Customers, boards and regulators are all in agreement. If cybersecurity breaches are impossible to prevent 100% of the time, the focus must be on improving resilience so that organisations are better equipped to withstand and recover from them. But measuring progress in this area is no easy task. The government’s Cyber Security Breaches Survey is quite detailed. But crucially it doesn’t poll exactly the same organisations each year to check how their posture is evolving.

This is where the government’s Cyber security longitudinal survey comes in. Now in its fifth year (or “wave”), it aims to show how organisations change over time. The findings are illuminating. While there are certainly some positives to take from wave five, the report highlights a propensity for reactive security which stands at odds with best practice approaches.

What’s Going Right (and Wrong)?

The report reveals that most organisations continued to experience some form of “cyber incident” last year: 82% versus 79% the year before. But on the plus side, they are doing something about it. In fact:

  • The share of organisations reporting “adherence” to Cyber Essentials increased from 23% to 30% between wave four and five
  • The share of businesses with cyber-insurance policies increased from 29% to 35%
  • The share of businesses that claimed not to know about insurance fell from 20% to 13%
  • Businesses were more likely to report investing in threat intelligence (44% versus 36%)
  • Respondents were more likely to perform a cybersecurity vulnerability audit (60% versus 56%)
  • Over one-third of organisations (37%) reported an increase in cybersecurity budgets

However, there are also reasons to be concerned. Although the past year saw an increase in adherence to best practice standards and frameworks, a large proportion (37%) of businesses don’t comply with any of ISO 27001, Cyber Essentials or Cyber Essentials Plus.

Supply chain risk management also continued to be a blind spot for many. Just 28% of businesses say they carried out a formal assessment of suppliers in the past 12 months. “Qualitatively, organisations generally lacked awareness about cybersecurity incidents in their supply chains, acknowledging they likely happen without their knowledge,” the report notes.

It also reveals that, although 90% of businesses claim to integrate cyber risk into wider business risk, “this does not always translate into effective budgets or board-level training”.

The Problem with Reactive Security

The biggest issue highlighted in the report isn’t necessarily that efforts to improve resilience aren’t being made by UK firms, because in many cases they are. It’s the way these investments are coming about. The report authors track responding organisations across two different interview cycles (“time point 1” and “time point 2”) – typically across the course of a year – in order to measure longitudinal change.

They found that over a third (34%) of organisations that experienced an incident with impact and/or outcome at time point 1 subsequently experienced an incident without impact and/or outcome at time point 2. This suggests that either the organisation has reactively improved resilience, or the second incident was not as intrusive.

There’s more. Organisations that didn’t experience an incident in time point 1 didn’t seem to make any proactive changes to improve security posture, potentially suggesting they were waiting for something to trigger positive change. On the other hand, if an organisation did experience an incident, they were more likely to implement positive changes across eight variables including incident response, supply chain risk management and boardroom engagement.

“The unpredictability of cyber incidents being a catalyst for change is a concern,” warn the report authors.

Other examples of reactive security posture include the following findings:

  • Organisations are more likely to gain ISO 27001/Cyber Essentials accreditation at time point 2 if they experienced an incident with an impact and/or outcome at time point 1
  • Reputational risks were “frequently cited” by respondents as a motivation for change, especially for cybersecurity teams and senior leadership
  • “External influences” were a key factor in creating momentum for change, such as the ransomware attacks on high-street retailers last year. “Participants mentioned that these public incidents prompted them to do extra checks or allowed for funding because of the reality of potential impact for their own organisation,” the report says

Barriers to Success

“Reactive security will always leave organisations one step behind. By the time an alert is triggered, the attacker has already succeeded in some form,” SecureEnvoy VP, Michael Downs, tells IO (formerly ISMS.online). “Building resilience proactively, especially at the identity layer, is no longer optional; it’s the only way to reduce risk before it materialises.”

However, if proactive security were that easy, everyone would be doing it. Andy Ward, SVP international at Absolute Security, points to several key barriers.

“One challenge is gaining board and cyber-leadership support to elevate resilience to top levels of governance, with clear strategies for complete operational restoration after a disruption. Without this involvement, proactive measures can be delayed or inconsistently applied,” he tells IO.

“Another key barrier is the rapid increase in devices and software applications, making IT systems more complex and harder to manage. This sprawl makes it difficult to keep systems updated and implement proactive cyber resilience measures across all endpoints.”

Ward also points to funding and access to talent as holding businesses back in these efforts – especially smaller firms. “Many smaller businesses also mistakenly believe they are too small to attract cybercriminals, or that storing data in the cloud automatically protects them,” he adds.

The Journey to Proactive Security

Yet with the right approach, these barriers shouldn’t be insurmountable, argues MetaCompliance CEO, James Mackay.

“Becoming more proactive starts with reframing the goal of security awareness from delivering training to managing human risk,” he tells IO. “Over time, this approach builds a behaviour‑based security culture. Employees encounter security not as an occasional classroom exercise, but as part of their daily work.”

Best practice standards like ISO 27001 can be “powerful enablers” of this reframing as long as they aren’t viewed as a checklist, Mackay adds.

“ISO 27001 expects you to understand your information security risks, implement appropriate controls, and make sure people are competent and aware of their security responsibilities,” he continues. “They set the foundation for how security should be managed across an organisation.”

If more organisations adopt this kind of structured approach, next year’s longitudinal survey may make for more reassuring reading.
