The first section looks at tools, assessments and internal audits.
In this next article, examining the annual government Cyber Security Breaches Survey, we will look at approaches to cybersecurity. This section takes in some of the most common trends in the industry, including risk management, cyber insurance, training and hiring and governance approaches and policies.
The first section covers what companies have done regarding tools, assessments and internal audits. The numbers do not get above 50 percent in any of the results, with 30 percent of businesses saying they “used specific tools designed for security monitoring” whilst 29 percent conducted a “risk assessment covering cybersecurity risks.”
External Testing
Whilst organisations are now considering exercises to better equip staff in the face of social engineering attacks, and red teaming plays a part in the DORA regulation, only 15 percent “carried out a cybersecurity vulnerability audit” and 12 percent employed some form of penetration test.
This number does seem relatively low. Should it be higher, or are these exercises prohibitive in time and cost, both in bringing an external team in and in fixing what they find?
Robert Cottrill, technology director at ANS, suspected that cost concerns are likely preventing many businesses from investing in cybersecurity audits and penetration testing, but said the price of fixing a breach is almost always higher than preventing one.
“Organisations with a lot of external facing systems should conduct pen testing at 12-18 month intervals,” he said. “If you’re looking for a guideline on how much time and money to invest in measures, like pen testing, it should reflect the company’s size, sector, and service model. For example, organisations within critical national infrastructure and supply chain services might experience a greater level of targeting, due to the sensitive data they manage and high level of disruption which could be achieved.”
Matt Hull, head of threat intelligence at NCC Group, said: “Penetration testing might feel time consuming and intensive for businesses at the time, but it’s an essential component for building long-term cyber resilience. If only 12 percent of businesses are carrying out these tests, it suggests that an overwhelming majority are willing to risk attackers finding their weaknesses, rather than taking proactive steps to identify their own vulnerabilities.
“Whilst testing your cyber resilience can seem costly, being proactive is essential for preventing significant operational disruptions that can have severe financial implications.
“Do you know where all of your data is stored? Do you know who has access and for how long? Having visibility is crucial, and penetration testing often brings to light forgotten systems, shadow IT, or misconfigurations that may be exposing your organisation. Otherwise you risk downtime, reputational damage, and even more costly cyber incident response, all of which could have been prevented.”
Supply Chain
This section also covered supply chain cybersecurity, and after some notable incidents in 2024, you would presume that this would have been pushed up the agenda. Instead, the survey found that relatively few businesses or charities were taking steps to formally review the risks posed by their immediate suppliers and wider supply chain.
It found that just over one in ten businesses said they reviewed the risks posed by their immediate suppliers (14 percent) and under one in ten were looking at their wider supply chain (seven percent).
The survey notes that these questions have been asked since the 2020 study, and the results have remained relatively stable. In 2023, there was an increase among large businesses saying they reviewed the risks posed by their immediate suppliers (55 percent) and wider supply chain (34 percent).
This fell back down to pre-2023 levels in 2024 (48 percent reviewing risks posed by immediate suppliers and 23 percent reviewing the wider supply chain) and continued to remain in line this year (45 percent reviewing risks of immediate suppliers and 25 percent reviewing risks of the wider supply chain).
This may come down to strategy, which the survey also covered: asked whether they had a formal cybersecurity strategy in place, 70 percent of large businesses said they had a document underpinning all policies and processes relating to cybersecurity.
It also found that 58 percent of medium businesses had a policy, whilst the proportion of high-income charities that had a strategy in place has fallen from roughly half (47 percent) in 2024 to around four in ten (39 percent) this year.
Among the larger organisations that had a cybersecurity strategy in place, around eight in ten businesses (82 percent) and three-quarters of charities (76 percent) reported that this had been reviewed by senior executives or trustees within the last 12 months.
Cottrill recommended that CISOs and senior leadership review the cybersecurity strategy at least once a year, to ensure it is keeping pace with evolving threats and aligns with long-term business goals. “That doesn’t mean it should sit untouched in between; instead it should be a living strategy,” he said.
“Risk registers and tactical adjustments should be made regularly to reflect the evolving threat landscape. With the rise of AI, attack groups have faster tech at their disposal, so businesses need to meet this with the same amount of energy in their cyber practices.
