A new report reveals that UK companies are facing a rise in cyber security risks across various threats.

London, December 16 2024 – Cyber security is an increasingly pressing concern for organisations and businesses across the United Kingdom. A recent report by Horizon3.ai, a leading cyber security company, reveals that the threat of cyber attacks is constantly evolving and presents a significant risk to companies of all sizes. The “Cyber Security Report UK 2024/25” surveyed 150 organisations across the UK and highlights the need for companies to strengthen their defences against cyber threats before an attack occurs.

According to cyber security expert Keith Poyser, the common misconception that software can be made completely invulnerable or that conventional cyber security defences are sufficient is a dangerous misjudgement. “Most organisations today use dozens, if not hundreds, of software applications and solutions, creating an expansive attack surface. A vulnerability remains harmless only until a hacker uncovers how to exploit it. Real world exploitable vulnerabilities are chained together to form effective attack paths, with clear business impact,” Poyser warns. This underscores the importance for companies to test their defences from an attacker’s perspective.

The survey findings reveal that almost half of the organisations (48%) regard stolen user and admin credentials as one of the most significant cyber security threats they face. Additionally, 42% of respondents identify insufficiently secured data and/or unknown data stores as a significant potential risk to their organisations. This is a key takeaway from the “Cyber Security Report UK 2024/25” by Horizon3.ai.

The report also reveals that more than a quarter (29%) of companies consider attacks via unpatched but known security vulnerabilities in corporate networks to be a major threat. Another 27% are concerned about incorrectly configured software and/or hardware devices as a source of potential risk. “These issues are a prime opportunity for cybercriminals. At the end of the day, a considerable proportion of the successful cyberattacks are the result of human error,” says Poyser.

To address these growing cyber threats, Poyser recommends continuous penetration testing – self-assessments of an organisation’s infrastructure to identify vulnerabilities and other weaknesses in advance. However, the survey reveals that nearly a third of organisations (32%) do not conduct penetration tests. “Autonomous penetration tests are easy to implement, cost-effective, and most importantly, proactively test your environment from an attacker’s perspective – exactly what is needed in the face of the rapidly increasing cybercrime threat,” argues Poyser.

The “Cyber Security Report UK 2024/25” underscores the growing severity of cyber threats: 69% of the companies surveyed revealed they had fallen victim to a cyberattack at least once in the past two years. The survey, which gathered insights from 150 executives and IT professionals, covers a diverse range of industries and critical infrastructures.

Other potential threats identified by the surveyed executives include zero-day and/or N-day vulnerabilities (20%), poor or inadequate security controls (16%), shadow IT, meaning software or hardware in use that is unknown to the company’s IT team (14%), weak and/or unenforced security policies (5%), insufficient security budgets (4%), and little or no attention to security (2%).

“Managers are recognising that a combination of cyber risks within their organisations is becoming increasingly difficult to manage,” says security expert Keith Poyser. In his view, a solution is clear: “Companies must regularly test the security of their IT infrastructures through self-initiated attacks in the form of continuous, autonomous penetration testing that focuses on real world exploitable attack paths, prioritises, shows remediation and then verifies that the attack path is fixed.”

“It is no surprise that Richard Horne of the NCSC recently issued such a stark warning on cyber security,” says Poyser. The new CEO of the National Cyber Security Centre (NCSC) said in a recent speech that cyber risk in the UK is “widely underestimated” and that the gap between the exposure and threat we face and the defences that are in place to protect us is widening. “The increasing frequency and complexity of these attacks highlights the urgent need for organisations to strengthen their cyber security defences and remediate exploitable weaknesses to protect themselves from financial and reputational damage,” adds Poyser.

If critical data falls into the hands of cybercriminals, it can result in major outages and significant financial losses. This is evident as 62% and 54% of surveyed companies reported experiencing downtime and ransom demands, respectively. Additionally, the costs associated with data recovery are considerable, alongside the extra workload and potential legal ramifications for the business. Data breaches are especially damaging to critical infrastructures, as they can compromise the functionality of vital systems.

The survey also reveals that 66% of the companies surveyed admitted that they have little to no adequate protection against cyberattacks, while only 17% have taken measures but consider them insufficient. Just 9% were confident that their protection against cyberattacks is complete. “These results show that while awareness

Derick is an experienced reporter having held multiple senior roles for large publishers across Europe. Specialist subjects include small business and financial emerging markets.
