Study warns on "Head-in-the-Sand" approach to cybersecurity

At least half of UK organisations are neglecting to assess their operational cyber risks, despite the increasing threats in the cybersecurity landscape and the requirements of regulations such as DORA and NIS2, according to Keith Poyser, Vice President for EMEA at cybersecurity company Horizon3.ai.

Wednesday, 5th February 2025, posted by Phil Alsop

He cites findings from Horizon3.ai's “Cyber Security Report 2024/2025”, which surveyed 150 UK organisations. The report reveals that only 23% of the companies regularly conduct risk assessments of their IT infrastructure to determine how vulnerable they are to cyberattacks.

Industry veteran Keith Poyser raises a key concern: "Regular assessment of operational cybersecurity is essential to meet both current and forthcoming legal requirements for IT security. This includes the Cyber Security and Resilience Bill, set to be introduced to Parliament this year, alongside European regulations like the Cyber Resilience Act (CRA), which also impact UK organisations working with EU partners. Moreover, ongoing evaluations are the only effective way to mitigate the potentially severe consequences of cyberattacks. Companies that neglect to assess their cyber resilience are knowingly putting themselves at considerable risk."

Cyber Resilience Requires Regular Maintenance

Nearly a third of organisations acknowledge a weakness in this area: 31% currently conduct no cyber risk assessments but say they intend to address the gap in future. A further 29% perform assessments only once a year, a snapshot that is quickly out of date and insufficient to stay ahead of evolving threats.

The government's Cyber security breaches survey 2024 estimates that UK businesses experienced approximately 7.78 million cyber crimes of all types in the preceding 12 months. "Limiting penetration testing, getting a true attacker's perspective of your computing and cloud environments, to just once a year borders on negligence," warns Poyser. He offers a striking analogy: "It's like taking your car for an MOT once every hundred years. It might survive the century, but the odds are far from being in your favour."

Head-in-the-Sand Policy on Cybersecurity

According to the study, 13% of companies do not test their defences against cyberattacks at all—leaving them to be "tested" only by an actual attack. Furthermore, 11% have no plans to change this approach in the future. The remaining respondents either saw no need for such measures, were unable to provide an answer, or stated in the survey: "We are not aware of any cyber risks."

Cybersecurity leader Poyser criticises "a widespread head-in-the-sand-approach to cybersecurity" in many organisations. He explains: "Businesses install common defensive devices like firewalls, Endpoint Detection and Response (EDR), Cloud Native Application Protection Programmes (CNAPPs), and similar defensive security tooling, then simply rely on them to keep all types of attacks away from their environments. Penetration tests to assess the effectiveness of these measures are rarely carried out." This could explain why 23% of the organisations surveyed admit they have no idea whether they have suffered a cyberattack in the past two years.

From Defensive to Proactive: The Key to Cybersecurity Success

The survey reveals a concerning imbalance in cybersecurity strategies and suggests that the lack of preparedness may stem from passive and uncertain approaches to security. 34% of companies reported that they rely solely on defensive measures without actively testing their resilience, while 21% at least conduct occasional offensive exercises. Only 7% regularly engage in structured Red and Blue Team testing, and 15% recognise the need for offensive security but lack the know-how to implement it. Meanwhile, 18% delegate these tasks to external consultants. This reactive mindset leaves many organisations exposed to cyber threats they have never measured.

This reliance on external expertise extends to risk assessments as well. Among companies that conduct annual or periodic evaluations, 16% handle them in-house, while 42% bring in external service providers. A pentest is a full-scale simulated cyberattack on a company's IT infrastructure, carried out to test its resilience against real-world threats. As US cybersecurity expert Bruce Schneier put it, "You can't defend. You can't prevent. The only thing you can do is detect and respond."

Cybersecurity expert Poyser confirms: "The UK economy relies far too heavily on the assumption that defence systems will work when needed, without systematically verifying their effectiveness. We need to shift from a defensive to a more proactive offensive approach to tackle cybersecurity crises."
