Cyber resilience has emerged as one of the key areas of focus for the cyber-industry of the past few years. Even the government has cited it in a critical piece of pending legislation. But achieving it is proving somewhat difficult for the UK’s six million businesses. If the latest Whitehall research is anything to go by, the distance between the industry’s ambitions for resilience and what organisations are actually achieving remains considerable.

This year’s Cyber Security Breaches Survey is out. And it’s proof once again that the nation’s businesses are treading water when it comes to their cyber-resilience efforts. Only around half (57%) of mid-sized firms and three-quarters (74%) of large businesses even have a security strategy in place – virtually unchanged from last year. There’s much work still to be done.

The Journey to Resilience

Resilience is about reframing cybersecurity against the backdrop of a volatile threat landscape, growing regulatory scrutiny and insatiable boardroom demands for digital investment. In a world where the cybercrime economy is worth trillions, the National Cyber Security Centre (NCSC) is dealing with four “nationally significant” attacks per week, and billions of compromised credentials are circulating, security teams have to accept that no organisation is 100% breach proof.

In this context, the focus shifts beyond prevention to being able to prepare, respond, recover and learn from any attacks that do sneak through. This matters more than ever as attack surfaces expand with an explosion of IoT devices, AI agents, chatbots and LLMs – many of which are being used without the knowledge of IT. The IO (formerly ISMS.online) State of Information Security Report 2025 reveals that a third (34%) of respondents are concerned about shadow AI over the coming year, one of the most popular answers.

What the Government Found

True resilience demands layered defences. Unfortunately, the government’s latest breaches report reveals that many organisations are not putting the basics in place. Here are some of the headline findings:

Staff training and awareness raising: Although the share of respondents engaging in these activities increased for the largest firms (from 76% last year to 84% this year), overall it remained stuck at a disappointing 19%.

Risk assessments: There was a very small annual increase in the share of respondents conducting cybersecurity risk assessments, among mid-sized (57% to 62%) and large (70% to 72%) businesses. However, the overall figure remained virtually unchanged at 30%.

Supply chain risk management: Less than a third (30%) of medium-sized firms and half (48%) of large businesses review the cyber risks posed by immediate suppliers. That’s almost unchanged from last year’s 32% and 45% respectively. For the wider supply chain, the figures were even lower: 13% and 24% versus 15% and 25%. Overall, just 15% of businesses reviewed their immediate suppliers and 6% the wider supply chain – around the same as last year (14% and 7%).

Insurance: Half (47%) of businesses say they are insured against cyber risk, rising to 61% for medium-sized firms. This is broadly in line with last year (45% and 65%). More worryingly, however, just 10% say they have a specific cyber-insurance policy in place, and over a fifth (22%) don’t know at all. Both stats were similar to last year (7% and 20%).

The board: Cybersecurity is considered a “high priority” for senior management in 72% of respondents. But is it really? Board-level responsibility for it increased just slightly, from 27% to 31%.

Incident response: The share of respondents with a formal IR plan was virtually unchanged (25%), as were the figures for medium (53% to 57%) and large (75% to 76%) businesses.

Awareness of government initiatives: More respondents than last year say they’ve heard of government schemes like Cyber Aware (24% to 30%), the 10 Steps guidance (12% to 17%) and Cyber Essentials (12% to 17%). But these figures, and those for the newer Software Security Code of Practice (22%) and Cyber Governance Code of Practice (16%), are still way too low.

What’s more, the share of respondents holding Cyber Essentials has increased only slightly, from 3% to 5% overall, and from 21% to 35% for large businesses.

AI: Around a fifth (21%) of respondents say they adopted some AI tools in the organisation. Yet nearly half (45%) claim AI is not relevant to their organisation.

Moving Beyond Tick-Box Security

Cybanetix CTO, Merlin Gillespie, tells IO that the report once again illustrates two realities: larger firms are broadly competent while their smaller peers are exposed.

“The standard prescription is well rehearsed. Adopt an assume-breach posture, write a tested incident response plan with clear escalation paths, deploy a bunch of security controls, MDR, identity management, authentication hardening, and start formally reviewing your supply chain,” he explains.

“All of which are the right answer for businesses with a formalised security function and resources capable of executing. The problem is that this prescription assumes a capacity that most UK businesses don’t have.”

Richard Groome, OT cybersecurity specialist at e2e-assure, is concerned about poor incident response capability. “Most businesses can escalate internally, but only a third have clear external reporting processes. That’s not resilience, that’s reaction,” he tells IO.

“Businesses need to move beyond tick-box security and focus on observability and operational resilience. This requires continuous monitoring, faster detection and incident response that’s actually been tested, not just documented. With 24-hour reporting requirements coming in you can’t respond to an incident you haven’t detected. Visibility and speed are critical.”

Dan Lattimer, EMEA VP at Semperis, adds that identity must be a part of any incident response plan. “Investing in identity monitoring and recovery alongside prevention is essential to reducing downtime, repeat incidents, and long‑term business damage,” he says. “Incident response without identity recovery is incomplete response.”

Formalising Best Practices

Despite low awareness and take-up of best-practice standards and frameworks, these can be a useful ally in the push to improve cyber resilience, according to other experts IO spoke to. Graeme Stewart, head of public sector, UK&I, at Check Point, describes the report’s findings as a “wake-up call” for organisations of all sizes.

“The magic triangle of people, process, and technology all need attention. Staff need to be informed and aware. Processes must be robust, covering both prevention and post-incident response, and technology needs to be properly patched, correctly used, and kept up to date,” he tells IO.

“Frameworks like Cyber Essentials, ISO 27001, and NIST guidance provide vital guardrails, particularly for smaller organisations whose leadership are not cyber experts. These frameworks give businesses a structured path forward, and that’s genuinely positive progress.”

Huntress vCISO Muhammad Yahya Patel agrees. “Frameworks such as Cyber Essentials and ISO standards are valuable because they provide a consistent, governed approach to managing controls, risks, and policies,” he tells IO. “Cyber Essentials in particular focuses heavily on foundational hygiene controls and the reality is that many of the attacks we see today succeed precisely because those basic controls are not in place.”

In our report on last year’s survey we also noted how resilience efforts had stalled across UK PLC. Hopefully we won’t be saying the same thing yet again next year.
