Navigating cyber security for defence
Pathfinder series
10 April 2026
The March 2026 Janus Pathfinder event brought together attendees from across the defence and dual-use ecosystem. Led by David Collins OBE of Nova Blue Technologies, the session cut through the noise around cybersecurity – moving beyond generic advice to address the specific threats, compliance obligations and practical controls that matter most for startups and scaleups operating in the defence sector.
Cybersecurity is often treated as a cost to manage or a compliance box to tick. This session reframed it as something more fundamental: a business risk that, understood properly, can become a genuine competitive advantage for companies operating in this space.
Understanding who is coming for you and why
The starting point for any credible cybersecurity strategy is understanding intent. Different threat actors have different motivations – financial gain, intellectual property theft, reputational damage, or pure disruption – and those motivations shape how they operate and what they target.
For defence-focused companies, the threat profile is elevated. Operating at the cutting edge of technology makes you a more attractive target, and the line between nation-state actors and organised cybercriminals is increasingly blurred. The tools and techniques used by state-sponsored groups and criminal networks have converged, making attribution harder and the threat landscape more complex to navigate.
What has changed most sharply is pace. The gap between a threat actor gaining access to a system or network and exploiting it has collapsed from hours to seconds. The chain of actions that follows an initial breach is now largely automated. Understanding your specific risk – who is likely to target your organisation, what they want and how they are likely to go about it – is the foundation everything else is built on.
People are still the most exploited vulnerability
Technical controls matter, but the session was unambiguous that people remain the most significant and most underestimated attack surface. Some of the largest and most damaging cyberattacks in recent years were not executed through sophisticated technical breaches. They began with a phone call to an IT help desk and someone sharing information they shouldn’t have. Social engineering – manipulating people rather than systems – is the entry point for a significant proportion of serious incidents.
AI has made this harder to defend against. Phishing attacks are more convincing and harder to identify. Spoofing tools allow threat actors to impersonate individuals and organisations with increasing credibility. Deepfake technology has been used to pass job interviews and gain access to sensitive systems from the inside. The insider threat, whether deliberate or the result of poor judgement, compounds this further.
The response is not purely technical. Training that builds genuine awareness rather than just satisfying a compliance requirement, clear processes for verifying requests and well-designed access controls that limit exposure when something does go wrong are all essential components of a credible people and process strategy.
Navigating the compliance landscape
For companies operating in or moving towards the defence sector, the compliance landscape is both a requirement and an opportunity. Understanding it properly, and sequencing it intelligently, can open doors rather than simply create overhead.
Cyber Essentials remains the UK government’s minimum cybersecurity standard and a sensible baseline for any organisation. Built around five core technical controls and assessed through a self-assessment questionnaire, it is achievable without significant cost. Cyber Essentials Plus adds independent technical verification and is increasingly expected for those working with or towards government contracts.
For companies with UK Ministry of Defence (MOD) ambitions, the newly released Cyber Security Model V4 is worth engaging with now rather than when a contract tender arrives. The model introduces four Cyber Risk Profile levels, with Level 3 carrying over 140 individual controls. Critically, these requirements flow down from prime contractors through to subcontractors – meaning that even companies not directly contracting with the MOD may find themselves subject to these standards through the supply chain. DEFCON 660 sets out requirements for handling official and official-sensitive information, and for those operating in NATO environments, STANAG requirements add a further layer of obligation.
David was clear throughout that compliance frameworks are a floor, not a ceiling. Ticking boxes without genuine readiness is compliance theatre – and in a sector where trust and credibility are fundamental to doing business, it carries real consequences. Done properly, compliance is not a burden but a signal of organisational maturity.
Controls and mitigations: understanding the difference
One of the sharpest and most practically useful distinctions of the session was between controls and mitigations.
Controls reduce the probability of an attack happening in the first place. Mitigations reduce the impact when one does. Both are necessary and they require fundamentally different thinking.
On the controls side, the session highlighted phishing-resistant MFA, robust endpoint security, cloud hardening, zero trust architecture, network segmentation and strong secrets management as priorities. Particular attention was given to application and code security – the risks introduced by insecure tools, poor access management and the growing use of AI-assisted development where the security implications of what is being built are not fully understood.
On the mitigation side, the focus was on readiness before an incident rather than improvisation during one. Tested incident response plans, clearly defined roles, reliable and regularly tested backups and a disaster recovery plan that identifies the minimum viable business are all essential. So is knowing your GDPR notification obligations and the timeline for contacting relevant bodies, understanding how you will communicate externally during an incident and having your cyber insurance provider’s contact details to hand before you need them.
Five principles to carry forward
David closed the session with five principles that apply regardless of where a company currently sits on its cybersecurity journey:
Start secure, stay secure – integrating cybersecurity early is always cheaper and more effective than retrofitting it later
Understand your specific risk – threat profiles vary significantly by business, sector and ambition
Avoid compliance theatre – genuine readiness matters more than the certificate on the wall
Maintain readiness – the pace of change in both the threat landscape and the tools available to attackers is accelerating
Bring in the experts – knowing when to seek specialist support, whether targeted advice or a fully managed service, is a strength, not a weakness
We extend our thanks to David Collins and Nova Blue Technologies for such a sharp, practical and genuinely valuable session for our community.
Please note that to access the presentation and the additional asset(s) you must have the password. This was sent to attendees via Luma.