John Mutuski, CISO of Pipedrive, interrogates the idea that UK cybersecurity risks really are being “widely underestimated”.

A new year always brings a fresh impetus to look again at the business’ cybersecurity posture – and perhaps to find ways to strengthen it.

At the tail end of 2024, the head of the UK’s National Cyber Security Centre warned, in their first major speech since being appointed last year, that the cyber-related risks facing the UK are being “widely underestimated”. As businesses evolve and digital threats grow more sophisticated, prioritising readiness has never been more critical. In 2024, only 2% of UK organisations achieved a ‘mature’ level of readiness according to research from Cisco: a 15% drop from the previous year.

There’s every reason to turn this trend around in 2025. If the continuing threats from geopolitics, warfare and cybercrime were not enough motivation, the rapid acceleration and adoption of AI will surely keep the CISO up at night. Fortunately, the security industry doesn’t require any upending. There are globally recognised best practices, widely understood technologies, and well-respected regulations and certifications to support businesses in improving their security posture. The difficulty in managing these threats comes from the limited supply of time, personnel and resources, all of which are in demand throughout a business and the IT organisation that supports it.

Crises are sure to come. Why not practice?

Simulating crises is a very practical way of identifying where one’s weaknesses lie, whether that is a missing policy, weak controls, or absent documentation of procedures. The outcomes of these exercises give businesses a clear view of their vulnerabilities and help them develop and act on a list of priorities. Thus, when a real crisis appears, the business will be in a good position to blunt its impact.

Start off with some clear questions that you’re looking to test. Online resources or industry consultants can help. However, at first, all you might need to do is give the matter some careful thought. For example:

  • What are the most important functions your business needs in order to meet its customers’ expectations and maintain revenue? This would include the people, processes and systems. Answering this question will allow businesses to narrow the focus to what is critical to protect.
  • Do your staff know who to contact if they receive a phishing email or suspect a ransomware attack, data breach, virus, or any other IT incident?
  • Do the responsible leaders, teams, and service providers understand the steps for investigation, remediation, crisis communications, and any legal responsibilities?

The results of a crisis simulation, and the questions it elicits, will allow leaders to refine business procedures for a variety of scenarios: from cybersecurity incidents to those in other domains that rely on similar muscles, such as a key vendor going offline or negative customer feedback going viral.

Lessons from a simulation or test allow one to assign roles and responsibilities in advance, so teams, as well as individuals, know exactly what to do when under pressure. Additionally, practising response procedures builds confidence, and staff will feel prepared rather than panicked in the event of a real crisis.

Build a company-wide culture of cybersecurity and test/measure it

Cultural change is a major lever in making anything happen across any domain. 

For cyber security to be seen as important to a business, an organisation needs to craft the message that security is everyone’s responsibility (not just IT’s), and that for it to be effective, everyone plays an important role. Most security leaders will agree that in most organisations people assume that ‘someone else’ handles security and that it isn’t really something they need to worry about.

This attitude often leads employees who either caused a security incident or are involved in one to ‘pass the buck’ to the technology organisation. This is a damaging mindset that will perpetuate a weak security posture.

Social engineering, particularly phishing, remains the most significant threat for all businesses. Many lack dedicated security teams, which makes employee awareness even more crucial.

Security teams should explain the most common tactics used by cybercriminals to everyone in the organisation. This means employees are, on average, more likely to spot a scam and report it. Follow-up training is important for people to remain sharp. Without practice, people will eventually succumb to social engineering attacks, as these continue to become more and more convincing. It’s worth checking out the information on the NCSC

If your gut reaction is to think ‘we’re of above-average intelligence, we won’t be scammed’, you should disabuse yourself of that notion. There are scores of statistics showing that bad actors successfully hack, phish, or attack thousands of businesses each year. Those businesses suffer enormous damage to their reputation and revenue.

Recognise that “the basics” when it comes to cybersecurity tools have changed

Some practical technologies that have become ‘non-negotiable’ for security include antivirus/anti-malware, multi-factor authentication (MFA), and phishing defences in email platforms.

These are relatively simple foundational security measures that, when applied properly, cut out many common threats. Antivirus is not a comprehensive solution to all risks, however. Modern threats, particularly social engineering, require more robust defences like MFA. Cyber teams also need to continuously educate employees, as modern attacks use many techniques to evade detection, including some that don’t use viruses at all. Simulations, as mentioned above, together with surprise testing or ‘red teaming’ exercises, really cultivate a culture of vigilance, encouraging employees to be suspicious of unexpected requests or unfamiliar communications.

The explosion in AI has benefited cybercriminals, who are able to quickly and easily create more convincing and sophisticated threats. AI is also helping the cybersecurity industry by introducing a high level of automation in security defences. However, even with AI, some human oversight will still be necessary to validate that controls are working as intended.

Clearly, while more sophisticated and comprehensive security solutions can reduce risk more effectively, SMBs without the luxury of enterprise resources can still raise their cybersecurity posture by using resources provided by governmental cybersecurity agencies. Most provide standards, checklists and resources that can help any business evaluate its preparedness and implement procedures for identifying, slowing, and hopefully stopping risky activity.

Be concerned, but not alarmed

The cybersecurity industry is a big business, and its marketing relies on pointing out the very real risks that bad actors and their actions can bring upon anyone. In addition, reading security industry articles can make for a great deal of doom and gloom for the smaller business that may not have a CISO, a large IT staff, or the latest and greatest security technologies.

Have realistic expectations. No security system can guarantee 100% success in stopping all threats. However, even a modest budget and the right information and culture can create robust security measures and significantly reduce the likelihood and impact of an incident, attack, or breach.
