Monday 6 July, 2026
[email protected]
Resilience Media
  • News
    • Events
    • Interview
    • Startups
    • Venture
    • Weekly Digest
  • Resilience Conference
    • Resilience Conference Warsaw 2026
    • Resilience Conference Copenhagen 2026
    • Resilience Conference London 2026
  • About
  • Guest Posts
    • Author a Post
  • Subscribe
No Result
View All Result
  • News
    • Events
    • Interview
    • Startups
    • Venture
    • Weekly Digest
  • Resilience Conference
    • Resilience Conference Warsaw 2026
    • Resilience Conference Copenhagen 2026
    • Resilience Conference London 2026
  • About
  • Guest Posts
    • Author a Post
  • Subscribe
No Result
View All Result
Resilience Media
No Result
View All Result

National defence requires much better cybersecurity advice for citizens

If the UK is serious about taking a whole of society approach to cybersecurity, it needs to develop a register of secure hardware, software and services for small organisations and individuals. 

Mark PhilpottEd HarebyMark PhilpottandEd Hare
July 6, 2026
in Cyber, Guest Posts
closeup photo of turned-on blue and white laptop computer
Share on Linkedin

National security in Europe is being challenged daily by adversaries – mainly Russia – from cyber attacks and grey zone sabotage operations. Several high profile figures (politicians and military commanders) have commented that a “whole of society” effort will be required to defend our continent in the face of these kinds of conflicts.

You Might Also Like

JLR hack attribution turns spotlight on Britain’s offensive cyber capability

Israel says Iranian cyberattacks triple as hacking groups unite

Irish space tech firm Ubotica raises $11M

That will include defending our nations in cyberspace, and it will not be limited to defending government agencies, military bases, critical national infrastructure and defence companies from malicious hackers. Cyber warfare is a highly effective economic weapon that can be used against all large enterprises, SMBs and every resident who uses the internet in our nations.

As recent high profile attacks on Jaguar Land Rover, Marks and Spencer and the British Library demonstrate, even large organisations remain highly vulnerable.

And the average person pays the price. The British tax payer was obliged to extend a £1.5 billion loan guarantee to support Jaguar Land Rover’s recovery.

If a future mass cyber attack were considered to be part of a war, cyber insurers might refuse to cover the costs of recovery, and the government would not be able to bail out every affected business. Many large organisations might shut down in such a scenario, with devastating economic and social consequences.

Meanwhile, small organisations (0-49 personnel) account for 99.2% of all UK businesses, but often have little or no cybersecurity. Towards the ‘micro’ end of this segment (1-9 personnel), there is often little or no differentiation between business and personal systems. Employees often use personal phones or even personal laptops, and even if they don’t, employees often have admin privileges on work devices, meaning they can install whatever software (or malware) they wish. Even the approved software and cloud solutions implemented by these organisations are often consumer-level tools with poor security.

For example, one of the authors here recently assisted a startup dealing with extremely sensitive client data. The firm was using free, consumer webmail and file sync and share solutions. It gave each employee the admin password for their work laptop, and each employee used a personal phone. For many cloud services, the company maintained only one account, which was shared by every employee. Passwords were insecure, often shared across several different cloud services, and stored in an unencrypted spreadsheet to which all employees had access.

Unsurprisingly, it was soon discovered that multiple machines were infected with malware.

Very obvious issues such as search redirects in browsers had gone unnoticed or, at least, unreported. Former employees retained access to sensitive company resources. Links to confidential folders were not password protected, and were accessible to anyone on the internet.

Such IT setups for very small companies are not exceptional: virtually all firms with under 10 employees will to some extent blur personal with work systems.

Which brings us to the personal devices and residential networks of the citizenry. While significant progress on securing mobile and desktop operating systems has been made over recent years, the application market remains the Wild West.

Some of the world’s most popular consumer apps are developed by firms based in adversarial countries. Malicious apps and browser extensions are frequently identified and removed from official marketplaces, despite a range of automated checks designed to prevent them from becoming available in the first place.

Often, these malicious apps and extensions tie back to a relatively small number of prolific cyber crime developers, usually shielded by, and under the ultimate control of, those same adversary countries, and some of them have hundreds of thousands or even millions of users by the time they are identified as malicious.

