London, 30 June 2025 – Cyberattacks have become a major concern for businesses, with their impact stretching far beyond temporary disruptions. As recent high-profile breaches in the retail sector have shown, a single cyber incident can result in widespread operational outages, severe financial losses, and long-lasting reputational damage. With the frequency and sophistication of these attacks on the rise, executive leadership is under mounting pressure to take a more proactive role in managing cyber risk and ensuring their organisations are prepared to respond effectively.
“As cyberattacks become more relentless, automated, and difficult to detect, and as regulatory expectations intensify, the responsibility of business leaders to protect sensitive systems and data has never been more urgent,” said Keith Poyser, Vice President for EMEA at cybersecurity company Horizon3.ai.
The Economic Impact of Cyberattacks
According to the Cybersecurity Report UK 2024/25 by Horizon3.ai, which surveyed 150 organisations across the United Kingdom, nearly two-thirds reported experiencing at least one cyberattack in the past year. Among those affected, 62% suffered outages or downtime, 54% faced ransom demands, 42% experienced disruption to business operations, and 35% had data stolen. These findings demonstrate the wide-ranging and severe consequences of cyber incidents, which contribute directly to rising financial costs.
Recent attacks on major UK retailers such as Co-op and M&S highlight the real-world impact of these trends. The UK Cyber Monitoring Centre labeled these incidents as “Category 2 systemic events.” The breaches are estimated to have caused combined losses of up to £440 million, including legal costs, business interruption, incident response, reputational damage, and customer remediation. In response, cybersecurity experts have warned of a potential surge in fraud across the UK. The incidents have also sparked increased scrutiny from regulators and renewed calls for businesses to prioritize proactive cyber resilience.
When asked to estimate the total economic damage caused by cyberattacks across the UK, respondents to the Cybersecurity Report UK 2024/25 offered a sobering range: 41% estimated losses between £1–50 billion, while others projected figures as high as £300 billion. While opinions varied, recent industry data suggests the actual financial impact may already exceed £44 billion over the past five years—a figure that highlights the widespread, costly, and escalating threat of large-scale cyberattacks.
Proactive Testing: The Key to Cybersecurity Defense
As the scale and complexity of cyberattacks continue to grow, even well-resourced organisations are finding it increasingly challenging to defend against evolving threats. These pressures are exposing the limitations of traditional, reactive security approaches, which often rely on scheduled risk assessments and static controls. To address this, organisations must adopt offensive security—a proactive approach that uses real-world cyberattack techniques to uncover and address weaknesses before they can be exploited.
“An essential strategy is continuous, autonomous penetration testing of IT infrastructures, which uses real-world cyberattack techniques to identify exploitable attack paths before threat actors can target them. Regular testing allows businesses to stay one step ahead of evolving threats and helps ensure their defenses are capable of withstanding sophisticated cyberattacks,” said security expert Poyser.
Techniques such as penetration testing, red teaming, and autonomous attack emulation allow organisations to assess their systems from an attacker’s perspective. This enables teams to identify critical weaknesses, prioritize remediation efforts, and validate the effectiveness of their defenses under realistic conditions.
Understanding the Growing Liability
It is crucial that the responsibility for cybersecurity does not rest solely with IT departments but becomes a central topic in the boardroom. Cybersecurity is no longer just a technical issue; it is a business-critical concern that impacts revenue, reputation, regulatory compliance, and resilience. Senior leadership must be actively involved in shaping and driving the company’s cybersecurity strategy to ensure comprehensive protection across all levels.
Cybersecurity is increasingly viewed as a legal and compliance matter. While UK law does not routinely assign personal liability to executives for cyber incidents, frameworks like the Network and Information Systems Directive 2 (NIS2) and the Digital Operational Resilience Act (DORA) are introducing stronger expectations for board-level governance—particularly for businesses in critical infrastructure and financial services. These frameworks emphasize the role of leadership in ensuring adequate security measures are in place and require boards to demonstrate oversight of risk management processes.
“UK companies working with EU partners must recognize that they are bound by these regulations. With the increasing frequency and severity of cyberattacks, it is anticipated that more such legislation will be introduced. Organisations are strongly encouraged to act now, learn from the missteps of others, and take proactive steps to avoid the potentially severe consequences down the line.”
About Horizon3.ai and NodeZero: Horizon3.ai provides a cloud-based platform, NodeZero, enabling organisations and public authorities to simulate self-attacks on their IT infrastructure to assess their cyber resilience through penetration testing (pentesting). Thanks to its cloud model, the platform offers affordable, regular pentesting, making it
Derick is an experienced reporter having held multiple senior roles for large publishers across Europe. Specialist subjects include small business and financial emerging markets.