Cybersecurity Awareness Month: Waning Momentum as Threats Escalate
- Rachel Gentry
- Oct 27
Cybersecurity Awareness Month, once a rallying point for British organisations, is now losing its momentum just as cyber attacks grow in scale and sophistication. The recent, high-impact breaches at Jaguar Land Rover and Marks & Spencer lay bare the urgent need for smarter, continuous resilience—well beyond the annual awareness push.
Why Is The Momentum Fading?
Participation in Cybersecurity Awareness Month is on the decline, giving way to “tick-box” compliance measures rather than genuine, ongoing behaviour change. While cyber attacks have soared (average weekly cyber attacks per organisation in the UK have increased by 58% in the past two years), investment in awareness initiatives is not keeping pace.
The increased complexity and ubiquity of AI-powered threats, combined with rapidly evolving attack methods, have left many organisations feeling that month-long campaigns are inadequate for today’s challenges.
Case Study: Jaguar Land Rover and Marks & Spencer
The cyber attack on Jaguar Land Rover in 2025 halted global production and retail systems, costing the company an estimated £2.05 billion—the costliest breach ever in the UK automotive sector. Critically, the root cause was not a direct breach, but a vulnerability introduced by a third-party contractor. Attackers exploited compromised contractor credentials to move laterally across systems, highlighting just how exposed extended supply chains can become.
Marks & Spencer were similarly left reeling after an attack, traced again to weak controls further down their supply chain. The breach risked the compromise of thousands of customer records and trade secrets, resulting in significant financial and reputational losses.
These events underscore that even the best internal awareness efforts will fall short if third-party risk is not managed as rigorously as in-house processes.
What Do Legislators and Regulators Say?
The Starmer government has responded by placing cyber resilience at the centre of its national security agenda. The new UK Cyber Security and Resilience Bill is set to expand regulatory oversight to include more digital services and supply chain contractors, such as managed service providers, cloud platforms, and data centres. This law will require faster incident reporting, stronger enforcement powers for regulators, and a more strategic approach to proactive risk management.
Key components:
- Supply chain risk is a statutory priority: companies must assess and secure third-party access.
- More sectors and suppliers are included in regulation, reflecting the dispersed nature of modern threats.
- The government is working closely with the NCSC to share threat intelligence and equip both critical and non-critical businesses to remain resilient.
Why Third-Party Risk Management Matters More Than Ever
Both the JLR and M&S incidents demonstrate the danger of neglected third-party risk management. Recent research shows that 60% of UK data breaches in the past year involved a third-party vendor or supplier. Companies can no longer assume external partners are sufficiently secure—each link in the digital supply chain represents a potential point of failure.
How RTG Commercial Services Can Help with GRC and Expert Support
At RTG Commercial Services, we understand that effective cyber resilience hinges not only on awareness but on robust Governance, Risk, and Compliance (GRC) frameworks combined with expert, trusted associates for technical support and testing. Cybersecurity is no longer a reactive checkbox exercise but a continuous, integrated business discipline.
RTG specialises in designing and implementing tailored GRC programmes that align risk management with your organisational goals while maintaining operational effectiveness.
Our trusted experts provide:
- Independent penetration testing and vulnerability assessments to uncover hidden risks.
- Continuous compliance monitoring and risk measurement aligned with national standards and evolving regulations.
- Board-level reporting and strategic consultancy to embed security governance deeply within your organisation.
- Integration of third-party risk management to secure supply chains effectively.
Partnering with RTG Commercial Services means gaining not just a service provider but a trusted advisor and hands-on technical partner who works with you to build sustainability, resilience, and confidence against even the most sophisticated cyber threats.
Choose RTG to move beyond awareness towards actionable, expert-driven cyber resilience—protect your business, your data, and your operational future.







