London: 4 in 10 (42%) UK businesses still lack a cyber resilience strategy, leaving organisations unprepared ahead of the UK Government’s incoming Cyber Security and Resilience Bill, according to new research from Absolute Security.
This research comes as the King’s Speech set out the UK Government’s plans to introduce stricter cyber security requirements through the incoming Cyber Security and Resilience Bill, which will see organisations across all sectors expected to improve preparedness for cyberattacks, report incidents more quickly, and strengthen recovery capabilities.
Despite these incoming cyber regulations, just under half (41%) of UK organisations have not prioritised cyber resilience over traditional prevention, detection and response. This highlights a dangerous preparedness gap between the evolution of modern threats and the defence strategies many CISOs still rely on.
This study of 250 Chief Information Security Officers (CISOs) in the UK is the industry’s first research to provide insights into the state of Cyber Resilience, the challenges enterprises face, and steps security and risk executives can take to overcome them. The findings are now published here.
The urgency for these stricter regulations has been heightened with concerns around AI tools, such as Anthropic’s Mythos model, where emerging technologies could be used to rapidly identify and exploit security vulnerabilities, reinforcing the need for stronger cyber resilience.
Andy Ward, SVP International at Absolute Security, commented: “Cyber Resilience provides the ability to ensure defences are operating effectively and to quickly restore business operations following disruptive cyber incidents and software failures. While it is encouraging to find that many enterprises are moving in the right direction, it is concerning to learn that a high percentage have not yet taken steps to prioritise resilience at the same level as traditional prevention, detection and response.”
“Last year, the NCSC highlighted that the UK is experiencing four ‘nationally significant’ cyberattacks per week, and we’ve seen firsthand how these threats can leave companies with long-term financial and reputational damage. With the rise of new Frontier AI models such as Mythos, we now know that most networks and endpoints are more vulnerable than previously imagined. These two factors and our new research make it clear that cyberattacks are a matter of when, not if. In this day and age, security teams require a far more resilient, proactive strategy where prevention alone is not enough,” concluded Ward.
Currently, cyber disruptions are costing UK organisations around $2.48 million per incident, with most experiencing roughly five days of downtime, and nearly a quarter (21%) of UK organisations reported operational disruptions lasting up to two weeks.
The research highlights that the majority (63%) of CISOs have evolved from being responsible for security and risk to leading their organisation’s ability to recover business continuity following a cyberattack, ransomware infection, other security incident, or software failure that stops business operations.
As a result, CISOs are under growing pressure to move beyond prevention-focused security strategies and ensure robust measures are in place to protect business continuity, financial resilience and brand reputation during cyber incidents.