
Why Securing Your Supply Chain is Critical to Cyber Resilience

After 30+ years in policing, cybercrime prevention and strategic leadership — and as the author of the Welsh Government report on supply chain cyber resilience — I’ve seen first-hand how supplier vulnerabilities can ripple through entire sectors.

When we talk about “supply chain,” it’s more than your tier-one suppliers. In the context of cyber resilience, your supply chain includes everyone you rely on to buy or sell your products or services — from raw material providers and software suppliers to couriers, caterers, printers, and maintenance firms. Even the smallest or least obvious supplier can become a gateway for attackers.

You are only as strong as your weakest link.

When we look at SMEs, experience shows there are few organisations that set minimum cybersecurity standards for their suppliers, or that even consider the supply chain in their business continuity or disaster recovery planning. There is a disturbing overconfidence among SMEs, which believe their suppliers are secure on the basis of little or no evidence.

Despite rising awareness, proactive measures remain low. Many organisations still don’t monitor supplier cyber risks regularly — leaving them exposed to evolving threats.

At Norton Consultancy Ltd, we can work with your organisation to embed supply chain resilience as part of your broader cyber strategy. Key steps include:

  1. Map Your Supply Chain: identify all suppliers — even small or low-value ones.
  2. Impose Minimum Requirements: set baseline cybersecurity standards and include them in contracts.
  3. Integrate Supply Chain Risks into Business Continuity & Disaster Recovery (BCDR): plan for supplier outages or compromises as part of your resilience planning.
  4. Regular Monitoring & Auditing: don’t just trust — verify. Review supplier security posture periodically.
  5. Educate & Support Suppliers: signpost free resources and encourage a training programme to help them improve their defences.

How Norton Consultancy Can Help

I specialise in helping SMEs, charities, and public-sector organisations understand and manage supply chain risks. Drawing on my experience leading the Cyber Resilience Centre for Wales and authoring the Welsh Government report on SME Supply Chain security, I can provide:

  • Cyber Resilience Strategies tailored to your organisation.
  • Supply Chain Risk Assessments to identify hidden vulnerabilities.
  • Exercising and Scenario Testing to prepare for potential supplier-related incidents.
  • Leadership Coaching to equip boards and executives to make informed, confident decisions.

Conclusion

Cyber-attacks are no longer just a “big company” problem. Supply chains are now a prime target for cybercriminals — and without proactive steps, your organisation may become collateral damage. By embedding supply chain security into your cyber resilience and business continuity plans, you reduce your exposure and protect your reputation.

If your organisation wants to strengthen its supply chain defences and become truly cyber resilient, Norton Consultancy Ltd can help.

📩 Contact me to explore how we can build a secure, resilient supply chain for your organisation.


“Think Like a Criminal. Defend Like a Professional.” Why Norton Consultancy Takes a Different Approach to Cyber Resilience

In the world of cyber resilience and business continuity, many consultants focus on technology. Firewalls, endpoint detection, encryption, and patching are essential — but they’re only part of the story.

At Norton Consultancy Ltd, I take a radically different approach. Drawing on over 30 years as a Detective Superintendent leading high-profile investigations into cybercrime, fraud, and serious criminal activity, I bring first-hand experience of how criminals think, plan, and exploit human vulnerabilities.

Technology is vital, but criminals don’t just hack systems — they hack people. By understanding the criminal mindset, I help organisations prevent, prepare for, and respond to threats more effectively than traditional, tech-only consultancies.

What are our Key Differentiators?

🔹 Insider Knowledge of Criminal Tactics: a deep understanding of how manipulation, deception, and social engineering bypass systems. I know the playbook — because I’ve seen it used in the real world.

🔹 Behavioural Threat Detection: technology can flag anomalies; I teach leaders and staff to spot the red flags and patterns tech alone might miss — because criminals leave behavioural footprints.

🔹 Real-World Crime Prevention Experience: decades of applying law enforcement strategies to prevent and disrupt criminal activity. I translate proven investigative and disruption techniques into practical, digital-age defences.

🔹 Empathy-Driven Training: staff don’t just learn what to do; they understand why criminals target them, how attacks unfold, and how to think like a defender. This builds a stronger, more motivated “human firewall.”

Why This Matters

Most breaches and crises don’t happen because of “sophisticated” tech failures — they happen because people, processes, and leadership weren’t prepared. By combining cyber resilience, business continuity, and leadership training with an insider view of criminal tactics, Norton Consultancy offers a proactive, human-centric approach to resilience.

