Cyber Resilience in Focus: Building Resilience in 2025
The Bank of England's 2024 CBEST thematic report highlights the evolving cyber threats faced by the financial sector and emphasises the critical importance of operational resilience. The CBEST program, which marks its 10th anniversary, uses threat-led penetration testing to identify vulnerabilities in live corporate environments. This year's findings underscore a growing sophistication in cyber-attack strategies, requiring firms to enhance their preparedness to prevent systemic disruptions.
Key Findings from the CBEST 2024 Thematic Report
A key takeaway from the report is the need for institutions to improve their cyber hygiene, focusing on proactively identifying risks and remediation strategies. The testing revealed several areas where financial entities remain susceptible to common attack vectors, including outdated systems, weak access controls, and insufficient incident response frameworks. Furthermore, threat intelligence continues to show an increase in state-sponsored and organised cybercriminal activities targeting financial institutions.
The report also emphasises the importance of collaboration among firms, regulators, and third-party providers to share threat intelligence and best practices. Financial Market Infrastructures (FMIs) are urged to strengthen governance and resilience measures to safeguard critical operations. The findings emphasise that operational resilience is about both defending against attacks and ensuring swift recovery with minimal disruption.
While these findings primarily target the financial services sector, the strategies for enhancing cyber resilience are universally applicable and particularly crucial for small-to-medium enterprises (SMEs) across all industries. SMEs often face heightened vulnerability due to limited resources and expertise, making the adoption of robust cybersecurity measures even more imperative. By implementing these strategies, organisations of all sizes and sectors can significantly bolster their defences against evolving cyber threats, safeguarding their operations, data, and reputation in an increasingly digital landscape.
Next Steps for SMEs
For SMEs, prioritising cyber resilience across People, Process, and Technology will be vital going into 2025.
People
Make your people your first line of defence and make them question everything.
Invest in regular cyber awareness training and upskill teams to identify phishing and social engineering threats.
Adopt threat-focused cyber incident response that eradicates malicious actors and mitigates impact, with clear communication channels maintained throughout the response.
Aim for seamless and, where possible, automated containment once an incident has been detected.
Process
Establish robust cyber risk management and impact-based operational approaches with strong incident response plans, conduct penetration tests, and enhance risk monitoring. Key strategies that organisations can implement to establish robust cyber risk management and impact-based operational approaches are listed below:
Develop or enhance a comprehensive risk assessment framework: identify and document asset vulnerabilities, use threat intelligence from information-sharing forums, and determine the potential business impact of risk events. This helps prioritise risks and allocate resources effectively.
Create strong, flexible incident response plans and develop clear procedures for detecting, responding to, and mitigating cyber threats. Regularly update and test these plans to ensure swift and effective action during security breaches.
Foster a risk-aware culture by implementing cybersecurity training programmes and ensuring all employees know their risk management roles. Break down silos through a cross-departmental approach that aligns cybersecurity strategy with overall business objectives.
Technology
Adopt up-to-date security systems, implement zero-trust frameworks, and ensure third-party providers align with resilience standards. By focusing on these areas, SMEs can build stronger defences against emerging cyber risks while fostering operational continuity.
The critical technology areas for reducing cyber security risk to assets and individuals are the following:
Restrict overly permissive access controls
Maintain robust credential hygiene practices
Enforce multi-factor authentication (MFA)
Strengthen controls around privileged access management
Protect credentials and remediate any exposed credentials
Strengthen network and service segmentation
Enhance effective infrastructure monitoring
Improve detection of adverse events and close monitoring gaps
In today's rapidly evolving digital landscape, small-to-medium enterprises (SMEs) face unique cybersecurity challenges that require tailored solutions and expert guidance. Partnering with a security services company that truly understands your business needs and priorities can make all the difference. A transparent partnership fosters trust, ensuring that you are aware of the strategies being implemented and confident in the security measures protecting your valuable assets.
By choosing a partner committed to your success, you empower your organisation to navigate risks effectively and focus on growth, knowing that your cybersecurity is in capable hands. Embrace the opportunity to enhance your resilience and safeguard your future with a trusted security ally.
By CISO Insights