


Bringing cyber-attack out of the shadows

It’s time to change the narrative surrounding cyber-attack

There were 462,000 businesses in the UK last year that had a cyber-attack – that’s one every single minute.

Published: 03/01/2024

Let’s remove the stigma associated with cyber-attack and concentrate on the steps we can take to prevent and mitigate them.

By Tom Yoxall, Commercial’s IT Operations Director.

Is it just me, or have you also noticed a potentially misleading narrative in the almost daily news we’re seeing about cyber-attack?

I only ask this because I feel there appears to be an imbalance in many of the stories being told, with too much focus on what the victims haven’t done or, worse still, on apportioning blame.

Don’t get me wrong, there are definitely instances where organisations haven’t done what they should have to protect themselves.

But the reality is that cyber criminals are performing an increasing number of cyber-attacks – we’re dealing with people who are simply hell-bent on getting access to your network, stealing your data, and holding you to ransom.

Blame isn’t going to solve that problem. What will is working smartly to understand what you do to deal with the inevitable attack, and having a plan in place when the worst happens.

By talking frankly, rather than feeling embarrassed, I believe we can remove the stigma currently associated with attacks, move away from the negative and start to concentrate on the positive steps we can take together.



One cyber-attack every minute

Let’s put this into a bit of context. UK Government statistics for 2023 show that 32% of businesses have reported an attack in the last 12 months. And while not every cyber-attack is successful, it does mean that more than 462,000 businesses were targeted in the year – a figure that works out at one cyber-attack every single minute.

Add in the fact that 40% of those attacked said it had happened more than once a month, while 21% said it was something they were dealing with once a week, and you can see that it’s no longer a case of if you’re attacked – it’s going to be when.

And it’s not a case of the movie stereotype hacking mastermind sitting around a bank of computers typing in a company’s name and seeing if there’s a weakness somewhere they can exploit.

Most of these threat actors are automatically scanning the internet with sophisticated software, trying to find the most vulnerable organisations to attack. And that means they aren’t worried about whether they’re targeting a big bank, a huge retailer or a multi-site law firm. Anyone and everyone is a target, so we all need to be ready.

Cyber-attack is nothing personal – so don’t play the victim

Perhaps the most important thing to realise is that an attack is not necessarily because you’ve done something wrong; it’s because someone with malevolent intent wants to hold you to ransom.

As with so many things in life, the first step is to admit that there may be a problem with your security posture – it’s only then that you can truly do something to stop it. Having the processes and systems in place to ensure that, when an attack occurs, you’re as safe as you can possibly be may mean the criminal bypasses you for an easier target elsewhere.

Then if the very worst does happen – and the unfortunate case is that we’re dealing with an increasingly sophisticated and ever-evolving cyber-attack – you are equally well set up to recover, quickly and safely.

Here are Tom’s top five tips for putting your plan in place.

If an attack is inevitable, then it is absolutely vital to have a plan in place to give your organisation the best chance of mitigating, and ultimately recovering from it.

Tom’s tips emphasise the proactive stance of anticipating and preparing for cyber attacks, rather than being caught off guard.

Having a comprehensive plan in place helps organisations respond promptly, minimise damages, and recover swiftly in the face of inevitable cyber threats.

Implement MFA:

Multi-factor authentication really should be a non-negotiable for us all. You probably have more than one lock on your front door, so why not have the same on your systems? MFA makes it harder for any criminal to gain unauthorised access to your user accounts and data, acting as a crucial first line of defence.

Mature Vulnerability Management:

A 2023 survey showed that only one in six companies had completed a cyber security vulnerability audit in the past year. The threat is ever evolving, so it’s vital your systems and processes do too. The only way to mitigate against any vulnerabilities is to understand where they are in the first place.

Air-Gapped Backups:

Having offsite air-gapped backups is an absolute must-have for organisations, allowing untampered backups to be utilised to aid recovery if necessary. While having an offsite backup is important, it’s equally crucial to test it so you are aware of any issues in advance of having to utilise it.

Have a cyber-incident response plan:

Having a well-drilled response plan plays a crucial role in determining how well, and how quickly, an organisation will recover. Ensure roles and responsibilities are known and documented, that you have details of your cyber insurance policy and third-party providers, and that you have a policy defined for whether to pay a ransom.

Cyber Insurance:

Cyber insurance will provide support in the event of an attack. This can include digital forensics and recovery, media and PR support, legal assistance in the case of data breaches and specialist services to assist with the recovery. It can extend to financial remedies for business interruption and even ransom negotiation.

If you fail to prepare… prepare to fail

It’s part of my job to be across the latest threats, to adapt to the latest developments in cyber security and use my first-hand experience of seeing what happens to organisations who aren’t adequately prepared for a cyber-attack.

It’s that experience that has got me thinking about the need to change the narrative, to talk about cyber-attacks in the open and, most importantly, dismiss the narrative that a cyber-attack is something to be embarrassed about.

If that feeling of blame, or of doing something wrong, is put aside, we can start talking frankly and honestly about what we can do, together, to mitigate against an attack. I will be happy to speak with you to pass on the benefit of my experience, and I can even ask my colleagues to run tests on your cyber security posture to understand if there are any immediate gaps to be aware of.

Because by finding the gaps, we can do something about them before a cyber-criminal does.