Remember: Hackers Target People, Not Just Systems.

If you’re an SME, charity, or public-sector body looking for something beyond the typical cyber consultancy, Norton Consultancy is uniquely positioned to help. We don’t just secure your systems; we transform the way your people and leaders think about risk, making your organisation resilient from the inside out.

Why Human Error Still Drives Most Cyber Incidents — and What We’re Doing About It

November 4, 2025

Depending on who you read, between 50% and 80% of all cyber incidents still come down to human error — whether that’s a misplaced click, a weak password, a misconfigured system, or simply someone rushing through their day.

Even with billions invested globally in cyber technology, the weakest link remains the human element. Technology can only go so far; behaviour, awareness, and culture fill the gaps. And if we address this, then the human element can become our strongest asset!

“If we all did the basics, the industry would collapse overnight.”

That was the striking response from one cyber security expert during a recent industry panel, when asked why we’re still not focusing more on education and awareness.

It’s a tongue-in-cheek comment — but it carries a sharp truth. If every organisation mastered the basics of cyber hygiene, from patching systems to spotting phishing emails, the majority of cyber incidents would disappear overnight. And that would change the entire landscape of cyber risk (and arguably the industry built around responding to it).

When cyber incidents happen, the cost isn’t just financial — it’s operational, reputational, and legal. A single compromised account can halt operations, expose customer data, and erode hard-earned trust. Regulatory fines and the cost of recovery often pale in comparison to the damage to confidence and brand reputation.

It’s not an IT issue; it’s a leadership issue. And yet, many incidents trace back to the simplest of preventable human errors — the very area where proactive education and engagement can have the biggest impact. The reality is, good cyber practice doesn’t happen by accident. It’s a matter of leadership, planning, and culture.

Technology can block attacks, but people prevent them. Sustainable cyber resilience depends on:

  • Leadership commitment – Setting the tone from the top, making security a shared responsibility.
  • Culture and planning – Embedding security thinking into everyday decisions, not just policies on paper.
  • Training and exercising – Practical, scenario-based learning that builds confidence, not just compliance.

You don’t rise to the occasion in a cyber crisis — you fall back on your training!

At Norton Consultancy, we’re helping organisations strengthen their human layer through Executive Briefing Sessions and Staff Training Workshops — designed and delivered by professionals with real experience in cybersecurity, law enforcement, and SME leadership.

Our sessions focus on practical awareness, board-level resilience, and tested response planning — helping you move from cyber-aware to cyber-prepared.

Because in the end, it’s not technology that keeps you safe. It’s your people, your planning, and your practice.

Find out how Norton Consultancy can help build your organisation’s resilience today. Get in touch to arrange your Executive Briefing or Staff Awareness Session or visit www.NortonConsultancy.uk

What will it take for business leaders to truly embrace cyber resilience?

October 2025

Why do so many organisations only take cyber seriously after an attack? A retired cybersecurity expert recently told me:
“Most of my career felt like a battle to get leaders to understand the threat.”

And I’ve seen it too. Budgets appear. Priorities shift. Everyone listens… only once the damage is done. But with the surge in high-profile attacks, we can’t keep waiting for a crisis to wake us up.
Cyber resilience isn’t an IT issue—it’s a business survival issue.

Our latest blog explores why awareness isn’t enough—and what leadership must do now.

Need help turning cyber into a strategic advantage? Norton Consultancy is here to support you.

I recently had a conversation with a retired cyber security expert who, reflecting on his career, commented: “It often felt like a battle just to get senior leaders to understand the threat.”

Sadly, I’ve seen the same thing throughout my own experience working with organisations. Far too many businesses only take cyber seriously after they’ve been hit. It’s as if the pain of disruption, customer backlash, or financial loss is the only catalyst strong enough to get leadership attention. But why should a crisis be the trigger for change—especially now, when high-profile attacks are reported almost weekly?

Is it a lack of awareness? Or is the problem understanding? These days, most leaders know cyber threats exist. They’ve seen the headlines. They’ve sat through risk reports. But awareness is not the same as ownership! Too often, cyber risk is still treated as an IT issue rather than a strategic one; a cost rather than an investment; a compliance tick-box rather than a resilience capability. This leads to reactive spending, delayed decisions, and a false sense of security—until an attack hits.

It’s time to shift the conversation. Cyber resilience is not about building an impenetrable wall—because that wall will be tested. It’s about ensuring the business can survive, adapt, and recover when disruptions occur. True cyber resilience includes strong security foundations, incident response and recovery planning, business continuity readiness, constant learning and adaptation, and alignment between technology and strategy.

