The study cautions against the “head-in-the-sand” approach to cybersecurity.

UK Organisations Neglecting Cyber Risk Assessments Despite Growing Threats, According to Cybersecurity Report

London, UK – A recent report by cybersecurity company Horizon3.ai has revealed that at least half of UK organisations are neglecting to assess their operational cyber risks. The report, titled “Cyber Security Report 2024/2025” and conducted by Horizon3.ai, surveyed 150 UK organisations.

According to the report, only 23% of the companies regularly conduct risk assessments of their IT infrastructure to determine their vulnerability to cyberattacks. This neglect is concerning, especially given the increasing threats in the cybersecurity landscape and the requirements of regulations such as DORA and NIS2.

Keith Poyser, Vice President for EMEA at Horizon3.ai, raises a key concern: “Regular assessment of operational cybersecurity is essential to meet both current and forthcoming legal requirements for IT security. This includes the Cyber Security and Resilience Bill, set to be introduced to Parliament this year, alongside European regulations like the Cyber Resilience Act (CRA), which also impact UK organisations working with EU partners.”

Poyser adds, “Moreover, ongoing evaluations are the only effective way to mitigate the potentially severe consequences of cyberattacks. Companies that neglect to assess their cyber resilience are knowingly putting themselves at considerable risk.”

The report also highlights that nearly a third of organisations acknowledge their weaknesses in this area. While 31% currently do not conduct cyber risk assessments, they intend to address this gap in the future. However, 29% perform assessments only once a year, which is insufficient to stay ahead of evolving threats.

The government’s Cyber security breaches survey 2024* estimates that UK businesses experienced approximately 7.78 million cybercrimes of all types within a 12-month period. Poyser warns, “Limiting penetration testing, getting a true attacker’s perspective of your computing and cloud environments to just once a year borders on negligence.”

The report also reveals that 13% of companies do not test their defences against cyberattacks at all, leaving them vulnerable to potential attacks. Poyser criticises “a widespread head-in-the-sand approach to cybersecurity” in many organisations and explains, “Businesses install common defensive devices like firewalls, Endpoint Detection and Response (EDR), Cloud Native Application Protection Programmes (CNAPPs), and similar defensive security tooling, then simply rely on them to keep all types of attacks away from their environments.”

The report also highlights a concerning imbalance in cybersecurity strategies, with 34% of companies solely relying on defensive measures without actively testing their resilience. Only 7% regularly engage in structured Red and Blue Team testing, and 15% recognise the need for offensive security but lack the know-how to implement it.

In light of these findings, Poyser urges organisations to shift from a defensive to a more proactive offensive approach to tackle cybersecurity crises. He also stresses the importance of regular risk assessments, stating, “The UK economy relies far too heavily on the assumption that defense systems will work when needed, without systematically verifying their effectiveness.”

The report also notes that among companies that conduct annual or periodic evaluations, 42% bring in external service providers, highlighting the reliance on external expertise in the industry.

Horizon3.ai, through its cloud-based platform, NodeZero, aims to provide affordable, regular pentesting to organisations and public authorities. The platform continuously monitors the cybercrime landscape and offers tailored recommendations for remediation.

Trademark notice: NodeZero is a trademark of Horizon3.ai.

For more information, visit www.horizon3.ai.

* https://ots.de/pTA7ra

Derick is an experienced reporter having held multiple senior roles for large publishers across Europe. Specialist subjects include small business and financial emerging markets.
