UK Organisations Failing to Assess Cyber Risks
A new report from cybersecurity firm Horizon3.ai has revealed that half of UK businesses fail to conduct regular cybersecurity risk assessments, leaving them vulnerable to attacks. The Cyber Security Report 2024/2025, based on a survey of 150 UK organisations, found that only 23% of companies routinely evaluate their IT infrastructure for vulnerabilities.
Keith Poyser, Vice President for EMEA at Horizon3.ai, warns that ignoring cybersecurity assessments poses significant risks, not only from potential cyber threats but also from non-compliance with evolving regulations such as the Digital Operational Resilience Act (DORA) and NIS2 Directive.
Cyber Resilience Requires Ongoing Evaluation
The report highlights a concerning trend: 29% of organisations assess their cyber risks only once a year, an approach that fails to keep up with evolving threats. Meanwhile, 31% acknowledge their shortcomings and plan to address them in the future, but that still leaves many businesses exposed.
The UK government’s Cyber Security Breaches Survey 2024 estimates that UK businesses experienced approximately 7.78 million cybercrimes in the past year alone. Despite this, many companies still take a passive approach to cybersecurity.
Keith Poyser criticises the lack of proactive security measures, stating, “Limiting penetration testing to just once a year is like taking your car for an MOT once every hundred years. The odds of survival are not in your favour.”
A “Head-in-the-Sand” Approach to Cybersecurity
Perhaps most concerning, 13% of businesses do not test their cyber defences at all. Instead, their systems are effectively being tested by cybercriminals, with no internal assessments in place. Furthermore, 11% have no intention of changing their approach, meaning they will remain unaware of potential threats until an attack occurs.
Cybersecurity expert Poyser warns of overreliance on defensive security tools such as firewalls and Endpoint Detection and Response (EDR) systems. He explains, “Many organisations assume these solutions alone will prevent attacks, yet they rarely test their effectiveness through penetration testing.”
This lack of testing explains why 23% of surveyed organisations admitted they have no idea whether they have suffered a cyberattack in the past two years. Without proactive security measures, businesses are left exposed to unseen threats.
The Need for a Proactive Security Strategy
The report also reveals a worrying imbalance in cybersecurity strategies across UK businesses:
- 34% rely solely on defensive tools without testing their resilience.
- 21% conduct occasional security exercises but do not maintain a structured approach.
- Only 7% engage in regular Red and Blue Team testing, the industry standard for robust cybersecurity.
- 15% recognise the need for offensive security but lack the internal expertise to implement it.
- 18% rely entirely on external consultants for critical security testing.
Cybersecurity experts stress the importance of penetration testing (pentesting), a simulated cyberattack that evaluates a company’s resilience against real-world threats. 42% of businesses outsource their risk assessments, while just 16% conduct them in-house.
US cybersecurity expert Bruce Schneier famously said, “You can’t defend. You can’t prevent. The only thing you can do is detect and respond.” Poyser echoes this sentiment, stating, “The UK economy relies too much on the assumption that defence systems will work without testing them. We need to move from a defensive mindset to an offensive strategy to combat cybersecurity threats effectively.”
The Future of Cybersecurity: A Call for Action
With new regulations like the Cyber Security and Resilience Bill set to be introduced in Parliament this year, businesses can no longer afford to ignore cybersecurity assessments. As threats continue to evolve, companies must move beyond outdated, reactive approaches and adopt proactive security measures to protect their operations and data.