In today’s interconnected digital landscape, cybersecurity remains a critical concern for businesses and organisations worldwide. The UK Government’s Cyber Security Breaches Survey 2024 highlights the alarming prevalence of cyberattacks, with 50% of businesses and 32% of charities reporting at least one cyber breach in the past 12 months. Medium and large businesses and high-income charities face even higher risks, with over 70% experiencing cyber incidents.

Among these threats, phishing remains dominant, affecting 84% of businesses and 83% of charities that reported breaches. Yet, the landscape is far from static. As Darren Thomson, Field CTO EMEAI at Commvault, explains: “In 2025, we need to be prepared to ride a new wave of existing challenges. Take phishing for example: the 2024 UK Government’s Cyber Security Breaches Survey identifies it as the most predominant attack vector, affecting 84% of those breached. But while phishing itself is not new, cyber-attacks like this have only grown in complexity as attackers exploit six ‘mega trends’ in technology: artificial intelligence (AI), cloud computing, social media, software supply chains, the emergence of homeworking, and the Internet of Things (IoT). These trends collectively accelerate the scale and impact of attacks, making a solely preventive approach redundant.”

Cybersecurity: from prevention to resilience

Traditional approaches to cybersecurity have prioritised prevention, yet the evolving threat landscape demands a paradigm shift. The Cyber Security Breaches Survey reveals that while organisations invest in cyber hygiene—such as using up-to-date malware protection (83%) and implementing network firewalls (75%)—these measures alone are insufficient to counter increasingly sophisticated attacks.

Thomson underscores this necessity for change: “We need a clear pivot towards ‘right of bang’ thinking, shifting focus to what happens after an inevitable breach (the ‘bang’), aiming to build resilience in the centre of business operations. This shift acknowledges that cyber threats are not solely issues for IT departments but for entire businesses. The goal is to become cyber mature – defined by a robust recovery plan, awareness at all levels of the organisation, and with a strategic emphasis on resilience.”

This shift to resilience involves more than just deploying technical solutions. It requires fostering a cyber-aware culture across organisations, where leadership and employees alike understand their roles in safeguarding data and systems.

The costs of inaction

The survey also reveals the financial toll of cyber incidents. The average cost of the most disruptive breach for small businesses is approximately £1,205, rising to £10,830 for medium and large businesses. For charities, the cost is around £460. Despite these figures, only 22% of businesses and 19% of charities have formal incident response plans in place.

This lack of preparation amplifies the risks organisations face. Thomson adds: “A key driver of this strategy for 2025 is the recognition that organisations often lack this resilience in their cybersecurity position. Traditional approaches have prioritised prevention (‘left of bang’) but have not effectively prepared organisations for rapid recovery. Today, however, resilience means having both defensive capabilities and post-attack recovery plans. This requires more than just the latest solutions – it also includes fostering a cyber-aware culture across all levels, from leadership teams who understand the implications of cybersecurity, to employees who recognise their own roles in safeguarding data.”

Cybersecurity: what lies ahead for 2025

As we move into 2025, the survey and expert insights point to an undeniable reality: cyber threats are unavoidable, but their impact can be mitigated through proactive resilience strategies. Larger businesses are leading the way, with 58% having a formal cyber strategy and 63% implementing security monitoring tools. However, smaller organisations must catch up to withstand the growing scale and complexity of threats.

Thomson concludes: “Looking to 2025, the pivot towards a resilience-first strategy in cybersecurity is likely to define success for businesses worldwide. As cyber threats grow in scale and complexity, the emphasis on recovering quickly and effectively is no longer optional – it’s essential. Organisations must adapt to the new normal of unavoidable cyber incidents and take proactive steps to ensure they can withstand and bounce back from potential breaches.”

By prioritising resilience and fostering a culture of cybersecurity awareness, organisations can navigate the complexities of the digital age and emerge stronger in the face of adversity.