
Cyber-security: cost or strategic necessity?

Jonathan Wright at GCX Managed Services challenges the “cost centre” perception of cyber-security


2025 will be remembered as the year when UK industry giants fell victim to a series of sophisticated, damaging cyber-attacks. Manufacturing giant Jaguar Land Rover, for example, saw its operations go down for several months, contributing to a £485 million loss, while an attack on Marks & Spencer almost wiped out their 2025 H1 profits.

 

However, despite the cost to these businesses dominating the headlines, too many businesses continue to treat cyber-security either as an afterthought or a cost centre. This is rooted in the fact that the value of cyber-security is naturally harder to quantify on an annual basis.

 

The cost centre mentality

Many boards still see cyber-security as an insurance policy, something you pay for and hope never to use. This perception is particularly common in sectors like retail and manufacturing, where high operating costs and tighter margins breed a climate of underinvestment. The opportunity cost of cyber-protection may also hold back expansion or innovation in other areas of the business.

 

Additionally, unlike most Software as a Service (SaaS) tools found in sales and marketing, cyber-security commonly lacks tangible KPIs. You cannot get a true measure of business value from KPIs like “attacks prevented” or “number of vulnerabilities patched”. After all, you might block thousands of low-level spam attempts, then fall victim to a single sophisticated attack that causes massive damage. These KPIs also don’t account for the previously successful attacks that may be lying dormant in your network waiting to be “switched on”.

 

When even the cyber-security sector is calling out the limitations of these common KPIs, it’s understandable how business leaders fall into the trap of viewing cyber-resilience as intangible and as a cost with no obvious return. This is a damaging mentality that breeds underinvestment, whether in advanced defences or human resources, which leaves businesses unequipped to deal with increasingly sophisticated cyber-threats.

 

The fact that cyber-attacks are in the headlines more than ever, and that major brands are losing hundreds of millions in revenue due to weakened operations, should be enough to shift this mentality. Unfortunately, this hasn’t proven to be the case, and these attacks will continue to happen unless that mentality changes.

 

Quantifying the value of uptime

To quantify the value of cyber-security, businesses must understand how it drives value.

 

Take uptime: the essential condition for generating revenue and profit. Using manufacturing as an example, factory production lines have become increasingly reliant on technology, and every minute of uptime translates directly into revenue. In retail, reliable connectivity for Internet of Things (IoT) devices is critical to keeping supply chains efficient, ensuring goods move seamlessly from the factory floor to store shelves.

 

However, the growing number of cloud-based applications and IoT devices that underpin operations makes securing operational uptime difficult. The challenge is that every device added to the network increases the attack surface. Securing this web of connected devices was easier when the IT infrastructure was built and maintained on-premises. But now that production lines, supply chains and dispersed workforces rely more on the cloud and IoT, the challenge for network security managers has exploded.

 

And the implications when it goes wrong are huge. Jaguar Land Rover lost hundreds of millions in revenue because its operations ceased to function after it was attacked.

 

Quantifying the value of your data

But it’s not just lost uptime that can cost a business. Many businesses hold personally identifiable information (PII) on their customers, suppliers, and employees and have legal obligations to keep it secure. In addition to a potentially significant loss of revenue, suffering a data breach can result in fines and further reputational damage, which add to the financial fallout.

 

The 2023 Capita data breach illustrates the enormous risk of exposing sensitive information. Hackers accessed the personal details of 6.6 million people, including financial and criminal record data, as well as information tied to over 600 pension schemes. In 2025, the ICO imposed a £14 million fine, but the fallout didn’t stop there. Law firm Leigh Day has launched a group legal claim on behalf of those affected, seeking compensation for financial loss and emotional distress. This case shows how the compromise of data alone can trigger regulatory penalties, litigation, and reputational harm that can linger for years.

 

Quantifying the remediation effort

When a cyber-attack hits, the financial impact goes far beyond paying a ransom or patching a vulnerability. Rebuilding compromised IT systems often involves forensic investigations, replacing hardware, restoring backups, and implementing new security architectures, often while operations remain disrupted.

 

The 2025 Marks & Spencer cyber-attack shows how devastating rebuilding costs can be. The retailer reported it expected around £136 million in direct expenses for recovery and professional services, while statutory profit before tax collapsed from £391.9 million to just £3.4 million in the first half of the year. Even with an anticipated £100 million insurance payout, the breach wiped out nearly all profits and forced a major technology overhaul, highlighting how a single incident can derail financial performance and trigger long-term operational challenges.

 

Value-based measurement

If business leaders want their operations, data and bottom line to be resilient to cyber-attacks, they need to start seeing airtight security as a growth driver rather than a cost centre. That means looking at cyber-security through the lens of the value it protects and what it allows you to do.

 

Common cyber-security KPIs are not resonating with businesses. It’s critical to shift towards metrics that leaders can understand, such as contrasting the cost of sophisticated cyber-defences with the financial consequences of a cyber-attack. For example, what is the cost to a factory of going offline for ten minutes, an hour, or even a month? How does that compare to shifting from legacy network security practices to modern cloud-based platforms, like SASE, that simplify operations and reduce the risk of downtime?

 

For example, one area of monetary benchmarking is cyber-insurance, which has developed rapidly over the last decade and is quickly becoming one of the drivers for improved industry spend and compliance. Rewarding good practice with lower premiums and mandating minimum viable controls for cyber-insurance eligibility helps to focus company spend to a certain degree. However, it is a long way from being a proxy for justifying detailed spend and the cost-benefit analysis of incremental cyber-security spend against incremental development elsewhere within a business.

 

Cost or strategic priority?

To transform cyber-security from a perceived "cost centre" into a strategic priority, businesses must shift from technical KPIs to value-based metrics. By framing cyber-security as revenue protection, leaders can quantify the value of uptime in an IoT-driven world where downtime equals immediate financial loss. Moving past the "insurance policy" fallacy, where security is treated as a passive expense, is essential to avoid the long-tail liabilities seen in major 2025 breaches. The true costs include years of litigation, regulatory fines, and irreparable reputational damage that simply aren’t worth the risk. It’s time for the industry perception of risk to change.

 


 

Jonathan Wright is Chief Product Officer at GCX Managed Services

 

Main image courtesy of iStockPhoto.com and porcorex


© 2025, Lyonsdown Limited. teiss® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543