Cybersecurity under threat: new study exposes 'security chaos'

For the report, a sample of 100 UK-based companies was surveyed. According to the findings, 53 percent of companies reported a specific incident of damage. 16 percent detected a hacker attack but claimed to have successfully defended against it. 23 percent of the companies contacted by Horizon3.ai were unsure whether they had been the victim of a cyberattack in the past 24 months. Only 8 percent of companies stated, "We are certain that we were not attacked."

Nearly Half of Companies Targeted by Two or More Cyberattacks

Nearly half of the companies (44 percent) were targeted by a cyberattack twice or more during the two-year period examined, according to the "Cyber Security Report UK 2024/2025.

"The true extent of the issue is likely far greater," warns Keith Poyser, Vice President for EMEA at cybersecurity firm Horizon3.ai, which conducted the study, pointing to the near quarter of respondents unaware of any cyberattacks. He continues, "With almost 20,000 new vulnerabilities in software identified by the European Union Agency for Cybersecurity (ENISA) in just one year, alongside the increasing complexity of IT and network environments, many organisations have lost sight of how vulnerable they truly are and how frequently they are targeted. There are numerous instances where attackers have silently infiltrated corporate networks for months, extracting sensitive data without being detected. It's only when an attack disrupts operations or a ransom demand appears that many companies become aware of the breach."

Downtime, Financial Losses, Legal Consequences, and Data Theft

According to the "Cyber Security Report DACH 2024/2025," 62 percent of the surveyed organisations experienced downtime due to a cyberattack over the two-year period examined. 42 percent (multiple answers were allowed) suffered financial losses as a result. 15 percent faced legal consequences, while data theft occurred in 35 percent of cases. Alarmingly, 54 percent of companies received a ransom demand to recover data encrypted by hackers.

Cybersecurity expert Keith Poyser is concerned: "Many executives, CEOs, and IT leaders seem unaware of the potential damage that cyberattacks can cause to their organisations. The consequences can escalate exponentially, negatively impacting every part of the organisation. Both the financial losses and the resources required for recovery can inflict significant harm. UK companies working with EU partners must also be aware that they are subject to European regulations like NIS2 and risk operational disruptions if they fail to meet cybersecurity compliance standards."

Key Executives' Lack of Understanding of Risks and Their Personal and Corporate Impact

The participants selected for the survey predominantly hold responsible positions within their companies: IT team leaders (21 percent), Chief Information Security Officers (18 percent), Chief Technology Officers (14 percent), Chief Information Officers, and IT Managers (12 percent each). "According to the survey, more than half of the executives who would be personally affected in the event of a cyber incident do not believe they could be held liable for potential damage," says Keith Poyser, highlighting the lack of understanding among key executives about the risks and their potential personal and corporate impact.

The cybersecurity expert warns: "Organisations must urgently step up their efforts on cybersecurity. With artificial intelligence driving increasingly rapid and aggressive cyberattacks, and the growing use of remote work and the increase of Internet of Things (IoT) devices being connected to corporate networks, the opportunities for threat actors are expanding. The gap between the growing threats and the level of protection organisations have in place is widening at an alarming rate."

Keith Poyser advises organisations to "conduct penetration tests frequently to continuously assess their cyber resilience." A penetration test involves a company-commissioned simulated attack to identify security vulnerabilities. In the financial sector, the European banking regulator regularly conducts penetration tests, known as "stress tests," to assess financial institutions' ability to defend against cyberattacks. "I recommend that every board member, CEO, and IT leader across all industries subject their company to such a rigorous test," says the Vice President for EMEA at Horizon3.ai, whose company operates NodeZero, a platform aimed at making these penetration tests accessible and affordable for mid-sized organisations.