There is increasing evidence that hostile state-sponsored actors are developing and promoting apps and extensions that seemingly appear legitimate in order to build a substantial user base, waiting for the day when access to those devices and the traffic to and from them might be useful. State-sponsored actors are also now heavily targeting shared code libraries. These are integrated into many different applications, giving these supply chain attacks devastating potential.

But the uncontrolled nature of consumer and small business apps is only part of the story.

There is an ever-increasing array of Internet of Things (IoT) devices in every small business and home, from smart speakers, to washing machines, to security cameras. The shockingly insecure state of most of them means that a national-scale attack on small business and home networks could enable an adversary to wreak havoc at a time of their choosing.

Unsecured devices can be hacked, of course, but that may not actually be necessary since recent research shows that even devices sold by major retailers now often come pre-loaded with malware, largely controlled, once again, by cyber crime groups based within adversary countries. Compromised IoT devices can be recruited to form part of so-called botnets; networks of devices controlled remotely by an adversary to do their bidding.

But what bidding? Well, that would be up to the adversary. Botnets are routinely used in Distributed Denial of Service (DDoS) attacks, and the trend towards ever larger DDoS incidents points to the scale of an attack that could be launched if the hybrid war escalates. In 2011-2013, attackers suspected to be linked to the Iranian state caused significant disruption to US financial institutions with a DDoS attack that peaked at around 140 gigabits per second.

Fast forward to 2026, and a private cyber crime group behind the Aisuru-Kimwolf botnet launched a DDoS attack that reached 31.4 terabits per second – nearly 230 times larger than a state-sponsored attack 15 years earlier.

But an adversary could also simply sabotage the IoT devices under its control en masse. In 2016, for example, the cyber crime group behind the Mirai botnet exploited vulnerabilities in a number of router models to disrupt the internet connections of 100,000 customers in the UK, and 900,000 in Germany.

In the future, our adversaries might simultaneously push malicious updates to the apps and extensions under their control to either temporarily brick or seriously decay the performance of the computers and phones that they are installed on.

This could lead to huge social and economic disruption. It would dramatically decay both the ability of the government to communicate with the populace, and the ability of individuals to cope with the wider crisis of a nationwide cyber attack. It would also likely have a severe psychological impact on the population as a whole.

Or the attackers could use control over apps, extensions, smart TVs and speakers to broadcast messages to intimidate the population and spread disinformation.

Western nations are reported to have carried out this exact type of attack. By some media accounts, in the opening days of the recent attack against Iran, the US and Israel took over a popular app with around 5 million users to convey a message to Iran’s population and its military. Similarly, our adversaries could use their control over many popular apps, extensions, smart TVs and smart speakers to broadcast messages to intimidate our populations and spread disinformation.

Another possibility is initiating widespread power-sapping activity on attacker-controlled devices to cause a power surge at an unexpected hour, indirectly attacking the power grid. Attacking critical national infrastructure may not require hacking CNI infrastructure itself.

If the UK’s population is to play its part in defending against these types of attacks, it’s going to need some help.

The NCSC – the UK government’s National Cyber Security Centre – has a mandate to play an essential role in defending against those attacks, as it lays out in its own mission statement: “Our mission is to make the UK the safest place to live and work online so that everyone – whether at work or at home – can navigate the cyber landscape safely and with confidence.”

Since its inception almost a decade ago, the NCSC has become a trusted source of cybersecurity advice in the UK. All EU nations have their equivalents; it is a very wise requirement of EU membership.

What the NCSC could do

The NCSC’s website is a well-designed, intuitive platform that guides concerned users through a structured assessment of their own cybersecurity requirements, pointing them towards remediation advice where it is needed.

But while this much needed advice is welcome, it often doesn’t go far enough. Scan through the pages of advice on the NCSC’s excellent website and you couldn’t fail to notice a couple of things. First, there is a lot of it. Far too much for even the keenest cyber nerd to want to read. Second, it often doesn’t tell the reader precisely what is required of them.

The NCSC does recommend that we use key pieces of technology to keep our personal data and small business or home networks secure. Anti-virus software, password managers, and VPNs are a few examples.

But the NCSC doesn’t tell us which products to use. Instead, it provides guidance on the technical features and specifications we should be judging a candidate piece of software against. This technical due diligence is beyond the expertise, and frankly interest, of most citizens. Will your elderly parents or grandparents be determining which vendor is a “trusted vendor”? Is it fair to expect a hard-pressed small business owner, acting as their own CMO, CFO and Head of HR, to work out how to block access to USB ports on company machines? Of course not.

