MARKET PULSE UK


UK names 13 Software Security Ambassadors

On 19 September a ransomware attack against a software supplier rippled across European airports, pausing digital checks overnight. Flights slipped, ground staff reached for paper forms, and families slept on terminal floors. The target was not an airport; it was the vendor sitting between multiple operators and their critical systems.

For UK business, this is not an edge case. Government data says 43% of firms reported a breach or attack in the past 12 months, with annual losses estimated around £15bn, roughly 0.5% of GDP. That is a material drag on productivity. For finance directors, software risk now belongs on the same page as FX, energy and supply contracts.

Policy has begun to respond. The Government Cyber Action Plan, backed by more than £210m, aims to raise resilience across the public sector, while a proposed Cyber Security and Resilience Bill targets stronger protections for critical national infrastructure. Read these moves as the baseline shifting: expectations are migrating from guidance to clauses in contracts.

One lever already available is the Software Security Code of Practice from the Department for Science, Innovation and Technology and the National Cyber Security Centre. It sets out 14 baseline actions for suppliers across development, patching and accountability, and is already in use at the NHS. Yet only 21% of organisations say they consider cyber security when buying software, which is where risk is most often accepted by default.

To push adoption, ministers have launched a Software Security Ambassador Scheme. Thirteen organisations have signed up to champion the Code in real procurement and delivery: vendors Sage, Cisco, Palo Alto Networks, Hexiosec, Zaizi and Nexor; buyers Lloyds Banking Group and Santander UK; and advisors Accenture, NCC Group, ISACA, ISC2 and Salus Cyber. The brief is practical: show what good looks like and help others copy it.

The commercial case is straightforward. According to government figures, organisations certified to Cyber Essentials are 92% less likely to make a cyber insurance claim than those without it. Fewer claims usually means fewer outages and more predictable cash flow. Treated this way, security is a continuity expense that protects revenue rather than a discretionary IT upgrade.

Boards and procurement teams can move quickly without waiting for regulation. Ask suppliers to align with the Software Security Code of Practice, hard‑wire response times and patch windows into contracts, require independent assurance for high‑risk platforms, and name an accountable security owner on both sides. Then rehearse failure together: run a tabletop exercise, verify manual fallbacks and agree who can halt a service at 02:00 if needed.

The UK has depth to support this shift. Cyber hubs in Cheltenham, Manchester, Belfast and across Scotland are producing talent, while the sector is, by government measure, the world’s third largest, growing at double‑digit rates. Standards are exporting too: the UK’s AI Cyber Security Code of Practice has fed into work at ETSI, and the PSTI Act, in force since 2024, set secure‑by‑design rules for connected consumer devices.

For SMEs, the maths is blunt. A day of downtime can exceed the annual uplift on a more secure licence or managed service. For investors, procurement is becoming a filter: vendors that evidence supply‑chain security, rapid patching and clear disclosure are positioned to win enterprise deals in regulated sectors such as finance and healthcare.

None of this replaces the basics: multi‑factor authentication, tested backups and a culture that treats near‑misses as signals to improve. But the dial is moving. Software security is shifting from aspiration to obligation, enforced by contracts and measured in outage minutes. Confidence grows when buying and building are consistent, and that is where growth comes from.