that could bring your organisation into disrepute;
- do not believe emails that appear to come from their bank that ask for their account/credit card details or password (a bank would never ask for this information in this way);
- do not open spam – not even to unsubscribe or ask for no more mailings;
- be wary of invitations to connect on social media; and
- comply with all employee workplace policies around Acceptable Use, BYOD, AI etc.
4.1.5 Reporting and notification
It is essential for all staff within an organisation to understand how to report a cyber incident internally, even in situations where they may have caused the breach. Not all incidents will meet the threshold for regulatory reporting and organisations should avoid over-reporting. Consider whether specialised legal advice is necessary.
If a personal data breach requires notification to the ICO (if you are a controller of the data), follow-up enquiries are likely. These investigations may uncover further compliance gaps such as missing contracts or inadequate internal policies.
When a breach is likely to affect individuals’ rights, the organisation must notify impacted individuals without undue delay (if it meets the threshold for reporting) and where required, report the breach to the ICO within 72 hours of becoming aware of it. For further guidance, see ICO, 72 hours – how to respond to a personal data breach.
The ICO expects a clear and detailed explanation of how the breach has been assessed and managed. Notifying individuals may also introduce additional risks including reputational damage, claims of emotional distress and potential legal action.
If a breach initially appears to pose a low risk and is not reported, but later proves more serious, the organisation must be able to justify its original decision not to notify. Maintaining a clear and well-documented audit trail of all assessments, decisions and actions taken is critical.
4.2 External due diligence
When engaging third parties, especially those handling sensitive data or delivering technology services, it is essential to conduct thorough due diligence. Key steps include reviewing existing relationships and contracts and implementing structured processes for screening, onboarding and ongoing assessment of new suppliers. This ensures that external partners meet regulatory obligations, maintain robust security practices, and are capable of managing cyber and data protection risks effectively.
Considerations for evaluating external partners include:
| Topic | Consideration | Practical action points |
|---|---|---|
| Legal compliance | Are third parties complying with applicable data protection laws? Are they registered where required? | Check registration status and regulatory compliance in relevant jurisdictions. |
| Breach and regulatory history | Have vendors experienced data breaches or regulatory investigations? | Request disclosures of past incidents. Conduct an audit if there have been repeated breaches. |
| Audit capability | Are vendors open to independent audits and reviews? | Schedule audits, especially when sensitive data is involved. |
| Data management | How is your data handled by external providers, including subcontracting and staff vetting? | Request details of data management procedures, subcontracting controls, and vetting processes. |
| Data protection officer (DPO) appointment | Do vendors have a DPO where legally required? | Verify presence of a DPO or determine if one is necessary. |
| Fair processing and data sharing | Are privacy notices provided, and is there a lawful basis for sharing data with your organisation? | Ensure legal basis for data sharing exists and is documented. |
| Cookie technology | What tracking and cookie technologies are in use by vendors? | Review use of cookies and other tracking tech for compliance. |
| Data breach response | Do they have a data breach policy and response procedure? | Request their breach response plan and test alignment with your internal process. |
| Cybersecurity and information security | How do they manage cyber and information security risks? | Review their security frameworks and protocols. Ask for certifications or internal policies. |
| Risk evaluation | How do you evaluate cyber risk in your own organisation? | Define your risk appetite. Tailor evaluations based on business type and regulatory requirements. |
| Internal security leadership | Do you have a chief information security officer or equivalent? | Appoint appropriate leadership for managing cyber risk. |
| New technology assessments | What assessments are in place for new technologies (AI, data protection impact assessments (DPIAs), etc)? | Conduct AI assessments, DPIAs, and privacy by design reviews when implementing new tools. |
| Patch management | How are software fixes and patches handled? | Establish and enforce patch management protocols. |
| Remote work and BYOD policies | How is remote work and BYOD usage managed? | Develop and communicate clear policies for secure remote access and BYOD use. |
| Cyber attack preparedness | Is there a cyber attack response plan? Do employees know what it is? | Create and train teams on cyber incident response plans. Conduct regular testing. |
| Cyber insurance | Does your organisation hold cyber insurance that reflects its risk exposure? | Review insurance coverage details and limitations. Ensure policy matches your risk exposure. Consider notification and reporting requirements. |
Additional resources
NCSC, Connect Inform Share Protect (CiSP)
FCA, Operational resilience webpage
Related Lexology Pro content
Quick view
Understanding the cybersecurity legal and regulatory framework
This practical resource is derived from an MBL Seminars seminar, delivered by Robert Bond, Director at Bond & Bond Limited.
MBL, now part of Law Business Research and a sister brand to Lexology, is a leading learning and development provider for professional service firms.