A game of cat and mouse

For large organisations, cybersecurity is a constant battle against an evolving and increasingly sophisticated enemy. Fraudsters and hackers often seem one step ahead, exploiting vulnerabilities that companies are still trying to close. The pressure on Chief Information Security Officers (CISOs) and IT leaders is immense, as they must balance security, regulatory compliance, and customer trust – while knowing that a single breach can have devastating consequences. No wonder their mental health is now a common topic at security conferences.

Davies Hickman has been undertaking research in global IT and network security for many years, and consistent themes emerge from the executive interviews, quantitative research and advanced analysis that we conduct.

The inconsistency challenge: Security measures vary across industries

One of the biggest challenges large companies face is the lack of a consistent approach to cybersecurity. Some industries, such as financial services, have strict regulatory requirements and a well-established security culture, while others are still catching up. The 2024 Cybersecurity Workforce Report by Boston Consulting Group for the Global Cybersecurity Forum indicates that sectors like Financial Services, Technology, and Industrials face significant cybersecurity workforce shortages, underscoring the uneven distribution of cybersecurity preparedness across industries. This disparity creates weak points in supply chains and digital ecosystems, making even the most secure organisations vulnerable if their partners or vendors are not equally well-protected.

Experts in cybersecurity, when interviewed by Davies Hickman, say that within sectors there is also variation in the approaches to security of big companies. Some security teams are better prepared than others.

CISOs under pressure: The weight of responsibility

CISOs and security teams face relentless pressure from all directions. They must answer to executives demanding business continuity, regulators enforcing stricter data protection laws, and customers who expect their data to remain secure. The stress is amplified by a growing talent shortage in cybersecurity, making it difficult to recruit and retain skilled professionals to defend against ever-changing threats. As a consequence, colleagues in the wider enterprise can be unsure about the security team’s ability to protect the organisation from cyber threats.

Fraudsters are becoming more sophisticated by using AI

Hackers are not just using traditional attack methods anymore. Artificial intelligence (AI)-powered phishing scams, deepfake fraud, and ransomware-as-a-service are making it easier than ever for criminals to launch attacks. Many big companies are struggling to keep up, as their legacy security systems were not designed to handle such advanced tactics. The 2024 Verizon Data Breach Investigations Report reveals that stolen credentials were the initial action in 24% of breaches, emphasising the importance of addressing advanced tactics like AI-powered phishing.

While AI adds to the threats, it is also a way for large companies to improve their security through a range of new tools that extend the process of searching for vulnerabilities across operations. These technologies, increasingly dependent on AI themselves, offer support to security teams working across a range of processes including security operations centres (SOCs).

Third-party risks: The weakest link in security

Even if an organisation has robust security protocols, its data is only as safe as the weakest link in its supply chain. Many breaches occur due to vulnerabilities in third-party vendors, partners, or cloud service providers. Businesses are now realising that cybersecurity must extend beyond their own walls, requiring stricter vendor risk assessments and stronger contractual obligations for data protection. The Verizon report notes that 49% of breaches in the Europe, Middle East, and Africa (EMEA) region were initiated internally, suggesting high incidences of privilege misuse and human errors, which can be exacerbated by third-party vulnerabilities.

The cost of cyberattacks: More than just financial losses

A successful cyberattack can have long-term consequences beyond immediate financial losses. Brand reputation, customer trust, and employee morale can all take a significant hit. Companies are learning that investing in cybersecurity is not just about preventing fines and operational disruptions—it is about safeguarding the future of the business itself. At the same time, organisations face the challenge of knowing when to be transparent about security breaches and when openness will strengthen the position of hackers and criminals. This is not an easy balance, but over time transparency should win out to support customer and societal trust in the brand.

Incident response plans: Preparation is everything

No organisation is immune to cyber threats, so the ability to respond effectively is just as crucial as prevention. Many businesses are now prioritising comprehensive incident response plans, ensuring that employees know their roles in a crisis and that recovery efforts are swift and efficient. Regular simulations and cybersecurity drills are becoming best practice to prepare for the inevitable breach. Again, colleagues need to have confidence in the security team and its ability to deal with attacks and breaches.

Data breaches are more common than reported

While some cyberattacks make headlines, many others go unreported or are downplayed to avoid reputational damage. However, employees and consumers are becoming increasingly sceptical, with a growing belief that companies are not fully disclosing the extent of their data breaches. This eroded trust makes it even harder for organisations to rebuild confidence after an incident. Unfortunately, they may be right, as the 2024 Verizon Data Breach Investigations Report indicates that many breaches involve internal actors, highlighting potential underreporting or misclassification of incidents to avoid reputational damage.

Stronger regulations are forcing change

Governments worldwide are tightening cybersecurity regulations, imposing stricter penalties for non-compliance. Organisations must now take proactive steps to secure their networks, report breaches quickly, and demonstrate accountability. While this adds operational complexity, it also forces companies to invest in long-overdue cybersecurity upgrades. National infrastructure, when controlled by big companies, is a priority for investment in better security policy.

The rise of MFA, biometric and AI security solutions

Many organisations are turning to multi-factor authentication (MFA) and biometric authentication, such as fingerprint and facial recognition, to enhance security. AI-driven threat detection is also gaining traction, helping companies identify and neutralise risks before they escalate. While these technologies offer promising solutions, they also introduce privacy concerns and the challenge of balancing security with user convenience. For example, the University of South Florida’s establishment of the Bellini College of Artificial Intelligence, Cybersecurity, and Computing, following a $40 million donation, reflects the growing emphasis on integrating AI and cybersecurity to address advanced threats. The Bellini College’s focus on AI and cybersecurity aligns with broader industry trends in which businesses and governments invest heavily in AI-powered security systems to combat cyber threats proactively.

Cybersecurity is no longer just an IT issue

The responsibility for cybersecurity is expanding beyond IT departments. Employees across all functions must be educated in best practices, as human error remains a significant risk factor. From phishing awareness training to stronger password policies, organisations are realising that security is a company-wide effort, not just a technical problem. The calls to provide zero-trust solutions are strong, but CISOs know that ongoing training and proactive reminders are needed to ensure colleagues behave securely now and in the future.

Conclusion: A never-ending battle

For most big companies, cybersecurity is not a one-time fix—it is a continuous process of adaptation and improvement. The threats will keep evolving, and companies must stay ahead with stronger defences, better training, and a proactive approach to risk management. The question remains: will businesses be able to outpace the cybercriminals, or will they always be playing catch-up?

Jo Davies with Naomi Waheed.