What happened?
New findings published over the past few days have highlighted a challenge many organisations already suspected: cyber attacks remain a routine business risk across the UK.
According to the latest UK Cyber Security Breaches Survey, 43% of UK businesses and 30% of charities experienced a cyber breach or attack during the last year. Medium-sized and large organisations reported even higher levels of exposure. Phishing remains the most common attack method, while ransomware and other forms of cyber extortion continue to evolve.
Separate reporting has also highlighted concerns that many ransomware incidents never become public. Some estimates suggest the majority of attacks remain undisclosed, creating a gap between the cyber threats organisations face and what regulators, customers and suppliers can actually see.
The message is clear: cyber attacks are no longer exceptional events. They are a normal operational risk that organisations must actively manage.
Why it matters
For many organisations, cyber security is still viewed primarily as an IT responsibility.
That approach is becoming increasingly outdated.
When a cyber incident occurs, the consequences rarely stay within the IT department. Operations can stop. Customer services can be disrupted. Supply chains can be affected. Personal data may be exposed. Regulatory reporting obligations can arise. Reputational damage can spread quickly.
The Information Commissioner’s Office (ICO) continues to emphasise that organisations must have appropriate technical and organisational measures in place to protect personal data and respond to incidents effectively. Under UK GDPR, qualifying personal data breaches must be reported to the ICO within strict timescales.
At the same time, government proposals aimed at strengthening cyber resilience and incident reporting indicate that regulatory expectations are continuing to increase.
This means cyber resilience is no longer simply a technology issue. It is a governance issue.
Boards, leadership teams and public sector decision-makers are increasingly expected to understand:
- their cyber risk exposure
- their incident response capabilities
- their supplier and third-party risks
- their ability to recover from disruption
- their compliance obligations
The organisations that perform best are often not those with the largest cyber budgets. They are the organisations with the clearest governance, accountability and preparedness.
What good looks like
Effective cyber resilience starts with visibility.
Organisations should understand what systems they operate, where critical data is stored, who has access to it and which suppliers create potential risks.
Good practice typically includes:
Board-level ownership
Cyber risk should be regularly discussed alongside operational, financial and regulatory risks.
Documented incident response plans
Teams should know exactly what happens if systems are compromised, data is exposed or operations are disrupted.
Regular testing
Plans should be exercised through simulations and practical testing rather than sitting unused in a policy folder.
Supplier assurance
Third-party providers often create significant cyber exposure. Assurance and monitoring should extend beyond internal systems.
Staff awareness
Many successful attacks begin with human error. Training and awareness remain among the most effective controls available.
Continuous improvement
Cyber resilience is not a one-off project. Threats, technologies and regulatory expectations continue to evolve.
What to do now, by organisation size and sector
Small businesses
Focus on fundamentals. Enable multi-factor authentication, keep software patched and up to date, maintain secure backups that are regularly tested, and train staff to recognise phishing attempts.
Mid-sized organisations
Review incident response plans, supplier assurance processes and governance arrangements. Ensure cyber risks are reported to senior leadership in a structured way.
Large organisations
Consider independent cyber assurance reviews, resilience testing and board-level exercises. Review third-party dependencies and critical supplier exposure.
Public sector organisations
Assess compliance against current guidance, strengthen supplier oversight and ensure incident reporting procedures are clearly understood.
Regulated sectors
Review whether governance arrangements, documentation and assurance activities would withstand regulatory scrutiny following a significant incident.
How TPMG helps
TPMG supports organisations through Cyber & Data Assurance, Internal Audit & Risk Assurance, Incident Recovery and Policy Shop services.
We help organisations understand cyber risks, strengthen governance, review policies and controls, test resilience arrangements and improve preparedness before incidents occur.
Our focus is practical assurance that helps organisations build confidence, improve resilience and demonstrate effective governance to customers, regulators and stakeholders.