Insights
Consultancy Services Team
16.07.2025
Hacking, phishing, ransomware, and distributed denial-of-service (DDoS) attacks can spell disaster for organisations causing service disruption, reputational damage, as well as significant fines from regulators for the loss of personal data.
In 2019, British Airways was fined more than £183m by the UK’s Information Commissioner’s Office (ICO) after customer data was compromised in a cyber-attack.
In May 2025, Marks & Spencer made headlines for all the wrong reasons. The iconic retailer announced that a cyber-attack had cost the company £300 million in lost profits.
It’s one of the clearest signals yet that no business is immune.
At FDM, we believe the question is no longer if an attack will happen, but when. And more importantly, how prepared your business will be when it does.
Today’s cyber landscape demands more than just firewalls and antivirus software. It calls for a strategic, organisation-wide approach—one that’s built around resilience, awareness, and capability. That’s why we work with businesses to help them evolve their cyber readiness, not just through technology, but by embedding skilled professionals directly into their teams.
The changing nature of cyber-attacks
Cyber-attacks have evolved into an industrialised, on-demand service. The M&S breach was linked to Dragon Force, a cybercrime group that offers its hacking tools to others, effectively turning ransomware and digital extortion into a subscription model.
For a fee, almost anyone can launch a targeted attack using advanced malicious software and pre-built websites.
Research shows 72% of organisations experienced ransomware attacks in the past year, with average recovery costs hitting £3.3 million. While 42% were able to recover within a day, a worrying 5% took more than two weeks. Despite the risks, nearly half of the affected businesses still chose to pay the ransom.
These tactics mark a departure from the more contained, one-off breaches of the past. Today’s attacks are scalable, targeted and devastating—often blending social engineering with technical exploits to breach defences.
According to Sawan Joshi, FDM’s Group Director of Information Security, the engagement of localised gangs has aided the con.
“For years it’s been a foreign voice with an accent—not now. A cybercrime organisation will research the company and, in the opening conversation on a call, discuss a recent charity run, for example. Also with AI, we are seeing more attempts at voice cloning… impersonating a supply chain member is a very concerning, growing attack source.”
Why the business-as-usual approach no longer works
Many companies still approach cybersecurity as an IT department concern—an issue to be solved with tools, software and firewalls.
But that mindset no longer fits today’s landscape. Cybersecurity is a business resilience issue. A successful cyber-attack can leak sensitive data and destroy customer confidence.
Sawan says, “For many years, operational resilience hasn’t moved past boardroom exercises and tabletop discussions. Cybersecurity is often applied as a solution when there’s a budget, but the answer is not a solution—it’s a design. A business resilience design that matches protection, response and recovery capabilities of technology with people in a way that makes recovery an operational metric that’s continuously improving.”
Cyber resilience vs. cybersecurity: What’s the difference?
Whilst cyber security prevents attacks, cyber resilience is the capability to bounce back from an cyber-attack. Both are equally important functions within an organisation’s defence framework.
“Cyber resilience allows clients to understand their risk posture and then apply the right amount of cybersecurity to their organisation by building walls, locking systems down, and preventing breaches before they happen. Says Sawan.
How businesses can future-proof against cyber threats
A survey found 46% of remote workers were compromising data security, highlighting ongoing challenges of data protection in hybrid work settings. Supply chains and third-party vendors introduce new risks. And without staff training, even the most sophisticated security systems can be undone by a single click on a malicious link.
Four steps to future-proof your cyber defence strategy:
- Conduct a full cybersecurity assessment
“Identify and classify all organisational assets, optimise technology costs and simplify complex architecture. Then review and improve it at a cadence, just like how a management system is audited”, says Sawan.
- Implement AI-driven monitoring tools
Modern threats require modern tools. AI tools like Senseon can detect anomalies, flag suspicious behaviour, and respond to them.
- Train your entire workforce—not just IT
Everyone from interns to C-suite executives needs to understand basic cyber hygiene. Real readiness comes from a culture of security.
- Develop incident response playbooks
When a cyber-attack hits, seconds matter. Playbooks ensure your team knows what to do, who to notify, and how to contain the damage.
As Sawan puts it:
“Test your recovery capabilities—how long does it take to recover and to what point in time? This is known as RPO/RTO. Ensure backups are immutable and replicated with a time lapse.
How FDM can support
At FDM, we believe the most powerful line of defence is people. That’s why we work with organisations to build in-house cybersecurity capabilities, embedding our consultants into their teams to support long-term resilience.
We are empowering our IT Operations, Regulatory, Risk and Compliance practices with up-to-date objectives that matter to our customers—knowing what can affect them, what’s changing in the industry in terms of frameworks and global incidents. The foundation for this is training and continuously supporting our professionals in the field.
Cyber-readiness isn’t a destination. It’s a continuous journey of adapting, training and preparing. Businesses that invest in people-powered, proactive strategies will not only survive the next wave of cyber threats but also emerge stronger for it.
Is your business prepared for the new era of digital risk?