Resilience isn’t a technical function—it’s a leadership responsibility.

The recent wave of major breaches has made one thing clear: No organisation is too big, too small, or too mature to be targeted. So what needs to change?

1. Board-Level Accountability: Cyber resilience must sit at the same level as financial, legal, and operational risk. Leadership must own it, not just hear about it.

2. Metrics That Speak the Language of Business: Tech metrics don’t drive decisions—business impact does. We need to translate risk into pounds, downtime, market share, and reputation.

3. Culture Over Tools: Most breaches don’t happen due to a lack of technology— they happen due to a lack of awareness, process, or ownership. Employees aren’t the weakest link—they’re the first line of defence.

4. Plan for When, Not If: Resilience is not about preventing every attack— it’s about being ready to respond and recover when one occurs.

5. Stop Treating Cyber as a Project: Cyber resilience is not a one-off initiative. It’s an ongoing capability that evolves with the business and the threat landscape.

Leaders don’t need to become cybersecurity experts. But they do need to be curious, ask questions, proactively invest and embed resilience into their business planning. Cyber risk = business risk. Cyber resilience is no longer optional. It’s not just protection—it’s competitive advantage. It builds trust. It preserves operations. It protects the future.

If you’re ready to stop reacting to cyber threats and start building true resilience, Norton Consultancy specialises in helping organisations turn cybersecurity into a strategic advantage.

We work with leaders to assess real business risk, build practical, cost-effective resilience strategies, create incident response and recovery plans, develop a culture of awareness and accountability, and align cyber initiatives with your business goals.

Don’t wait for an attack to force change. Let’s build resilience before you need it.

Leading People, Protecting Business: The Human Side of Cyber Security

Over the last ten years, Norton Consultancy’s Managing Director, Paul Peters, has spoken with countless business owners in his former roles as Head of the Regional Cyber Crime Unit and director of the Cyber Resilience Centre for Wales. He has seen first-hand the devastation a cyber-attack can cause. Financial loss, disrupted operations, and reputational damage are well-known consequences—but one critical factor is often ignored: the emotional and psychological toll on leaders and their teams.

Cybercrime Is Not Just About Data—It’s About People

A cyber-attack doesn’t just affect systems. It affects the humans behind the screens—employees, customers, and especially business owners. Common reactions are guilt, shame, or fear—even when the breach wasn’t their fault; pressure to fix the problem fast; and sleepless nights worrying about the future of the business.

After an attack, the business environment can change: employees lose trust in technology, fear job loss or further breaches, focus and productivity decline, and the long hours needed to recover systems can lead to burnout. Even once systems are restored, the psychological effects linger. Leaders must rebuild trust with customers and stakeholders while also trying to protect and reassure their team—often at the expense of their own wellbeing.

This is where strong leadership in cyber security becomes critical.

Why does leadership matter in Cyber Security?

We regularly highlight that cyber resilience isn’t just an IT issue—it’s a leadership responsibility. When leaders set the tone, invest in training, and create a supportive culture, the whole organisation becomes stronger and more resilient. Leaders who are transparent reduce fear and prevent misinformation, and educated employees who feel confident—not anxious—are far less likely to make mistakes.

When an incident happens, if everyone knows their role, there’s less panic and faster recovery. And culture matters - people report issues early when they don’t fear punishment—this stops attacks before they escalate.

Norton Consultancy’s Unique Approach: Leadership-Driven Cyber Resilience

Unlike traditional cyber firms that focus only on technology, Norton Consultancy puts leadership and people at the heart of cyber security, delivering real-world experience investigating cybercrime, first-hand knowledge of SME challenges, a people-first, training-led approach, and support for leaders before, during, and after an incident.

It's not just about securing your systems—but helping build confidence, culture, and capability across your entire organisation. Cyber-attacks are no longer a question of if but when. As a leader, YOU set the tone. Your team looks to you for guidance, training, and support.

By investing in cyber leadership and staff development today, you protect:

  • Your business
  • Your reputation
  • Your people’s wellbeing
  • Your own peace of mind

Take the First Step with Norton Consultancy if you’re a business owner who wants to: build cyber confidence across your team, develop a strong, blame-free security culture, be prepared to lead effectively in a crisis, and protect both your systems and your people.

Norton Consultancy is ready to help. Contact us on info@nortonconsultancy.uk

Your people are your greatest asset—let’s protect them together.
