Header image

Identifying, Surviving, and Recovering from Cyber-Attacks

Learning lessons from the UK Government’s Cyber Security Breaches Survey on the theme of surviving cyber-attacks.


The 2024 Cyber Security Breaches Survey reveals a stark picture of the challenges faced by UK businesses in identifying and surviving cyber threats. As cyber-attacks evolve, businesses—especially large enterprises—are seeing a rise in breaches.

This escalation reflects not only their high-profile status as attractive targets but also their increased awareness of cyber risks. Through sophisticated monitoring tools, audits, and red-teaming exercises, companies are uncovering the threats they face.

Yet, as the survey highlights, there's still a considerable gap between recognition and effective response, recovery, and resilience.

Identifying Cyber Breaches: A Growing Awareness
More businesses are actively probing their digital landscapes for risks, adopting security monitoring tools and conducting regular risk assessments. Large enterprises, in particular, have shown the most progress. With increased investments in cyber risk management, these organisations have gained enhanced visibility into the threats targeting them.

Despite this, the survey data highlights that nearly 50 percent of businesses have experienced some form of breach or attack, with phishing emerging as the predominant vector. However, phishing is not typically viewed as a highly disruptive breach type, which raises questions about the perception of threat severity.

It's possible that organisations downplay the impact of phishing, focusing on its commonality rather than its potential consequences.

The Disconnect in Attack Impact and Recovery Times
The data indicates that phishing is widely reported as the most disruptive type of attack. This is surprising given the relative sophistication of other breach types like ransomware, which can cripple operations. Phishing, while prevalent, is often easier to contain compared to malware or data theft, yet 50 percent of surveyed businesses claim it as the most disruptive.

Here’s where the discrepancy lies. While organisations report recovery times of "less than 24 hours" for breaches, the 2024 IBM Cost of a Data Breach report paints a starkly different picture. It takes an average of 258 days to contain a breach. This suggests that many businesses may not fully understand the depth of their cyber risks or, more likely, under-report the true recovery challenges.

The gap between perception and reality is likely driven by a lack of proper post-breach investigation. Many businesses assume recovery once operations are restored, overlooking the latent damage that attackers could still be leveraging, especially when it comes to compromised data or network vulnerabilities.

Incident Response: A Critical Weakness
When it comes to incident response, the survey shows a worrying lack of preparedness across sectors. Only 21 percent of organisations have a documented incident response plan. The numbers are slightly better in the finance and insurance industries, where 51 percent of companies claim to have a plan in place. Still, this leaves a significant portion of UK businesses without formal recovery plans for cyber incidents.

This lack of preparation is a cause for concern. Incident response plans are vital for minimising disruption, coordinating across departments, and engaging third parties like insurers or regulators.

A well-constructed plan also ensures swift communication with key stakeholders during a breach, a critical factor in mitigating financial and reputational damage. Yet, the survey suggests that organisations struggle to document and formalise these processes. Without a plan, businesses may struggle to return to normal operations, and the claim that over 75 percent of organisations “took no time at all” to recover from their most disruptive attack feels overly optimistic.

Communication is Key
One of the most salient findings in the survey is the importance of communication in incident response. Whether it’s relaying the scale of an attack to senior management or notifying regulators and insurance providers, communication breakdowns can extend the time to recovery and exacerbate the damage.

Organisations are gradually recognising this, with an increasing number prioritising cybersecurity awareness across all levels. However, the focus now needs to shift toward more proactive communication strategies—documenting every phase of a cyber response as they would for any business continuity or disaster recovery plan. This formalisation is key to ensuring the “no time at all” recovery metric becomes a repeatable outcome.

Risk-Based Strategies: A Way Forward

To address these gaps, businesses must adopt more risk-based approaches to cyber resilience. Instead of treating all risks equally, companies need to focus on the threats most likely to disrupt their operations.

Cyber risk assessments should align with broader business priorities, ensuring that security teams and executive leadership are aligned on the severity of potential threats.

Incorporating continuous penetration testing, red teaming, and lessons learned from previous attacks can also drive improvement. Surprisingly, only 21 percent of businesses currently perform formal reviews after an attack. This means that most organisations miss crucial opportunities to identify vulnerabilities and strengthen their defences.

The 2024 Cyber Security Breaches Survey highlights that while many businesses are making strides in identifying threats, gaps in response and recovery remain critical. Organisations must bridge these gaps by adopting robust incident response plans, formalising communication channels, and learning from each attack. Only by addressing these weaknesses can businesses reduce recovery times and mitigate the long-term impact of cyber breaches.

As the threat landscapes evolve, businesses need to evolve their approach to resilience, embracing risk-based strategies that not only identify but also anticipate and survive the next wave of attacks.


Lewis Duke
Lewis Duke SecOps and Threat Intelligence Lead Trend Micro
Lewis Duke
Lewis Duke SecOps and Threat Intelligence Lead Trend Micro

Upcoming Events

No events found.