Hindsight: Exposing the Need for Proactive Cyber Security

“In hindsight, I should have prioritised cyber security”.

When a cyberattack occurs and companies find themselves in challenging circumstances, the immediate reaction is fixing the damage from the cyberattack - this includes processes such as restoring backups. Following such fixes, we often see these same companies implement cyber security measures to prevent any future cyberattacks. They realise, in hindsight, that they should have prioritised cyber security before they were attacked. We find that consequences such as costs and damage are drivers for change in cyber security; but with proactivity, these consequences can be minimised or avoided entirely.

Why Organisations Delay Cyber Security Measures Until an Incident Occurs

There are many reasons why businesses sometimes overlook or delay cyber security measures. One common challenge is a lack of resources. Specifically, time, money and employees can be scarce. Decision-makers acknowledge the resources required to implement cyber security measures, but frequently overlook how resource-intensive it is to deal with a cyberattack should they fall victim to one. In the event of an attack, not only will they have costs for containing the breach and repairing damage, but they will likely opt to implement cyber security measures out of fear of a future attack. This is something that, in hindsight, they should have implemented pre-emptively to avoid unnecessary costs and damage.

This leads to the next reason that decision-makers neglect cyber security: gambling. Do you fancy the odds that you will be one of the lucky ones who run a business for many years and never cross paths with a hacker? Most business owners would consider themselves rational, so why take the gamble on cyber security when the risks are so high and the costs can be astronomical? Every business owner should properly consider the very real risk of a cyberattack and prepare for all eventualities. Indeed, the UK government recently advised all households to prepare to be self-sufficient for at least 3 days in the event of a nuclear or cyberattack or even war – further reinforcing that the threat is real.

Some business owners are not gamblers, but just have a limited understanding of cyber risks. They may not realise the potential damage that could occur should they experience a cyberattack, or the likelihood of an attack. The concept of a cyberattack may seem distant and unlikely, but we know this is not true – 50% of UK businesses reported a cyberattack in 2024*. Such a lack of awareness and preparedness causes them to overlook essential cyber security measures or overly rely on basic security protocols.

The Consequences of Reactive Cyber Security

Reactive cyber security is the process of only making cyber security considerations following an attack or incident, as opposed to pre-emptively managing security.

Financial Consequences


The General Data Protection Regulation (GDPR) states that companies must use appropriate technical and organisational security to protect customer data. Should a company be found failing to do so, they can be fined either up to 4% of their annual global turnover or €20 million. Companies that experience data breaches may find themselves under scrutiny and investigation, to measure whether the breach could have been avoided and whether they have used best practices.


Even those companies that do not have sensitive data will have to dedicate resources to fixing damage should an attack occur. If the victim can fix it themselves, which is unlikely and may leave gaps in their security, this costs time. If they can’t fix it themselves, they must hire professionals, who may have to spend a significant amount of time ensuring no backdoors have been left behind by the attacker. This process can be costly and tedious.


If your organisation wants to identify the attacker or learn how they managed to successfully hack your systems, you must conduct digital forensics work. Digital forensics involves the investigation, analysis and interpretation of digital evidence found on computers, devices, and networks. This process can be labour intensive and therefore costly, particularly when outsourced, but is often necessary to learn from the attack and consequently prevent future ones.

Paying ransoms

Paying ransoms is never recommended. Cooperating with criminals sets a dangerous precedent, and there is no guarantee that the attacker will hold up their side of the deal. They may not decrypt your data, and they may leak it or sell it regardless of your payment. However, during ransomware attacks of a sensitive nature, sometimes businesses feel they have no choice. If the information is critical, extremely confidential, or impossible to recover, victims might pay the ransom. This can be extremely costly, as when attackers believe they have you cornered, they can demand any sum of money they deem fair.

Reputational Consequences

Should you suffer a cyberattack that leads to a data breach, you must disclose this data breach to the ICO within 72 hours. If this information goes public, it can lead to a lack of trust from shareholders, who no longer believe their investment is safe. Similarly, other external stakeholders such as business partners in your supply chain may hesitate to work with you in the future, knowing that you have previously suffered a cyberattack and that you may put them at risk inadvertently. Customers may also opt to avoid your services or products, as your reputation has been damaged – nobody wants to take the risk. An organisation’s reputation, it could be argued, is the most important asset that they own. Damage to this can have debilitating consequences.

Operational Consequences

Whilst repairing damage, patching holes, and restoring backups, your business operations may be forced to halt. This can lead to reputational and financial issues. Your customers, contacts and partners may go elsewhere with their business whilst your operations are halted, and some may never return. The damage seen from this could be irreparable, or at the very least significant.

Legal Consequences

Breach of contract

Some companies may find themselves in breach of contract should a cyberattack lead to sensitive or confidential information being leaked. This particularly applies to solicitors/law firms, where data breaches about their clients could result in serious consequences. Solicitors have a duty of confidentiality, with the Code of Conduct for Solicitors stating that the duty to preserve confidentiality is unqualified. This means it is a duty to keep the information confidential, not merely to take all reasonable steps to do so.

The Lessons That Can Be Learnt and Applied

After a cyberattack, companies realise that, in hindsight, they should have prioritised their cyber security. Those who are correctly advised don’t wait for hindsight – proactivity is the best approach in almost every situation. The risk of a cyberattack occurring is too high to be reactive.

You should realise the value in listening to experts and understanding their message. Experts have already seen how cyberattacks play out numerous times, and possess knowledge that can only be understood from real-world experience. If you listen and learn from the experts, you don’t have to experience the event - hindsight doesn’t have to be the driver to action, and regret can be avoided.
