Understanding the Cyber Security & Resilience Bill
The Cyber Security & Resilience (Network and Information Systems) Bill marks a significant shift in how organisations are expected to approach cyber risk, including the human element. While the Bill does not create a separate “human risk” regime, it raises the bar on governance, risk management, and demonstrable cyber resilience across people, process, and technology, particularly for organisations providing important digital services or operating in key supply chains. In practice, this means businesses can no longer rely on tick‑box compliance or sporadic awareness training; they must be able to evidence that their people, as well as their systems, are part of a structured, risk‑based defence.
As organisations adapt to these new expectations, they must go beyond simply meeting minimum standards. They need to show consistent progress in reducing human‑driven cyber risks through tailored strategies, realistic testing, and ongoing training that align with their overall cyber risk management approach.
What Is the Cyber Security & Resilience Bill?
The Cyber Security & Resilience Bill aims to elevate cybersecurity and resilience standards across the UK by strengthening and updating the existing NIS framework (the Network and Information Systems Regulations 2018). It introduces tougher requirements around governance, risk assessment, incident reporting, and regulator powers, with an emphasis on organisations being able to demonstrate that they manage cyber risk in a proportionate, evidence‑based way. Although the Bill does not prescribe a specific “human risk framework”, the human factor is repeatedly recognised by policymakers and practitioners as a critical element of resilience.
As Emma Hollinrake from Phishing Tackle states:
“Human risk has moved from being a compliance box‑ticking exercise to a priority for boards and shareholders, who now ask IT professionals, ‘What are you doing to protect our brand?’”
The Bill is driving a fundamental shift from reactive to proactive strategies. This change requires businesses to invest in strategic planning that actively addresses human‑driven threats, ensuring employees are equipped to recognise, resist, and report potential attacks as part of a broader, risk‑based security programme.
Key Changes Under the Cyber Security & Resilience Bill: Strategy, KPIs, and Compliance
The Cyber Security & Resilience Bill does not dictate a single template for human risk management, but it does create conditions where regulators, customers, and insurers will expect to see three things clearly: a coherent strategy, meaningful metrics, and demonstrable compliance with risk‑based security obligations. These pillars ensure that organisations treat human risk as an integral part of their overall cyber resilience.
1. Strategy: A Holistic Approach to Human Risk
Under the Bill’s strengthened governance and risk‑management expectations, businesses are increasingly expected to develop a holistic strategy that covers how people, as well as technology, contribute to cyber resilience. This means moving away from reactive responses to incidents and instead crafting a comprehensive plan that addresses human risk at all levels of the organisation. The strategy should incorporate tailored training, role‑specific assessments, and ongoing monitoring of human‑related behaviours and vulnerabilities.
As Emma highlights:
“Organisations now need a strategy that considers the different departments within their company. For example, the finance department will have different training needs compared to HR because they handle more sensitive data.”
A successful human risk strategy must be adaptive and risk‑based, aligning content and testing to the specific threats faced by different departments and roles. By targeting areas where human error or manipulation poses the greatest danger, such as finance approvals, access to sensitive data, or privileged IT accounts, organisations can strengthen their defences in ways that are directly relevant to the threat landscape.
2. KPIs: Tracking Human Risk Effectiveness
One of the practical consequences of the Bill’s emphasis on demonstrable resilience is the need for organisations to measure the effectiveness of their cyber controls, including those focused on people. While the legislation does not list specific human‑risk KPIs, regulators and auditors will expect evidence that programmes are working in practice, not just existing on paper.
Key Performance Indicators (KPIs), therefore, become an essential tool to track improvements in areas such as training engagement, phishing and social‑engineering simulation results, and users’ reporting behaviour over time. Tracking these metrics ensures that organisations are not just “doing training”, but are actively reducing human risk.
As Emma points out:
“The KPIs are critical because they show that you are not just doing the training, but that it is effective. If your training completion rate is low or your phishing simulation results show high‑risk behaviours, that is a clear indication that your human risk strategy needs to be addressed.”
By setting clear KPIs and tracking them consistently, businesses can demonstrate continuous improvement, identify higher‑risk groups or departments, and keep their human risk strategy aligned with the evolving threat landscape and regulatory expectations.
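To make the KPI discussion concrete, here is an added worked example (not Phishing Tackle's code, and not derived from any platform's reporting) that computes the metrics named above from per-user simulation records: click rate, report rate, training completion and a report-to-click ratio per department, the highest-risk department in a campaign, and the change in click rate between two campaigns. The `SimEvent` records, department names, campaign labels and all outcomes are constructed for illustration; any real programme would feed in its own export.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class SimEvent:
    """One user's outcome in one simulated phishing campaign (constructed record)."""
    campaign: str
    user: str
    department: str
    clicked: bool        # followed the simulated lure
    reported: bool       # flagged it via the report-phishing button
    training_done: bool  # completed the assigned awareness module


# Constructed sample data: two quarterly campaigns, two departments, four users each.
EVENTS = [
    SimEvent("2025-Q1", "alice", "Finance", True,  False, False),
    SimEvent("2025-Q1", "bob",   "Finance", True,  False, True),
    SimEvent("2025-Q1", "carol", "Finance", False, True,  True),
    SimEvent("2025-Q1", "dan",   "Finance", False, False, False),
    SimEvent("2025-Q1", "eve",   "HR",      True,  False, True),
    SimEvent("2025-Q1", "frank", "HR",      False, True,  True),
    SimEvent("2025-Q1", "grace", "HR",      False, True,  True),
    SimEvent("2025-Q1", "heidi", "HR",      False, False, False),
    SimEvent("2025-Q2", "alice", "Finance", False, True,  True),
    SimEvent("2025-Q2", "bob",   "Finance", True,  False, True),
    SimEvent("2025-Q2", "carol", "Finance", False, True,  True),
    SimEvent("2025-Q2", "dan",   "Finance", False, True,  True),
    SimEvent("2025-Q2", "eve",   "HR",      True,  False, True),
    SimEvent("2025-Q2", "frank", "HR",      False, True,  True),
    SimEvent("2025-Q2", "grace", "HR",      False, True,  True),
    SimEvent("2025-Q2", "heidi", "HR",      True,  False, False),
]


def department_kpis(events, campaign):
    """Per-department KPIs for one campaign; rates are percentages of users targeted."""
    buckets = defaultdict(lambda: {"targeted": 0, "clicked": 0, "reported": 0, "trained": 0})
    for e in events:
        if e.campaign != campaign:
            continue
        b = buckets[e.department]
        b["targeted"] += 1
        b["clicked"] += e.clicked
        b["reported"] += e.reported
        b["trained"] += e.training_done
    kpis = {}
    for dept, b in buckets.items():
        n = b["targeted"]
        kpis[dept] = {
            "targeted": n,
            "click_rate": round(100 * b["clicked"] / n, 1),
            "report_rate": round(100 * b["reported"] / n, 1),
            "training_completion": round(100 * b["trained"] / n, 1),
            # Reports per click. None when nobody clicked: a zero divisor must not be
            # silently turned into a number that reads as "no risk".
            "report_to_click": (round(b["reported"] / b["clicked"], 2) if b["clicked"] else None),
        }
    return kpis


def highest_risk_department(events, campaign):
    """Department with the highest click rate; ties broken by the lowest report rate."""
    kpis = department_kpis(events, campaign)
    return max(kpis, key=lambda d: (kpis[d]["click_rate"], -kpis[d]["report_rate"]))


def click_rate_trend(events, earlier, later):
    """Change in click rate (percentage points) per department between two campaigns."""
    before, after = department_kpis(events, earlier), department_kpis(events, later)
    return {d: round(after[d]["click_rate"] - before[d]["click_rate"], 1)
            for d in before if d in after}


if __name__ == "__main__":
    for c in ("2025-Q1", "2025-Q2"):
        print(c, department_kpis(EVENTS, c))
    print("highest risk in 2025-Q2:", highest_risk_department(EVENTS, "2025-Q2"))
    print("click-rate trend Q1->Q2:", click_rate_trend(EVENTS, "2025-Q1", "2025-Q2"))
```

On the constructed data, Finance starts as the highest-risk department in Q1 (50% click rate, 25% report rate) and improves to 25%/75% by Q2, while HR moves the other way; reporting the trend per department, rather than a single organisation-wide click rate, is what lets a programme point training at the group that needs it and show auditors that the change was measured rather than assumed.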
3. Mandatory Compliance: No More Excuses
The Bill makes cyber resilience obligations mandatory and enforceable for in‑scope organisations, with strengthened oversight and potentially significant financial penalties for serious non‑compliance. This includes expectations that senior management take ownership of cyber risk and can show that appropriate and proportionate measures are in place, which naturally encompasses how staff behaviour is managed and improved.
As Emma explains:
“Boards and shareholders are now demanding to know what organisations are doing to protect their data and people. It is no longer just a nice‑to‑have. If organisations fail to comply, the financial and reputational consequences are massive.”
This shift emphasises the need for businesses to invest in proactive human risk management, rather than treating it as an ad‑hoc or purely compliance‑driven task. For IT directors and CISOs in SMB and mid‑market organisations, it means being ready to evidence, in a structured way, how human‑related controls contribute to overall compliance with the Bill’s risk‑based duties.
Expanding Human Risk Management Beyond Phishing
While phishing remains one of the most significant human risk vectors, the modern threat landscape is broader and more complex. Attackers increasingly exploit the full range of communication and collaboration channels used inside organisations, and a modern human‑risk strategy needs to reflect that reality.
1. Emerging Risks and New Threats
Phishing may still be a huge issue, but today’s cybercriminals are finding new ways to target organisations, particularly those that have already improved email security. New technologies and platforms create fresh opportunities to exploit human vulnerabilities, from credential harvesting to social engineering and fraud.
As Emma explains:
“The landscape has changed. Phishing is still a huge issue, but we are also seeing risks emerge through platforms like WhatsApp and Microsoft Teams. These new attack vectors require fresh training and testing strategies.”
The rise of collaboration platforms, messaging apps, and cloud‑based workflows means businesses must adapt their human risk strategies accordingly. Relying solely on traditional email phishing simulations will leave dangerous gaps in coverage, especially as more internal processes move into chat‑based and mobile environments.
2. The Growing Risk from Collaboration Platforms
Collaboration tools such as Slack, Microsoft Teams, and WhatsApp are now ubiquitous in the workplace, including in SMB and mid‑market enterprises. These platforms make it easy to share files, links, and instructions, but they also create new opportunities for attackers. Criminals can impersonate colleagues, suppliers, or managers to initiate fraudulent requests, share malicious links, or push users into bypassing normal checks, often in fast‑moving conversational threads.
Because these environments feel informal and “internal”, employees may be less cautious, making them a prime target for social engineering. Training and testing must therefore be extended beyond email to cover these newer communication channels, with scenarios that reflect how staff actually work day‑to‑day.
3. Mobile Phishing and Smishing
As mobile devices become deeply integrated into business workflows, smishing (SMS phishing) and mobile‑app‑based scams are on the rise. Cybercriminals send fraudulent messages impersonating banks, cloud services, parcel delivery firms, or even internal departments, tricking users into disclosing credentials, approving payments, or clicking malicious links from their phones.
Organisations must ensure their human risk strategies account for mobile devices and smishing attempts, particularly given the convenience and trust associated with mobile communication. For many SMB and mid‑market businesses, executives and frontline staff are most reachable on mobile, making this a critical vector to address with both training and realistic simulations.
Why Free or In‑House Makeshift Tools May No Longer Make the Grade
In a more demanding regulatory and threat environment, many organisations will find that basic, free, or home‑grown tools are no longer sufficient to support a credible human‑risk programme.
Common limitations of such approaches include:
- Narrow channel coverage, often restricted to simple email phishing, while real‑world attacks increasingly exploit Teams, Slack, WhatsApp, SMS, and other platforms.
- Limited realism, with generic or outdated templates that fail to mirror the targeted, context‑aware attacks facing SMBs and mid‑market enterprises.
- Weak reporting and analytics that make it difficult to track behaviour by department or role, demonstrate improvements over time, or present a compelling risk‑reduction story to the board.
- Manual, error‑prone processes that do not scale, leading to inconsistent testing, poor audit trails, and challenges when asked to evidence programmes to regulators, insurers, or major customers.
As expectations rise under the Cyber Security & Resilience Bill, a “good‑faith effort” using improvised tools will look increasingly fragile if an incident occurs and the organisation is required to show how it managed human‑related risk. A dedicated, professionally supported platform is rapidly becoming the defensible standard.
How Phishing Tackle Helps: A Proactive Solution for Emerging Risks
Phishing Tackle offers a comprehensive human‑risk and phishing simulation platform designed to help organisations stay ahead of emerging threats and meet rising expectations for demonstrable cyber resilience. It enables IT directors and CISOs in SMB and mid‑market enterprises to move from ad‑hoc activities to a structured, evidence‑driven programme.
Phishing Tackle helps you:
- Test employees across multiple channels, including email, SMS (smishing), and newer tools such as WhatsApp and Microsoft Teams, reflecting how attacks actually occur today.
- Deliver tailored, role‑specific simulations and training for different departments, such as finance, HR, IT, and executives, so that content aligns with the specific risks each group faces.
- Go beyond simple click rates by providing behavioural insights and trend data, allowing you to identify high‑risk areas, track improvement over time, and prioritise interventions where they will have the greatest impact.
- Automate ongoing campaigns and adaptive training so that human risk is managed continuously rather than as a one‑off annual exercise.
- Produce board‑ready reports that clearly show how your human‑risk programme supports compliance with risk‑based obligations under the evolving regulatory landscape.
This ensures that organisations are ready to tackle both current and emerging human risks effectively, with tooling that stands up to scrutiny from senior stakeholders, customers, insurers, and regulators.
Embracing a Holistic Approach to Human Risk Management
The Cyber Security & Resilience Bill is a game‑changer for businesses of all sizes, including SMBs and mid‑market enterprises. No longer can organisations afford to treat human risk as a secondary concern or rely solely on basic training and improvised tools. Human risk must be embedded into the heart of their cybersecurity strategies and managed as a measurable, continuously improving programme.
By developing a comprehensive human risk strategy, setting meaningful KPIs, and using a robust platform to demonstrate effective controls, organisations can reduce vulnerabilities and strengthen their overall cybersecurity posture in line with rising expectations.
Phishing Tackle provides the tools organisations need to proactively manage human risk, offering multi‑platform simulations, real‑time behavioural data, and targeted training to support compliance and materially reduce human‑driven vulnerabilities.
Get in touch today to learn how Phishing Tackle can help you strengthen your human risk management strategy, satisfy demanding stakeholders, and stay ahead of evolving cyber threats in the era of the Cyber Security & Resilience Bill.
