Risk management

Not if but when: Why measuring cyber resilience matters

October 26, 2025
14 min read

In recent weeks, Overcyte has spent time with European CISOs discussing the challenges facing security teams in an ever more hostile operating environment.

Probably the clearest takeaway: organisations must frame their cyber security efforts not on the basis of if a cyberattack will happen, but when.

2025 has seen an alarming rise in high-profile cyber-attacks in the UK, with retailers, manufacturers, legal companies and airlines targeted.

In mainland Europe, the continuing Ukraine-Russia conflict has seen digital attacks escalate, with one report from vendor OpenText stating that "Europe became one of the riskiest regions in the world as geopolitical conflict carried over into cyberspace", and putting the infection rate in Europe at three to four times that in the U.S.

The latest report from ENISA, the European Union Agency for Cybersecurity, describes how state-aligned threat groups have intensified their long-term cyberespionage campaigns against telecommunications, logistics networks and manufacturing sectors in the EU:

ENISA Threat Landscape - October 2025

The impact of a ransomware attack against one airport software supplier just last month also highlighted systemic issues in the highly targeted transport sector, with reported incidents impacting both air and maritime operations in the region.

The NIS2 Directive, which extends cyber requirements across 18 critical sectors, should encourage organisations to improve risk management and incident reporting practices but progress to date has been slow.

Focusing on cyber resilience

As these attacks continue to make headlines and harm businesses globally, the question of when a cyberattack will occur has become a critical focus for many organisations.

Shifting organisational mindset from "if" to "when" underscores the need for a proactive and strategic approach to safeguarding digital assets based on an understanding of what matters most.

Common tactics include:

  • Building robust defences for organisational crown jewels
  • Implementing layered security measures to provide defence-in-depth
  • Continuously monitoring for potential threats and seeking to quickly detect anomalous activity
  • Planning adaptive responses that can address different attack types and scenarios across company and supply chains

Operational resilience principles

In 2025, organisations simply can’t prevent every cyber incident, so being able to minimise the impact is just as important as, or even more important than, preventing incidents from happening in the first place.

A modern mindset doesn't ask "How do we stop every attack?" but rather "How do we survive any attack?" Absorbing impacts and recovering rapidly is the primary goal of the World Economic Forum’s cyber resilience initiative:

WEF: Cyber-resilient organisations minimise the impact of attacks on goals and objectives

The organisation provides five key tips to help build cyber resilience:

  1. Recognise that "total cybersecurity" is not achievable - quantify your cyber risks with a loss magnitude measurement approach like FAIR across primary and secondary factors and then address those areas that matter most.
  2. Anticipate and plan for disruptions - an effective harm assessment will identify the organisation’s core strategic, operational, financial and legal priorities where readiness is planned.
  3. Embed cyber resilience within business processes - once priorities are documented, establish robust contingency measures for when systems fail. Events at AWS this week demonstrate why this is key.
  4. Safeguard confidential information - information governance is often relegated behind investment in security tooling but protecting your data holdings is critical to limiting the impacts of breaches.
  5. Learn from past incidents - every news story on the latest cyber-attack or system outage contains opportunities to learn and improve your organisational practices ahead of trouble starting.
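Tip 1 asks for a loss magnitude measurement approach like FAIR, spanning primary and secondary loss factors. The block below is an added illustration written for this article, not Overcyte platform code or official FAIR Institute material. It follows the usual FAIR-style Monte Carlo shape: threat event frequency, vulnerability (the chance a threat event becomes a loss event) and per-event primary and secondary loss magnitudes are each sampled from a PERT range, annual losses are simulated many times, and the resulting loss distribution is summarised and ranked against a loss tolerance so the scenarios that matter most rise to the top. All scenario names, ranges, currency amounts and the tolerance figure are constructed placeholders.

```python
"""FAIR-style Monte Carlo loss exposure estimate (added example, not Overcyte code).

Scenario figures below are constructed placeholders, not real risk data.
"""
import math
import random
import statistics
from dataclasses import dataclass


@dataclass
class Scenario:
    name: str
    tef: tuple          # threat event frequency per year: (low, mode, high)
    vuln: tuple         # probability a threat event becomes a loss event: (low, mode, high)
    primary: tuple      # primary loss per loss event, currency units: (low, mode, high)
    p_secondary: float  # probability a loss event also triggers secondary losses
    secondary: tuple    # secondary loss per event (regulatory, churn, legal): (low, mode, high)


def pert_sample(rng, low, mode, high, lam=4.0):
    """Draw from a modified PERT distribution, the usual way FAIR calibrated
    ranges (min / most likely / max) are turned into a sampling distribution."""
    if high == low:
        return low
    alpha = 1 + lam * (mode - low) / (high - low)
    beta = 1 + lam * (high - mode) / (high - low)
    return low + rng.betavariate(alpha, beta) * (high - low)


def poisson_sample(rng, lam):
    """Knuth's Poisson sampler; adequate for the small annual rates used here."""
    limit = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate_annual_losses(sc, trials=10_000, seed=0):
    """Return one simulated annual loss figure per trial for a scenario."""
    rng = random.Random(seed)
    losses = []
    for _ in range(trials):
        tef = pert_sample(rng, *sc.tef)
        vuln = pert_sample(rng, *sc.vuln)
        # Loss event frequency = threat event frequency x vulnerability
        n_events = poisson_sample(rng, tef * vuln)
        total = 0.0
        for _ in range(n_events):
            total += pert_sample(rng, *sc.primary)            # primary loss
            if rng.random() < sc.p_secondary:                 # secondary loss
                total += pert_sample(rng, *sc.secondary)
        losses.append(total)
    return losses


def summarise(losses, tolerance):
    """Summarise an annual loss distribution against a loss tolerance."""
    s = sorted(losses)

    def pct(q):
        return s[min(len(s) - 1, int(q * len(s)))]

    return {
        "mean_ale": statistics.fmean(s),   # annualised loss expectancy
        "median": pct(0.5),
        "p90": pct(0.9),
        "p95": pct(0.95),
        "max": s[-1],
        "p_exceed_tolerance": sum(1 for x in s if x > tolerance) / len(s),
    }


def rank_scenarios(scenarios, tolerance, trials=5_000, seed=0):
    """Rank scenarios by annualised loss expectancy, highest first."""
    rows = [(sc.name, summarise(simulate_annual_losses(sc, trials, seed), tolerance))
            for sc in scenarios]
    return sorted(rows, key=lambda r: r[1]["mean_ale"], reverse=True)


# Constructed placeholder scenarios (not real figures)
SCENARIOS = [
    Scenario("Ransomware via third-party software supplier",
             tef=(0.5, 2, 6), vuln=(0.05, 0.2, 0.5),
             primary=(200_000, 1_500_000, 8_000_000),
             p_secondary=0.6, secondary=(100_000, 1_000_000, 10_000_000)),
    Scenario("Phishing-led credential theft",
             tef=(20, 60, 150), vuln=(0.01, 0.03, 0.08),
             primary=(5_000, 40_000, 300_000),
             p_secondary=0.2, secondary=(10_000, 100_000, 1_000_000)),
]
LOSS_TOLERANCE = 2_000_000  # constructed annual loss tolerance

if __name__ == "__main__":
    for name, summary in rank_scenarios(SCENARIOS, LOSS_TOLERANCE):
        print(name)
        for key, value in summary.items():
            print(f"  {key:>20}: {value:,.2f}")
```

Reading the output, `mean_ale` is the figure to compare against control cost, while `p95` and `p_exceed_tolerance` show the tail the board actually cares about; re-running with a tightened `vuln` or `primary` range for a candidate control shows how much of that tail the control buys down.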

Learning from others

For highly regulated industries and sectors like finance, operational resilience principles are not new.

They're codified into documents such as those published by the Basel Committee on Banking Supervision, which address governance, operational risk, business continuity planning, mapping and documenting interdependencies, and ensuring through testing and crisis management planning that ICT systems are resilient and will function when required.

These principles are designed to help banks manage operational risks effectively and maintain critical functions during adverse events, and they can be applied to any organisation that wants to be ready for when an incident does eventuate.

Measuring readiness to respond

For security specialists at the World Economic Forum, "measuring cyber resilience requires moving beyond static assessments" and that's something that Overcyte excels at.

Our platform is designed to help reduce cyber risk by replacing traditional one-off assessments with a direct viewpoint into your security programme that provides for continuous assurance.

Understanding your security posture with a modern mindset focused on cyber resilience and operational readiness is key.

Help your team stay ahead of threats, audits, and regulatory requirements and talk to us today.
