
Simon Hodgkinson at Semperis describes the importance of shifting focus from cyber-security to business resilience
Cyber-risk has long been dismissed by business leaders as something for the IT team to worry about. But thanks to skyrocketing levels of cyber-crime, the perceived gulf between cyber-security and business risk is finally closing. A proliferation of regulations is also helping to focus minds. The likes of DORA and NIS2 explicitly position cyber-security as a critical enabler of business continuity and resilience.
As the business benefits of enhancing security posture become clearer, C-suite perceptions are finally changing. Now it’s time to ensure that cyber-resilience efforts are truly fit for purpose to support the business.
Business resilience is fundamentally about anticipating risk and ensuring you have the people, processes and technology in place so that the organisation can absorb any future shocks to the system. Few events come close to testing this resilience as ruthlessly as ransomware.
The threat has become pervasive across virtually all sectors because it is a highly effective way for threat actors to generate income. According to our 2025 Ransomware Risk Report, over three-quarters (78%) of global organisations were targeted in the past year.
The job of ransomware affiliates is made easier by digital transformation investments that have expanded the typical corporate attack surface. Initial access is most commonly achieved via vulnerability exploitation, phishing and the use of previously compromised credentials, often harvested by infostealers. Once inside, attackers make a prime target of identity systems such as Active Directory (AD) and Entra ID.
They provide a fast track to privilege escalation, lateral movement across systems, and data exfiltration. Once inside an organisation’s identity system, an attacker can quickly take control of the entire network, but may remain undetected for long periods—waiting to strike at a time of their choosing. That’s why the best defensive approach is one of zero trust: assume a breach has already occurred, and work to limit the impact.
If the organisation has no measures in place to block initial access or respond swiftly to an intrusion, the financial, reputational and operational impact can be devastating. We found that around a third (30%) of UK organisations need between one week and one month to resume normal business operations after a ransomware breach, and some take far longer: M&S was unable to process online orders for around six weeks after an Easter attack. The high street retailer said the incident is likely to cost it £300m in lost operating profits in 2025.
Other “expenses” for corporate victims can include job losses, increased cyber-insurance premiums and customer churn. It’s perhaps not surprising, then, that so many victims choose to pay their extortionists. Yet we found that around half of those that do still experience losses of between $500,000 and $1m (£369,000-£740,000) annually, while 15% fail to receive usable decryption keys.
More worryingly, 69% of attacks resulted in a payment, and 55% of breached firms paid multiple times over the past year, suggesting that they were revictimised.
Payment may soon not even be an option for some in the UK, as the government is planning to ban ransom payments by some public sector and critical national infrastructure (CNI) organisations. That should make the case for improving cyber-resilience even more urgent.
In a cyber-security context, business resilience begins with bolstering defences against compromise. But as no organisation is 100% breach-proof, it also demands that plans be put in place so an organisation can continue operating even in the event of a security breach.
Start by recognising identity as a tier 0 asset: one whose compromise means every system that trusts it is compromised too. In most organisations, this means Active Directory (AD), a decades-old system that holds the access controls, permissions and privileges for every human and non-human identity in the organisation. An attacker who compromises it really does have the keys to the kingdom.
That’s why it’s critically important to deploy continuous threat monitoring and mitigation across the entire identity ecosystem. Manage risk across this expansive attack surface with automated tools that operate around the clock, closing known weaknesses and flagging suspicious activity such as unexpected additions to privileged groups or changes to sensitive permissions.
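One concrete piece of the monitoring described above is watching for membership grants that land in a tier 0 group, including grants to a harmless-looking group that is itself nested inside a privileged one. The example below is added here and is not code from the article or from Semperis; it assumes the constructed event records shown (shaped like Windows Security log entries for event IDs 4728, 4732 and 4756, “a member was added to a security-enabled global/local/universal group”) and a small constructed snapshot of group nesting. In a real deployment the nesting snapshot would come from a recursive membership query against the directory, and the records from your SIEM.

```python
"""Flag membership changes that grant tier 0 privilege, directly or via nesting.

Added example, not from the article or from Semperis. The events and the
group-nesting snapshot below are constructed for illustration.
"""
from collections import deque

# Built-in AD groups treated as tier 0 in this example.
TIER0_GROUPS = {
    "Domain Admins", "Enterprise Admins", "Schema Admins", "Administrators",
    "Account Operators", "Backup Operators", "Server Operators",
}

# Constructed nesting snapshot: group -> groups that are direct members of it.
# "Helpdesk-L3" sits inside "Account Operators"; "IT-Contractors" inside "Helpdesk-L3".
GROUP_NESTING = {
    "Account Operators": {"Helpdesk-L3"},
    "Helpdesk-L3": {"IT-Contractors"},
    "Domain Admins": set(),
    "Marketing": set(),
}

# Event IDs that record a member being added to a security-enabled group.
MEMBER_ADDED_EVENTS = {4728: "global", 4732: "local", 4756: "universal"}


def effective_tier0_groups(nesting, tier0):
    """Return every group that is, directly or transitively, a member of a tier 0 group.

    Walks the nesting graph downward from each tier 0 group. Adding a user to
    any returned group grants tier 0 privilege, whatever the group is called.
    """
    reach = set(tier0)
    queue = deque(tier0)
    while queue:
        group = queue.popleft()
        for child in nesting.get(group, ()):
            if child not in reach:
                reach.add(child)
                queue.append(child)
    return reach


def parse_event(line):
    """Parse one constructed 'key=value;' record into a dict (EventID as int)."""
    fields = dict(part.split("=", 1) for part in line.strip().strip(";").split(";"))
    fields["EventID"] = int(fields["EventID"])
    return fields


def flag_tier0_grants(lines, nesting=GROUP_NESTING, tier0=TIER0_GROUPS):
    """Return one alert per member-added event whose target is an effective tier 0 group."""
    sensitive = effective_tier0_groups(nesting, tier0)
    alerts = []
    for line in lines:
        ev = parse_event(line)
        if ev["EventID"] not in MEMBER_ADDED_EVENTS:
            continue
        group = ev["TargetGroup"]
        if group in sensitive:
            alerts.append({
                "time": ev["Time"], "actor": ev["Subject"], "member": ev["Member"],
                "group": group, "path": "direct" if group in tier0 else "nested",
            })
    return alerts


# Constructed sample records, not real log data.
SAMPLE_EVENTS = [
    "Time=2025-06-01T02:14:07Z;EventID=4728;Subject=CORP\\svc-sccm;Member=CORP\\jdoe;TargetGroup=Marketing;",
    "Time=2025-06-01T02:15:31Z;EventID=4728;Subject=CORP\\svc-sccm;Member=CORP\\jdoe;TargetGroup=Domain Admins;",
    "Time=2025-06-01T02:16:02Z;EventID=4728;Subject=CORP\\helpdesk1;Member=CORP\\contractor7;TargetGroup=IT-Contractors;",
    "Time=2025-06-01T02:16:40Z;EventID=4624;Subject=CORP\\jdoe;Member=-;TargetGroup=-;",
]

if __name__ == "__main__":
    for a in flag_tier0_grants(SAMPLE_EVENTS):
        print(f"{a['time']} {a['actor']} added {a['member']} to {a['group']} ({a['path']} tier 0)")
```

The third record is the one a naive rule keyed on group names would miss: IT-Contractors is not a privileged group by name, but because it is nested two levels below Account Operators, adding a contractor to it hands out tier 0 rights all the same. Refresh the nesting snapshot as often as the detection runs; a stale snapshot is itself a gap an attacker can use.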
Incident response and recovery are another key pillar of corporate resilience. Documenting a comprehensive response plan lets the organisation react to and contain an intrusion faster. The plan should include testing your ability to rapidly wipe malware and restore AD backups to a trusted state. Remember that adversaries will try to compromise backups, whether by encrypting or deleting them or by planting their own persistence in them so that a restore brings them back into your environment; backups therefore need to be kept offline or immutable and verified before they are used.
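The "trusted state" in the paragraph above has to be something you can check, not something you assume. The example below is added here and is not code from the article or from any vendor; it hashes every file in a backup set into a manifest, authenticates the manifest with an HMAC key that is assumed to live off the domain (a constructed 32-byte key here; in practice an offline secret that a domain admin compromise cannot reach), and refuses a restore if any file was modified, removed or planted. The walkthrough in `demo()` uses a temporary directory with constructed placeholder files standing in for the directory database and registry hive.

```python
"""Verify an AD backup set against an offline-signed manifest before restoring it.

Added example, not the article's or any vendor's code. The backup files and
the HMAC key are constructed; the key must be held off the domain, because a
key stored beside the backup proves nothing (whoever can alter the backup can
re-sign it too).
"""
import hashlib
import hmac
import json
import os
import tempfile


def hash_file(path):
    """SHA-256 of a file, read in 1 MiB chunks so large hives do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(backup_dir):
    """Map each file's path (relative to backup_dir) to its SHA-256."""
    entries = {}
    for root, _, files in os.walk(backup_dir):
        for name in files:
            full = os.path.join(root, name)
            entries[os.path.relpath(full, backup_dir)] = hash_file(full)
    return entries


def sign_manifest(manifest, key):
    """Return (canonical manifest bytes, hex HMAC-SHA256 tag over those bytes)."""
    body = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return body, hmac.new(key, body, hashlib.sha256).hexdigest()


def verify_backup(backup_dir, manifest_body, tag, key):
    """Return (ok, problems). Fails closed on a bad tag or any file change."""
    expected = hmac.new(key, manifest_body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return False, ["manifest signature invalid"]
    recorded = json.loads(manifest_body)
    current = build_manifest(backup_dir)
    problems = []
    for rel, digest in recorded.items():
        if rel not in current:
            problems.append(f"missing: {rel}")
        elif current[rel] != digest:
            problems.append(f"modified: {rel}")
    for rel in current:
        if rel not in recorded:
            problems.append(f"unexpected: {rel}")
    return not problems, problems


def demo():
    """Constructed walkthrough: sign a fake backup set, then tamper with it."""
    key = bytes(range(32))  # constructed stand-in for the offline key
    with tempfile.TemporaryDirectory() as d:
        os.makedirs(os.path.join(d, "NTDS"))
        with open(os.path.join(d, "NTDS", "ntds.dit"), "wb") as f:
            f.write(b"constructed directory database\n")
        with open(os.path.join(d, "SYSTEM"), "wb") as f:
            f.write(b"constructed registry hive\n")
        body, tag = sign_manifest(build_manifest(d), key)
        clean = verify_backup(d, body, tag, key)
        # Attacker alters a hive and plants a script in the backup set.
        with open(os.path.join(d, "SYSTEM"), "ab") as f:
            f.write(b"persistence\n")
        with open(os.path.join(d, "restore.ps1"), "wb") as f:
            f.write(b"# planted\n")
        tampered = verify_backup(d, body, tag, key)
        # Attacker re-signs the altered set with a key they control.
        forged_body, forged_tag = sign_manifest(build_manifest(d), b"attacker-key")
        forged = verify_backup(d, forged_body, forged_tag, key)
    return clean, tampered, forged


if __name__ == "__main__":
    for label, result in zip(("clean", "tampered", "re-signed"), demo()):
        print(label, result)
```

The manifest and its tag are produced at backup time on a system the attacker is not expected to own, and checked at restore time from the offline key. The re-signing case in the walkthrough is the one that matters: an attacker with the backup can always produce a fresh, self-consistent manifest, so the check is only as good as the secrecy of the key used to verify it.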
Finally, don’t forget to test that incident response plan via real-world attack scenarios and tabletop exercises. These exercises should include all key stakeholders from across the business - because, as discussed, resilience is not just a matter for IT. If everyone knows what they should be doing when a real incident strikes, recovery efforts will be faster and more effective.
With this kind of resilience-first mindset in place, cyber-security is no longer a cost centre siloed in the IT department. It’s understood by everyone as critical to the mission.
When leadership embraces resilience, you can break down organisational barriers, advance the protection of critical systems, and deliver business continuity, positioning cyber-security at the very heart of business operations.
Simon Hodgkinson is a strategic adviser at Semperis. He will be speaking at TeissLondon2025 Resilience, Response & Recovery on Thursday 18 September at 11:30am
Main image courtesy of iStockPhoto.com and narvo vexar
© 2025, Lyonsdown Limited. teiss® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543