So what do people do? They make ill-informed decisions. Or no decisions at all. Our governments should recognise that digital overload is real. It is too much to expect most people to devote the time needed to carefully select the right solutions.

If our government wants us to do our part in protecting networks and data, it should step up and tell us exactly how.

The NCSC should develop a national register of approved hardware, software and cloud services that follow secure by design principles, which are transparent about their ownership and that are based in safe jurisdictions.

For each security tool that the NCSC advises citizens to adopt, a list of approved solutions should be provided, and continuing the NCSC’s existing website design, an intuitive set of simple questions should be used to guide users to the solutions that best meet their needs. The register should be regularly refreshed to make sure that its recommendations remain current, because the level of security offered by any given vendor can change over time.

The UK has a free market, where vendors should in general be free to compete without the government preferencing one over another. Many in government will therefore be understandably reluctant to consider such a broad ranging register since it risks being perceived as tipping the commercial scale towards specific favoured vendors.

But while that is a sound principle in general, the scale of the cyber threat and the speed with which it is developing requires that we find a way to work around such qualms where that is necessary to secure the nation.

The NCSC, with the Department for Science, Innovation and Technology (DSIT), has already taken steps down this road by launching a Software Security Code of Practice and a small network of Cyber Resilience Test Facilities, which technology vendors can work with to get certified. These are valuable programmes, but they are pitched primarily at helping large organisations with IT and procurement teams make informed risk-based decisions about what solutions their organisations implement.

In contrast, the national register that we are proposing would be designed squarely to guide individual citizens and small business owners, not large organisations.

It would provide specific approved solutions in every major category of technology. Citizens would not need to digest a complex risk-based certification report. They would simply pick a solution from the register.

And the national register would not, in fact, be a certification programme as such, in which each vendor needed to sign up, devote considerable effort to compliance, and pay for expensive audits. That kind of programme works for vendors wanting to sell to government or highly regulated enterprises, but it would simply never scale in the way required.

Instead, our government should staff up a large team of full-time reviewers whose job is to proactively analyse existing commercial solutions. While reviewers could seek the cooperation of vendors, they would mainly assess vendors based on publicly available data.

For example, reviewers would consider the headquarters jurisdiction of each vendor, its ownership, whether it openly publishes its security policies and what those policies are, how many internal security personnel it employs, any documented history of breaches, the security features it offers, its data processors and infrastructure providers (where visible), and so on. To meet the challenge of our changing world, any vendor based in adversary countries should be automatically barred from the register, regardless of its other merits.

This kind of security review is far from perfect. But the same is true of even the most extensive and expensive certification audits. And our suggested approach has the very significant advantage of speed and scale. We no longer have time for lengthy consultation periods and incremental roll-outs that don’t genuinely move the needle on which solutions our citizens are actually buying. We need this national register quickly.

And the government should fund the NCSC to launch a national-level public safety campaign for this register so that individuals and small business decision makers up and down the country learn about it where they already are: in their social media feeds, in television advertising, on billboards, at events.

National-level public information campaigns around critical health or economic issues can serve as a useful model here. Current social divisions will mean that some people will be suspicious of any products recommended by the government. But many, many others, confused and worried about cybersecurity, will be grateful for simple guidance that cuts through the noise and allows them to choose secure solutions without the burden of doing their own research.

A large proportion of the populace is keen to do its bit to support national defence. But they are busy and often confused. Give them the clear guidance they need to play their part in this national effort.

Mark Philpott is a security specialist based in London. After spending the first half of his career working for the UK government, he moved into consultancy advising governments and commercial organisations globally on security matters.

Ed Hare started his career in the diplomatic corps. He then moved into consulting, initially training government agencies and then specialising in working with large international technology firms to improve their competitive strategies around AI, big data, cloud and cybersecurity products. Ed also led many cross-border due diligence projects and investigations.

As the cybersecurity threat worsened in the 2010s, Ed took charge of security for his small consulting firm. He founded Keosetech in 2022 to help small organisations in high threat sectors such as defence with cyber and physical security, due diligence and investigations. In 2026, Ed also launched SAFE (Security Assistance for Everyone), a pay what you can afford service for low income or vulnerable individuals and families.

