UK names 13 Software Security Ambassadors in Jan 2026

On Friday 19 September 2025, check‑in systems at several major European airports slowed to a crawl. Staff wrote boarding passes by hand; passengers queued for hours. It wasn’t an attack on an airport. It was a hit on a supplier - a reminder that software sits behind almost everything we rely on. That real‑world shock framed Minister Liz Lloyd’s speech in London on 15 January 2026 launching a push on safer software. (gov.uk)

When one shared tool fails, many organisations feel it at once. That’s the simple idea behind “software supply‑chain risk”. We buy software the way we buy electricity: we plug in and expect it to work. But the quality of the wiring - how code is built, updated and supported - decides whether simple errors become full‑blown outages.

Here’s the scale. According to the Department for Science, Innovation and Technology (DSIT), 43% of UK businesses identified a cyber breach or attack in the 12 months to late 2024. Fresh government‑commissioned research also estimates cyber incidents now cost around £14.7 billion a year - close to 0.5% of GDP. Those numbers tell us trust in technology isn’t a “nice to have”; it’s part of economic stability. (gov.uk)

Government policy has shifted to match that reality. On 6 January 2026, ministers published a Government Cyber Action Plan - backed by more than £210 million - to improve cyber resilience across public services and coordinate faster incident response through a new Government Cyber Unit. (gov.uk)

There’s a legislative track too. The Cyber Security and Resilience Bill, introduced to Parliament on 12 November 2025, aims to strengthen protections for essential and digital services by updating the UK’s existing NIS rules and bringing more providers - like managed service firms and data centres - into scope. (gov.uk)

Ministers have also tried to change habits in boardrooms. In October 2025 they wrote to FTSE 100 and FTSE 250 companies urging basic steps - including adopting the National Cyber Security Centre’s Cyber Essentials. In November they followed up with an open letter to small businesses and entrepreneurs. That letter highlights data suggesting organisations with Cyber Essentials are far less likely to claim on cyber insurance. (gov.uk)

Now to the new piece. On 15 January 2026, the UK named 13 Software Security Ambassadors - a cross‑industry group including Sage, Cisco, Palo Alto Networks, Lloyds Banking Group, Santander, Accenture, NCC Group, ISACA, ISC2, Nexor, Hexiosec, Zaizi and Salus Cyber. Their job: champion the government’s Software Security Code of Practice and show what “good” looks like in real procurement and development. (gov.uk)

Quick glossary for your classroom or team discussion: a “software supply‑chain attack” targets a vendor or update process to reach many customers at once; “secure by design” means building security into products from day one; and “baseline controls” are the minimum measures we should expect from any supplier. The UK’s Product Security and Telecommunications Infrastructure (PSTI) regime made baseline controls a legal requirement for consumer smart devices from 29 April 2024 - a useful precedent for raising standards. (gov.uk)

So what is the Software Security Code of Practice? Published on 7 May 2025 by DSIT and the National Cyber Security Centre, it sets out 14 plain‑English principles covering how software is designed, built, tested, shipped and supported. The goal is a shared checklist that helps buyers ask better questions and helps vendors explain their security choices clearly. (gov.uk)

What this means for you if you buy software for a school, college, charity or start‑up: ask suppliers to show how they meet the Code’s principles, how quickly they patch serious flaws, and how they’ll communicate during incidents. If you run a small team, Cyber Essentials is a practical starting point that insurers understand and many customers now expect. Ministers say organisations with that badge are markedly less likely to need to claim on cyber insurance - a cost and stress you’d rather avoid. (gov.uk)

AI deserves a special note. The UK’s AI Cyber Security Code of Practice informed a new international standard at the European Telecommunications Standards Institute, announced on 15 January 2026. In simple terms, that means the security steps we teach for AI systems - from design to end‑of‑life - are being written into a shared global reference. For students and engineers, this is a sign that “secure AI” isn’t optional coursework; it’s becoming the rulebook. (etsi.org)

Media literacy corner: the Software Security Code is voluntary, which means progress relies on buyers asking for it and ambassadors modelling it while Parliament debates the Bill. That’s a feature, not a flaw, if we all use it. The airports lesson is clear: when software is part of everyday life, security and communication are everyday duties too - the difference between a smooth morning and a terminal‑wide queue. (gov.uk)