“Ultimately, CISOs should be leading their business’s cyber security strategies, so they can feed them into Board meetings regularly. This will allow the wider board to become familiar with the strategy, so they can meet potential risks with confidence, and communicate it widely so the entire business is aligned and works collaboratively to avoid the risk of a cyber-attack.”
Policy in Place
In a similar vein, around a third of businesses (36 percent) and charities (35 percent) had a formal cybersecurity policy in place. These may form part of a wider policy within the organisation, such as the IT policy. Separately, 32 percent of businesses and 23 percent of charities had a business continuity plan that covered cybersecurity.
The survey also found that 79 percent of businesses and 70 percent of charities reviewed those policies at least annually.
Fall Back Option
Finally, let’s look at cyber insurance. Is it a solution to cyber issues, a fall back option, or even a business requirement? Well, 45 percent of businesses and a third of charities reported being insured against cyber security risks in some way.
However, those figures need some context: in most cases, organisations’ cybersecurity insurance was part of a wider insurance policy, and only seven percent of businesses and five percent of charities had a specific cybersecurity insurance policy.
As in previous years, small and medium businesses were more likely to have some form of cyber insurance (62 percent of small businesses and 65 percent of medium businesses). This may reflect a balance between cost (being able to afford cover) and not having the skills or tools to address all cybersecurity risks internally.
Asked why they did not have it, 34 percent of businesses said it was not a budgetary priority, and 37 percent said they were “not aware of cyber insurance.” Both charities and businesses, 13 percent of each, cited it as being too expensive, and 28 percent of businesses said their “leadership [is] not interested in cyber insurance.”
The survey found that businesses and charities which held cyber insurance rarely made claims, even when eligible. Organisations typically felt that claims were not considered worthwhile overall, primarily due to an unfavourable cost-benefit analysis.
Asked why most businesses do not make claims “primarily due to an unfavourable cost-benefit analysis”, Hiscox’s head of technology Adam Atkins said: “Some businesses may fail to make claims because they underestimate the financial impact of an attack or don’t fully understand what their policy covers.
“This often comes from a misunderstanding of the broader consequences of an attack, like reputational damage or customer loss, which can be far more expensive than anticipated. In fact, our 2024 Cyber Readiness Report shows 47 percent of businesses that suffered a cyber-attack found it more difficult to attract new customers, with 43 percent losing existing ones. These are the kinds of instances where cyber insurance acts as a crucial safety net for businesses of all sizes.
“Insurance also isn’t just for major incidents like a ransomware attack. Smaller events, such as business email compromise or third-party data mishandling, can be disruptive and costly without insurance. In some cases, businesses might be absorbing these costs internally, not realising that their policy could cover help like legal advice, forensic investigations, and reputational recovery. It’s not always that the cover isn’t valuable – it’s that more education is needed on when and how to use it effectively.”
Is cyber insurance still seen as a ‘nice to have’ rather than a business essential?
Atkins said: “While some companies still view cyber insurance as nonessential, our 2024 Cyber Readiness Report shows that uptake is growing, particularly among larger businesses. This may be because they recognise their exposure and have more resources to manage risk.
“Investing in strong IT systems and cybersecurity doesn’t make a business immune to attack - which some businesses without cyber coverage may assume. Likewise, smaller firms may wrongly assume they’re too small to be a target, when in fact they’re often seen as easier to exploit. In both cases, cyber insurance plays a vital role in helping businesses recover quickly and minimise long-term damage.”
He claims that the perception of cyber insurance as a ‘nice to have’ is gradually shifting, particularly for businesses that have experienced or narrowly avoided a cyber incident. For them, it quickly evolves from a luxury to an essential part of their risk management strategy. That said, work remains to be done to help more businesses understand the true value of cyber insurance, no matter their size or sector.
Approaches to cybersecurity vary from company to company and from vertical to vertical, and whilst there is no one way to resolve everything, there are best practices. Some of these fit within regulatory and compliance frameworks, and are therefore required, whilst others are simply a sensible way of working.
Written by
Dan Raywood is a B2B journalist with 25 years of experience, including covering cybersecurity for the past 17 years. He has extensively covered topics from Advanced Persistent Threats and nation-state hackers to major data breaches and regulatory changes.
He has spoken at events including 44CON, Infosecurity Europe, RANT Forum, BSides Scotland, Steelcon and the National Cyber Security Show, and served as editor of SC Media UK, Infosecurity Magazine and IT Security Guru. He was also an analyst with 451 Research and a product marketing lead at Tenable.