VUCA in Action: Why Cyber Resilience Can’t Wait
Tuesday 5th May 2026
VUCA - Volatile, Uncertain, Complex, Ambiguous - was coined at the US Army War College to describe the operating environment after the Cold War. Forty years on, it describes the cyber threat landscape facing UK organisations almost perfectly.
Most British businesses haven’t felt the conflict in the Middle East directly. Petrol prices moved. Headlines moved on. But the National Cyber Security Centre has issued a clear warning: UK organisations are indirect targets, particularly those embedded in global supply chains.
The threat doesn’t travel by tanker. It travels at the speed of the network.
What’s actually happening
State-aligned threat actors are targeting cloud identity infrastructure - exploiting weak authentication and over-permissioned accounts as the route into corporate networks. The techniques are familiar: ransomware to paralyse operations, DDoS to overwhelm public-facing systems, supply chain compromise to reach further than any single organisation.
Iranian threat actors are typically considered less technically sophisticated than their Russian or Chinese counterparts. That distinction is meaningless to a business whose systems are down.
The NCSC’s most recent Annual Review puts the average cost of a material cyber breach at around £195,000 - and that figure understates the real damage. The operational drag, the reputational hit, the customer trust that doesn’t come back.
What good looks like
Cyber Essentials has tightened its requirements: mandatory multi-factor authentication, and a 14-day patching window for critical vulnerabilities. These aren’t aspirations. They’re the floor.
But baseline controls aren’t a strategy. Resilience is built on the assumption that something will get through - and the systems, processes, and leadership decisions that determine what happens next.
That’s the harder problem. And it’s the one we want to put on the table.
Watch on-demand: a working conversation on cyber resilience
On 14th April, we hosted a webinar with Crisis Management Expert, Professor Chris Kinsville-Heyne, who was an advisor to governments and FTSE boards on crisis response and Recorded Future, one of the security technology leaders shaping how organisations detect and contain threats in real time.
We covered:
- Where the current threat landscape is heading, and what UK security and risk leaders should expect over the next six months
- How crisis-tested leaders make decisions when the technical picture is still forming
- Practical steps for closing the gap between baseline controls and genuine resilience
- What “good” looks like in the first 24 hours of a serious incident
It’s the conversation we think every UK security and risk leader should be having right now - and we’d rather have it openly than have it after the fact.
Watch on-demand here → When the World Stage Shifts: Your Cyber Security Strategy Needs to Shift Too
If you’d rather talk directly
Bytes has worked alongside UK organisations on cyber security for over 25 years -through every shift in the threat landscape, and most recently as a Cyber Essentials Certified partner with access to more than 25 strategic security vendors. We don’t sell single technologies. We help organisations design the combination that fits their actual risk picture.
If a one-to-one conversation is more useful than a webinar, email [email protected] and we’ll set it up.
The volatility isn’t going anywhere. The question is what you’ve built before it arrives.
Want to keep informed? Sign up to our Newsletter