Tags: Cybersecuritysecurity
Previous Post

Software before drones: Dutch defence ministry bets on interoperability

Mark Philpott

Mark Philpott

Mark Philpott is a security specialist based in London. After spending the first half of his career working for the UK government, he moved into consultancy advising governments and commercial organisations globally on security matters.

Ed Hare

Ed Hare

Ed Hare started his career in the diplomatic corps. He then moved into consulting, initially training government agencies and then specialising in working with large international technology firms to improve their competitive strategies around AI, big data, cloud and cybersecurity products. Ed also led many cross-border due diligence projects and investigations. As the cybersecurity threat worsened in the 2010s, Ed took charge of security for his small consulting firm. He founded Keosetech in 2022 to help small organisations in high threat sectors such as defence with cyber and physical security, due diligence and investigations. In 2026, Ed also launched SAFE (Security Assistance for Everyone), a pay what you can afford service for low income or vulnerable individuals and families.

Related News

a padlock on a red, blue, and pink background

JLR hack attribution turns spotlight on Britain’s offensive cyber capability

byCarly Page
July 1, 2026

The UK has quietly mounted offensive cyber operations against Russia, according to former British and American intelligence officials cited by...

black flat screen computer monitor

Israel says Iranian cyberattacks triple as hacking groups unite

byCarly Page
June 30, 2026

Iranian cyberattacks against Israel have tripled since last year, according to the country's cyber chief, who says Tehran has turned...

Irish space tech firm Ubotica raises $11M

Irish space tech firm Ubotica raises $11M

byFiona Alston
June 24, 2026

Ubotica, the Irish space tech firm developing orbital AI for satellites, has raised $11 million to scale the commercialisation of...

Dutch semiconductor company is bringing secure, authenticated satellite positioning to handheld devices

Dutch semiconductor company is bringing secure, authenticated satellite positioning to handheld devices

byJohn Biggs
June 23, 2026

For years, authenticated satellite positioning has largely been reserved for expensive, power-hungry systems operating in defence, aviation, and other specialised...

a satellite satellite flying over the earth

Russia is jamming GPS from space

byPaddy Stephens
June 23, 2026

Russia can jam GPS across Europe, and as far west as Canada – and has been doing so for over...

Ukrainian MOD launches TrophyLab for partners to study captured Russian tech

Ukrainian MOD launches TrophyLab for partners to study captured Russian tech

byLuke Smith
June 19, 2026

While Ukraine is expanding the reach of its home-produced UAVs, it is also learning from the enemy. The Ministry of...

Detailed close-up of an illustration from a dollar bill, focusing on intricate line work.

The war you don’t see

byDavid Marksand1 others
June 18, 2026

Anyone who has been caught in a bar fight knows the worst defence is to flail wildly instead of focusing...

A man with a gun standing in the woods

How NATO’s Eastern Flank Deterrence Initiative is turning rhetoric into real capability

byArnel P. Davidand1 others
June 17, 2026

"Innovation" has become one of the most casually abused terms in defence circles. It appears in speeches, strategies, and budget...

Load More

Most viewed

InVeris announces fats Drone, an integrated, multi-party drone flight simulator

Uforce raises $50M at a $1B+ valuation to build defence tech for Ukraine

Auterion, the drone software startup, eyes raising $200M at a $1.2B+ valuation

Palantir and Ukraine’s Brave1 have built a new AI “Dataroom”

Twentyfour Industries emerges from stealth with $11.8M for mass-produced drones

Senai exits stealth to help governments harness online video intelligence

Resilience Media is an independent publication covering the future of defence, security, and resilience. Our reporting focuses on emerging technologies, strategic threats, and the growing role of startups and investors in the defence of democracy.

  • About
  • News
  • Resilence Conference
    • Resilience Conference Copenhagen 2026
    • Resilience Conference Warsaw 2026
    • Resilience Conference 2026
  • Guest Posts
  • Subscribe
  • Privacy Policy
  • Terms & Conditions
  • Mission Statement & Code of Practice
  • Press

© 2026 Resilience Media

No Result
View All Result
  • Home
  • About
  • Subscribe
  • Events
  • Guest Posts
  • Interview
  • News
  • Resilience Conference London 2026
  • Resilience Conference Copenhagen 2026
  • Resilience Conference Warsaw 2026

© 2026 Resilience Media

This website uses cookies. By continuing to use this website you are giving consent to cookies being used. Visit our Privacy and Cookie Policy.