
Another case for cyber-security investment

Mike Lawrence at Protiviti outlines the evolving risks of cyber-threats to UK organisations

 

The prevalence of recent cyber-security attacks and the damage they have caused is staggering; one estimate puts the toll on UK businesses at over £44 billion in the past five years. While the scale and coverage of attacks are increasing, the challenge of directing the necessary capital to prevent cyber-security incidents is as old as the concept of ‘cyber-security’ itself.

 

Despite considering it the second most important risk to address, leaders (especially non-cyber-professionals) often feel ‘stuck’ and confused about how much to invest, where to invest, and when to do so. Meanwhile, cyber-professionals are equally frustrated that their requests for additional support don’t result in change.

 

This piece sets out why cyber-investment is worthwhile and guides professionals on how to persuade leaders to make sufficient investment.

 

Your house

Let’s imagine a business as a house. This isn’t just any house; it’s a house that everybody knows about and that actively encourages people to step inside and look around, hoping they’ll buy something. People also know, roughly (sometimes precisely), how much money passes through the house, how much is kept in the safe, what kind of information is held about the people who visit, and which secrets are stored there (Coke’s original recipe, for example, is valued at a cool $488 billion).

 

All of a sudden, this sounds like an enticing house to visit, especially to would-be criminals looking to make money or a name for themselves.

 

Fifty percent of all businesses surveyed by the UK government reported a breach in 2024 and 74% of large businesses reported one in 2025. 

 

The question is not whether we can prevent every incident; it is how to prevent the worst ones and, when they do occur, how to recover as quickly as possible while keeping the house open to customers.

 

Whilst most companies will experience an incident, there are risk factors that make certain businesses more vulnerable than others.

 

Business profile

It’s no surprise that a business known for keeping sensitive, valuable data such as credit card details, health information, patent info, or sensitive market information will be a higher profile target.

 

Similarly, does the business in question provide services for well-known, high-profile companies? Attackers are increasingly targeting providers whose systems or accounts are integrated with their customers’. We have seen this time and time again, and it is a driving factor behind the recent regulatory developments on operational resilience.

 

Back to our original question – why does all this matter?

 

Why is investment worthwhile?

Even companies that are focused on security often learn that greater investment, whether general or domain-specific, is financially prudent. Marks & Spencer was one of many recent victims in a series of high-profile incidents, suffering a loss of roughly £1 billion in market capitalisation and £300 million in profit, or roughly 34% of adjusted profits for FY2025. Though significant for any business, losses of this size are particularly difficult in a competitive, low-margin environment.

 

A 2024 study by an insurance broker estimated that implementing cyber-security basics in UK businesses could reduce incident costs by 75% (£30 billion) for the economy over a five-year window.

 

Think also about the human toll of an incident like the one M&S has just experienced: burnout in cyber-security teams is increasingly prevalent and is exacerbating an already acute talent shortage.

 

Finally, the regulatory environment is trending towards increased cyber-accountability for executives. In 2023, the U.S. SEC made board-level cyber-knowledge a requirement, mandating that public companies disclose how their boards oversee cyber-risk. For example, many boards ask for KPIs like patch compliance. What they should be asking instead is: ‘how long would we survive offline?’

 

Executive ignorance is no longer a defence in the US; Europe and the UK may choose to follow suit.

 

Persuading others

Whilst you may agree this investment is worthwhile, it often remains challenging to convince your peers and board that parting with short-term profit is good business.

 

Those trying to do so must communicate with the business in a way it understands. Typically, this involves some combination of talking about spending, opportunity cost, risk reduction, and impact on critical functions. Each of these can be further categorised into qualitative or quantitative measures.

 

Qualitative: This includes more classic methods of describing risks, typically in ‘RAG’ (Red/Amber/Green) terms. A slightly more nuanced view of this may try to attribute some kind of scoring or grade to denote ‘inside or outside of threshold’, and by how much. Qualitative indicators pair well with industry-recognised standards like NIST CSF and ISO 27001. By design, these are more relatable to less technical professionals. Qualitative terminology is very effective at establishing the need for change.

 

Quantitative: How much change, how fast, and how comprehensive? This is the harder piece to define; quantifying the return on cyber-investment is tricky, because you are justifying spend to prevent something that might happen. But businesses do this often when buying insurance or funding R&D. There are tools to help: frameworks like FAIR (Factor Analysis of Information Risk) can provide structure, help determine your ‘return on security investment’ (ROSI), and present it to the business in a way their finance teams will thank you for.

 

A less sophisticated but still impactful approach is to estimate how much an incident could cost. What would one day of downtime cost your business? What happens to customer retention if sensitive data leaks? How likely is all of this with investment versus without?

 

The more your estimates reflect the cost structure of your business, the better.
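As an added illustration of the simpler approach just described (example code written for this page, not from the article or from Protiviti, and not an implementation of FAIR), the small Python model below turns the three questions into numbers: it samples a year many times with and without the proposed investment, estimates the annualised loss and its tail, and derives a return on security investment from the difference. Every figure in it is a constructed placeholder; the point is that the inputs map directly onto cost-per-day-offline, breach impact and incident likelihood, which is what lets a finance team check the assumptions.

```python
import random
from dataclasses import dataclass


@dataclass
class Scenario:
    """Inputs for one year of a business's exposure. All values are constructed examples."""
    annual_incident_prob: float      # chance of at least one disruptive incident in a year
    downtime_days: tuple             # (min, max) days offline per incident, sampled uniformly
    cost_per_day_down: float         # revenue and recovery cost for each day offline (GBP)
    breach_prob: float               # chance an incident also leaks sensitive data
    breach_cost: float               # notification, fines, churn and legal cost if it does (GBP)


def analytic_ale(s: Scenario) -> float:
    """Closed-form annualised loss expectancy for the same model as simulate_years()."""
    mean_days = (s.downtime_days[0] + s.downtime_days[1]) / 2
    return s.annual_incident_prob * (mean_days * s.cost_per_day_down + s.breach_prob * s.breach_cost)


def simulate_years(s: Scenario, years: int = 20000, seed: int = 1) -> list:
    """Monte Carlo sample of loss per year; a fixed seed keeps the run reproducible."""
    rng = random.Random(seed)
    losses = []
    for _ in range(years):
        loss = 0.0
        if rng.random() < s.annual_incident_prob:
            days = rng.uniform(*s.downtime_days)
            loss += days * s.cost_per_day_down
            if rng.random() < s.breach_prob:
                loss += s.breach_cost
        losses.append(loss)
    return losses


def mean(values: list) -> float:
    return sum(values) / len(values)


def percentile(values: list, p: float) -> float:
    """Nearest-rank percentile, e.g. p=0.95 gives a 'bad year' figure for the board."""
    ordered = sorted(values)
    return ordered[int(p * (len(ordered) - 1))]


def rosi(ale_before: float, ale_after: float, annual_control_cost: float) -> float:
    """Return on security investment: loss avoided net of the control's cost, per pound spent."""
    return (ale_before - ale_after - annual_control_cost) / annual_control_cost


# Constructed placeholder figures: a business that can expect an incident in half of all years
# today, and that halves that likelihood and shortens recovery by investing.
WITHOUT_INVESTMENT = Scenario(0.50, (1.0, 5.0), 20_000.0, 0.30, 250_000.0)
WITH_INVESTMENT = Scenario(0.25, (0.5, 2.0), 20_000.0, 0.10, 250_000.0)
ANNUAL_CONTROL_COST = 30_000.0   # hypothetical yearly cost of the proposed programme


def business_case() -> dict:
    """Summarise both scenarios in the terms a board asks about."""
    before = simulate_years(WITHOUT_INVESTMENT)
    after = simulate_years(WITH_INVESTMENT)
    ale_before, ale_after = analytic_ale(WITHOUT_INVESTMENT), analytic_ale(WITH_INVESTMENT)
    return {
        "expected_annual_loss_before": ale_before,
        "expected_annual_loss_after": ale_after,
        "simulated_mean_before": mean(before),
        "simulated_mean_after": mean(after),
        "bad_year_p95_before": percentile(before, 0.95),
        "bad_year_p95_after": percentile(after, 0.95),
        "rosi": rosi(ale_before, ale_after, ANNUAL_CONTROL_COST),
    }


if __name__ == "__main__":
    for key, value in business_case().items():
        print(f"{key:>28}: {value:,.2f}")
```

With these placeholders the expected annual loss falls from £67,500 to £12,500 for a £30,000 programme, a ROSI of about 0.83 (each pound spent avoids roughly £1.83 of expected loss). The 95th-percentile figure is the one worth pairing with the ‘how long would we survive offline?’ question, since an average hides the year that actually hurts.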

 

A unique investment

A business, like a house, is unique. And like any home, it requires investment in maintenance, in protection, and in planning for when something goes wrong.

 

Don’t let perfection be the enemy of progress; cyber-incidents are not abstract outcomes. It is a question of when, not if.

 


 

Mike Lawrence is a Director at Protiviti

 

Main image courtesy of iStockPhoto.com and Just_Super



© 2025, Lyonsdown Limited. teiss® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543