Resilience and the realities of cyber security futureproofing for 2025

More and more high-profile cyber incidents are hitting the media. To avoid the consequences of not being prepared, our international experts, Asam Malik and Jeffrey de Bruijn, outline the common mistakes made by organisations and some new approaches to build more resilience for the future.

A strategic approach to protecting businesses and its people needs to go beyond traditional security measures, and remain adaptable, scalable and robust enough to protect against emerging or unexpected cyber threats. 

Business leaders understand the importance of prioritising cyber security. However, many may still underestimate their own vulnerabilities, as well as the measures necessary to mitigate the risks they face. From our latest C-suite barometer, we can see that 62% of leaders believe their data is completely protected. Yet, when asked separately whether they’d experienced a significant data breach in the last year, 55% confirmed. 

This discrepancy highlights what might be a surprising reality: business leaders do not fully recognise the cyber risks their businesses face. As cyber threats continue to evolve, so must our awareness and solutions to protecting data and systems.  

Jeffrey de Bruijn

For businesses today, it’s no longer a question of if a cyber incident will occur, but rather when, and how impactful it will be. New regulations are now requiring futureproofing measures be put in place to maintain resilience and compliance – a move that emphasises the mentality and approach all organisations should be guided by.

Jeffrey de Bruijn Director, Forvis Mazars, The Netherlands

 

Realistically, futureproofing for cyber security in 2025 and beyond doesn’t mean preventing all incidents. Instead it means adopting a risk based approach and building resilience through leadership engagement, enhanced security measures, rigorous testing and applying a transformational mindset.  

 

Leadership engagement influences true transformation and necessary investment 

In 2023/24, more than 75% of C-suite leaders surveyed spent 20% or less of their IT budget on cyber security, despite how essential it is to the business. Recognising their prioritisation of measures against cyber threats, this highlights a potential weakness or area for considerable review. To influence any transformational change and increase protection measures (as well as budgets), it’s important to educate and engage all leaders to prioritise cyber security matters, as well as everyone in the business to implement them. 

Here are some of the best ways to improve engagement with cyber security measures and protocols: 

Have cyber security represented at the highest levels, such as a non-exec director or C-level executive with both business and cyber security expertise. 

Speak about cyber security in business terms, using business KPIs and finance metrics to illustrate cost, impact and ROI, and the unquantifiable reputational damage that may occur. 

Involve leaders in simulations and ‘red team’ exercises so they can better understand the impact of cyber incidents and have the experience required to handle them when they occur.  

 

Understand risk: a business-centric approach 

Cyber threats and incidents on some levels are inevitable, and threat actors are just as aware of regulatory measures as businesses are, it’s important to take a risk-based approach to cyber security rather than a compliance-based one. This means understanding what assets and processes are fundamental to business continuity and defining requirements based on protecting them. 

This risk-based approach allows businesses to prioritise cyber security and resilience without sacrificing digitisation or expansion efforts. While good friction and segmentation may be necessary to protect the “crown jewels” of the business, these decisions can be made in an informed way, with the reasoning easily articulated to business users. 

Asam Malik

Concentration risk is a real concern. Sometimes high-profile providers, who are meant to provide more assurances, actually end up creating more risk. However, each business must evaluate that risk against its operational needs.

Asam Malik Partner, Forvis Mazars, UK

 

Once the business-specific requirements have been identified, there are cyber security basics that should be in place at every business, such as: 

  • Proactive monitoring, management and review of technology. 
  • Centralised log management. 
  • Endpoint protection, including for remote endpoints. 
  • Good, clean firewalls with regular review and rulesets.  
  • Tech procurement policies and education around those policies. 
  • Principle of least privilege policies. 
  • A suite of regular independent penetration testing and red teaming. 
  • Tried and tested incident response procedures.  

It’s worth noting that new technologies can create new risks within the digital supply chain. The benefit of technology to enable these functions usually outweighs any risk created, so long as due diligence is conducted on suppliers. Especially in the case of monitoring, ‘always-on’ technology will be more thorough and more efficient than a team of cyber professionals could be. 

 

Strengthen resilience through simulation 

Many organisations undergo basic cyber security testing like simulated phishing campaigns or online courses, but the best possible way to test cyber security processes and measures is through live exercises and scenarios to change behaviours. This can (and should) include: 

Penetration testing – working with a third party for penetration testing will allow for more realistic findings and is less likely to be compromised by your internal team’s assumptions and knowledge. 

Simulations – running scenarios for likely (and unlikely) cyber incidents will highlight where security processes may need more redundancy or specificity to work well. 

Red team exercises – as productive as simulations can be when led by your security team,  authorised ethical hackers emulating real attacker tactics better reflect what a real-world cyber-attack would be like. Some businesses even undergo red team exercises completely unknown to the security team. This leads to the best possible insight on the level of preparedness and resilience the business has achieved. 

Asam notes: “The most effective way to improve cyber education and awareness in an organisation is to organise a red team. This can deliver a wake-up call without the business consequences of a genuine cyber incident.”

Regardless of the methods, test results should be shared with the business and its people. Not only does this highlight the role each person can play in keeping the business secure, but it also creates a culture of transparency and trust, which could be the difference between a devastating cyber-attack, and early detection and isolation of a threat. 

 

Cultivate a cyber aware workforce 

Education plays a pivotal role in building a resilient organisation. Workforce training should focus on collaboration with security teams, especially around procuring new solutions. Better informed, more cyber aware business partners are less likely to find workaround solutions and introduce unnecessary risk. They are more likely to uphold the processes and measures that are put in place. 

 

Evolving approaches to futureproofing: the importance of a transformation mindset 

Cyber threats evolve constantly. Digital supply chains change regularly. The weaponisation of AI to deliver cyber-attacks and cyber-crime operates at an industrial level, with a huge amount of resource behind it. Any cyber security approach needs to continue to evolve to work effectively in the long term and even in the medium term.  

In the same way businesses have adopted a transformation mindset regarding technology and operations, this mindset must extend to cyber security too. Constant monitoring, education and evolution takes resource and investment, but embracing this approach will help support the confidence leaders already exhibit. Futureproofing for cyber security in 2025 and beyond isn’t only about finding the right solutions; it’s about building a culture and approach that prioritises the evolution and resilience needed. 

Learn more in our latest report about futureproofing and cyber security solutions organisations should consider in 2025 and beyond: Securing digital supply chains: How cyber security drives resilience in business transformation

 

Key contacts