Brian Sims
Editor
ACCORDING TO new research conducted by Absolute Security, four in every ten (42%) of the UK businesses surveyed still lack a dedicated cyber resilience strategy, which leaves them unprepared for the Government's Cyber Security and Resilience (Network and Information Systems) Bill.
The King’s Speech in Parliament set out the UK Government’s plans to introduce stricter cyber security requirements through the Cyber Security and Resilience Bill, which will see organisations across all sectors expected to improve preparedness for cyber attacks, report incidents more quickly and strengthen their recovery capabilities.
Despite these incoming cyber regulations, roughly four in ten (41%) of UK organisations have not prioritised cyber resilience alongside traditional prevention, detection and response. This highlights a dangerous preparedness gap between the evolution of modern threats and the defence strategies upon which many Chief Information Security Officers (CISOs) still rely.
The study of 250 CISOs here in the UK is the industry’s first research to provide insights into the state of cyber resilience, the challenges enterprises face and steps that security and risk executives can take to overcome them. The findings can be read in full online.
The urgency for these stricter regulations has been heightened due to concerns around Artificial Intelligence (AI) tools, such as Anthropic’s Mythos model, where emerging technologies could be used to rapidly identify and exploit security vulnerabilities, in turn reinforcing the need for stronger cyber resilience.
Prioritising resilience
Andy Ward, senior vice-president for international business at Absolute Security, commented: “Cyber resilience ensures that defences are operating effectively and that business operations can be swiftly restored following disruptive cyber incidents and software failures. While it’s encouraging to find that many enterprises are moving in the right direction, it’s also somewhat concerning to learn that a high percentage of organisations haven’t yet taken steps to prioritise resilience at the same level as traditional prevention, detection and response.”
Ward continued: “Last year, the National Cyber Security Centre highlighted that the UK is experiencing four ‘nationally significant’ cyber attacks per week. We’ve also seen first-hand how these threats can leave companies with long-term financial and reputational damage. With the rise of new frontier AI models such as Mythos, we now know that most networks and endpoints are more vulnerable than previously imagined. These two factors, and the results of our new research, make it clear that cyber attacks are a matter of when, not if. In this day and age, security teams require a far more resilient and proactive strategy, where prevention alone isn’t enough.”
Currently, cyber disruptions are costing UK organisations around £1.8 million per incident, with most experiencing roughly five days of downtime, while around one in five (21%) of UK organisations reported operational disruptions lasting up to two weeks.
Business continuity
The research highlights that the majority (63%) of CISOs have evolved from being responsible solely for security and risk to leading their organisation’s recovery of business continuity following a cyber attack, ransomware infection, other security incident or software failure that halts business operations.
As a result, CISOs are under growing pressure to move beyond prevention-focused security strategies and ensure robust measures are in place to protect business continuity, financial resilience and brand reputation during those cyber incidents that do occur.
Western Business Media Limited
Dorset House
64 High Street
East Grinstead
RH19 3DE
UNITED KINGDOM