

      When a North West manufacturer recently lost a week’s production after a single malicious email, the headlines focused on the ransomware gang and customer disruption. What interested me more was the quiet strength in the way the business recovered – a mix of crisis leadership, collaboration, and operational grit. That, in essence, is what cyber resilience is really about.

      Cyber risk itself isn’t new but after two decades of headlines and hard lessons, it remains a daily operational issue for many. It also matters for our region’s growth story. The North West attracted around £650 million of inward investment last year and targets £1 billion by 2026; safeguarding that digital economy is an economic question as much as a technical one. Getting resilience right is a bit like tightening the bolts before a storm, not after – unglamorous when the sky is clear, but critical when the weather turns.

      Yet 2025 still saw record‑high breaches. According to the Department for Science, Innovation and Technology (DSIT), over 600,000 UK businesses experienced some form of cyber‑attack. So, if cyber risk isn’t new, why do impacts keep rising? And what can we do in the North West to change the trend?

      Martin Tyley

      Partner, Global Lead Cyber Risk Insights

      KPMG in the UK




      Understanding both sides of the risk equation

      Too many organisations still focus 100% of their efforts on assessing the likelihood of an attack – how vulnerable they are – and not enough on what the impact would be if one succeeded. That imbalance has structural roots: for years, the cyber security industry has anchored on frameworks and metrics that focus on measuring the effectiveness of technical controls. Yet understanding the potential consequences of a cyber-attack across Operations, Sales, Logistics and other parts of the organisation is also a critical part of understanding cyber risk and ensuring you act in a proportionate way.

      I believe most companies already have the knowledge they need; they just haven’t connected it across their business yet. Asking simple, scenario‑driven questions such as “What happens if our production line stops for 72 hours?”, “How would lost customer trust affect retention next quarter?” or “What’s the cost of losing access to a supplier’s platform during peak demand?” doesn’t require big exercises or endless meetings. A small number of focused conversations across the right parts of the organisation can turn cyber from an abstract threat into a practical business risk you can plan for.




      Lessons for North West organisations

      From the many resilience exercises we’ve run across Manchester and Liverpool, one theme stands out: the real difference is made before an incident happens. The organisations that invest time in planning – understanding what they would do, what to recover first, and what the wider impact would be – consistently respond more confidently when disruption strikes.

      Here are three lessons that make that preparation count.


      • Rehearse your worst‑case scenario

        Two companies can face the same ransomware attack – the one that has rehearsed has the opportunity to recover within days; the other, within weeks. Building that muscle memory is invaluable, and exercises can take as little as two or three hours. Teams that know who does what, and when, protect not just systems but revenue and reputation. We’ve seen similar stories play out from retail to logistics – very different sectors, but the same pattern: preparation pays off.

      • Know your minimum viable organisation

        Understand the smallest set of functions needed to keep trading – your “minimum viable organisation”. In some sectors, every hour offline means sales you’ll never recover; in others, the impact is slower to appear and it’s possible to tolerate a few hours or even days of downtime without a significant impact on revenues. The key is clarity on which operations, decisions, and people keep the lights on. The National Cyber Security Centre also shared basic but sound advice last year – to store critical contact and recovery information offline, ready for when technology isn’t.

      • Quantify the impact of systems loss

        Downtime isn’t equal. IT may be back in hours, but business losses can ripple for months through fines, lost customers, or delayed deliveries. The important step is to understand where those losses will occur. For some organisations, the main impact will be lost revenue; for others, regulatory fines, and for others the cost of rebuilding technology will dominate. Use tools and data that draw on real examples from organisations similar to your own, where those outcomes are already understood and measured. That context helps translate abstract cyber risk into practical business realities.


      The North West advantage: resilience as a reputation

      Resilience isn’t just a safeguard; it can become part of the North West’s reputation for reliability. Our economy, from advanced manufacturing in Cheshire to financial services in Manchester and logistics hubs across Merseyside, thrives on interconnected systems that demand trust and continuity.

      Lancaster University estimates the region already hosts around 300 cyber security firms employing 12,000 professionals, generating about £760 million in GVA annually. That makes the North West second only to the South East in its capability to manage cyber risk. We have the skills on our doorstep to advise and strengthen our own resilience network.

      Cyber risk isn’t going away, but by measuring, testing, and learning together, we can turn it into a source of confidence and competitive advantage for the North West.
