The fundamental question facing cybersecurity professionals today isn't whether our perimeter defences will hold, but rather what happens when they inevitably fail.
After years of observing the evolution of cyber threats, I've become increasingly convinced that the industry's fortress mentality represents not just an outdated approach, but a potentially dangerous one. With ransomware attacks doubling against UK SMEs according to government data¹, we're witnessing a paradigm shift that demands a corresponding evolution in our defensive strategies.
The traditional model of cybersecurity (focused primarily on prevention and perimeter defence) is being systematically dismantled by adversaries who understand that the most effective attack isn't necessarily the most sophisticated one.
The data presents a compelling argument for what security professionals term "assume breach" thinking. Consider the temporal dynamics of modern attacks: ransomware breakout times have accelerated to just 48 minutes on average, with the fastest recorded breach occurring in 51 seconds². This compression of attack timelines fundamentally challenges our ability to respond effectively using traditional detection and response methodologies.
Furthermore, the persistence of social engineering as an attack vector reveals systemic vulnerabilities in our current approach. Phishing continues to dominate the threat landscape, affecting 84-85% of breached UK organisations¹, despite decades of awareness initiatives. This success rate correlates directly with a critical gap in organisational preparedness: only 18% of UK businesses provide cybersecurity training to employees¹.
The sophistication of modern ransomware operations presents perhaps the most concerning trend. Research indicates that contemporary ransomware incidents increasingly target not only primary systems but also backup repositories³. This evolution demonstrates that adversaries have developed a thorough understanding of organisational recovery processes and are systematically targeting the very mechanisms businesses rely upon for resilience.
Recent state-sponsored attacks have demonstrated that even the most robust defensive architectures can be compromised⁴. These incidents serve as a stark reminder that if military-grade networks with virtually unlimited security budgets can be breached, the security assumptions of smaller organisations require fundamental reassessment.
The implications extend beyond individual organisations. When significant proportions of organisations experience cyber-attacks⁵, we're witnessing a systemic failure that suggests our collective defensive strategies are inadequate for the current threat environment.
The disconnect between organisational confidence and actual capability represents a critical vulnerability. Research reveals that whilst more than 60% of organisations believe they can recover from a downtime event within hours, only 35% actually possess this capability⁶.
This overconfidence manifests across multiple dimensions of preparedness:
For UK SMEs specifically, the resource allocation patterns reveal concerning priorities. Over one-third spend less than £100 annually on cybersecurity¹, whilst facing increasingly sophisticated threat actors. This minimal investment contrasts sharply with the substantial costs associated with incident response and recovery.
The financial implications of inadequate preparedness extend well beyond immediate ransom demands. UK SMEs typically encounter significantly higher costs when accounting for comprehensive response activities, including forensic investigation, legal defence, cybersecurity expertise, and ongoing monitoring services. These expenses create extended financial impact that can compromise cash flow sustainability for months¹.
However, organisations that maintain robust incident response capabilities and conduct regular recovery testing demonstrate measurably superior outcomes, saving an average of £2.1 million during disaster scenarios⁸. This differential highlights the economic rationality of investing in resilience capabilities rather than solely focusing on preventive measures.
The transition from prevention-centric to resilience-focused security requires treating backup, disaster recovery, and incident response as primary security controls rather than auxiliary IT functions. This architectural shift acknowledges that modern threats demand convergence between traditional security disciplines and business continuity planning.
Foundational Security Hygiene: Before implementing sophisticated resilience measures, organisations must establish basic security controls. Current adoption rates reveal significant gaps: only 39% of UK SMEs implement two-factor authentication, and merely 34% maintain policies for timely software updates¹. These fundamental controls can prevent many breach scenarios whilst requiring minimal resource investment.
Recovery Capability Validation: Only 54% of organisations maintain documented disaster recovery plans⁸. For organisations lacking formal plans, this represents the immediate priority. For those with existing documentation, regular validation through comprehensive testing becomes essential. Testing procedures should simulate realistic attack scenarios rather than simplified technical failures.
Backup Infrastructure Security: Given that modern ransomware attacks increasingly target backup repositories³, backup strategies require security sophistication equivalent to primary system protection. This includes implementing air-gapped backup systems, ensuring geographic distribution, and establishing secure recovery procedures that can function independently of potentially compromised primary infrastructure.
Human Factor Enhancement: With phishing affecting 84-85% of breached organisations¹, investment in human capability development often yields superior returns compared to additional technological solutions. Training programmes should focus on realistic threat scenarios and practical response procedures rather than abstract security concepts.
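The Recovery Capability Validation and Backup Infrastructure Security points above can be checked in a restore drill. The following is an added example, not code from the original article or from TIEVA: it compares a test restore against an authenticated manifest kept apart from primary systems and against a recovery time objective. The function names, the HMAC key handling, the file names and the 4-hour objective are all assumptions made for illustration.

```python
import hashlib, hmac, json, tempfile
from pathlib import Path

def _listing(root: Path) -> dict:
    """Map each file's relative path to its SHA-256 digest."""
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(root.rglob("*")) if p.is_file()}

def _mac(files: dict, key: bytes) -> str:
    body = json.dumps(files, sort_keys=True).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()

def build_manifest(root: Path, key: bytes) -> dict:
    """Run at backup time; keep the manifest and the key away from primary systems."""
    files = _listing(root)
    return {"files": files, "mac": _mac(files, key)}

def verify_restore(restored: Path, manifest: dict, key: bytes,
                   elapsed_s: float, rto_s: float) -> dict:
    """Compare a test restore with the manifest and the recovery time objective."""
    if not hmac.compare_digest(_mac(manifest["files"], key), manifest["mac"]):
        raise ValueError("manifest failed authentication; do not trust this backup set")
    expected, actual = manifest["files"], _listing(restored)
    missing = sorted(set(expected) - set(actual))
    altered = sorted(f for f in expected if f in actual and actual[f] != expected[f])
    unexpected = sorted(set(actual) - set(expected))
    intact = not (missing or altered or unexpected)
    return {"missing": missing, "altered": altered, "unexpected": unexpected,
            "rto_met": elapsed_s <= rto_s, "passed": intact and elapsed_s <= rto_s}

def run_drill() -> dict:
    """Constructed drill: one restored file is altered, one is absent, one is new."""
    key = b"constructed-demo-key"  # assumption: a real key would be held offline
    with tempfile.TemporaryDirectory() as tmp:
        src, dst = Path(tmp, "source"), Path(tmp, "restored")
        for d in (src, dst):
            (d / "finance").mkdir(parents=True)
        (src / "finance/ledger.csv").write_text("id,amount\n1,100\n")
        (src / "finance/payroll.csv").write_text("id,salary\n1,3000\n")
        (src / "readme.txt").write_text("constructed sample data\n")
        manifest = build_manifest(src, key)
        (dst / "finance/ledger.csv").write_text("id,amount\n1,100\n")      # intact
        (dst / "finance/payroll.csv").write_bytes(b"\x8f\x02 unreadable")  # altered
        (dst / "unexpected_note.txt").write_text("constructed\n")          # not in manifest
        # readme.txt is deliberately left out of the restore
        return verify_restore(dst, manifest, key, elapsed_s=5400, rto_s=4 * 3600)

if __name__ == "__main__":
    print(json.dumps(run_drill(), indent=2))
```

A drill that restores within the objective still fails here because the restored data does not match what was backed up, which is the gap between believed and actual recovery capability.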
The current threat landscape presents UK SMEs with a particularly challenging environment. The combination of resource constraints, skills shortages, and sophisticated adversaries creates conditions where traditional security approaches may prove counterproductive.
Nearly 60% of UK SMEs operate without cyber insurance coverage⁹, creating substantial exposure to potentially business-ending financial losses. This coverage gap, combined with minimal security investment, suggests that many organisations are operating under fundamentally flawed risk assessments.
The solution requires acknowledging that perfect prevention is neither achievable nor economically rational for most SMEs. Instead, organisations should focus on building robust recovery capabilities that enable rapid restoration of operations following successful attacks.
The assume breach approach represents more than tactical adjustment; it constitutes a fundamental redefinition of security success. Rather than measuring effectiveness solely through prevented incidents, organisations must develop metrics around recovery speed, business continuity maintenance, and operational resilience.
For UK SMEs operating in today's threat environment, this shift from prevention-focused to resilience-focused security isn't merely advisable; it's essential for long-term viability. The evidence suggests that organisations investing in comprehensive backup, disaster recovery, and incident response capabilities achieve measurably superior outcomes when facing cyber incidents.
The question for business leaders isn't whether they can afford to implement robust resilience capabilities, but whether they can afford to operate without them in an environment where successful attacks have become statistically inevitable.
Mike Dance is the Cyber Team Lead at TIEVA, where he oversees cybersecurity strategy, implementation, and innovation across customer environments and internal systems. With a background in both hands-on technical roles and leadership within MSP settings, Mike specialises in delivering effective, scalable security solutions. He is passionate about helping organisations strengthen their cyber resilience through practical guidance, strategic thinking, and continuous improvement.
1. Department for Science, Innovation and Technology (2025) _Cyber security breaches survey 2025_. Available at: https://www.gov.uk/government/statistics/cyber-security-breaches-survey-2025 (Accessed: 23 July 2025).
2. CrowdStrike (2025) _2025 global threat report_. Available at: https://www.crowdstrike.com/resources/reports/global-threat-report/ (Accessed: 23 July 2025).
3. Expert Insights (2025) '50 cloud backup stats you should know in 2025', _Expert Insights_, 4 April. Available at: https://expertinsights.com/insights/cloud-backup-stats/ (Accessed: 23 July 2025).
4. IT Pro (2025) 'All US forces must now assume their networks are compromised after Salt Typhoon breach', _IT Pro_, 18 July. Available at: https://www.itpro.com/security/cyber-attacks/all-us-forces-must-now-assume-their-networks-are-compromised-after-salt-typhoon-breach (Accessed: 23 July 2025).
5. Prolion (2025) 'Why you need to "assume breach" for cybersecurity', _Prolion Blog_, 24 March. [_Note: Modified to remove unverified 66% statistic_]. Available at: https://prolion.com/blog/assume-breach/ (Accessed: 23 July 2025).
6. Unitrends (2025) 'The state of backup and recovery report 2025', _Unitrends Resources_, 20 January. Available at: https://www.unitrends.com/resources/the-state-of-backup-and-recovery-report-2025/ (Accessed: 23 July 2025).
7. Expert Insights (2025) '50 cloud backup stats you should know in 2025', _Expert Insights_, 4 April. Available at: https://expertinsights.com/insights/cloud-backup-stats/ (Accessed: 23 July 2025).
8. Invenio IT (2025) '25 disaster recovery statistics that prove every business needs a plan', _Invenio IT Continuity_, 28 April. Available at: https://invenioit.com/continuity/disaster-recovery-statistics/ (Accessed: 23 July 2025).
9. GlobalData (2025) _UK SME insurance survey 2025_. Referenced in Life Insurance International. Available at: https://www.lifeinsuranceinternational.com/analyst-comment/uk-broker-growth-cyber-insurance/ (Accessed: 23 July 2025).