Cyber Resilience: The Real Measure of Security

Is my organisation truly resilient to cyberattacks, not just in theory, but in practice?

It’s a question I hear more often now than ever before. And with good reason.

Everyone knows the cybersecurity fundamentals: install patches, train your people, use strong passwords, enable multi-factor authentication. The basics matter, but 2025 has shown us, repeatedly, that prevention alone is no longer enough.

Breaches will happen. Outages will happen. The real test is how quickly and effectively you can recover.

The numbers are sobering. Reported cybercrimes in the UK alone reached an estimated 8.58 million in the past 12 months (Cyber Security Breaches Survey 2025, Gov.uk). That means for most organisations, the question is no longer “will we be targeted?” but “when it happens, can we contain the impact and keep operating?”

Security vs. Resilience

The distinction is critical. Security asks: “How do we stop attacks getting in?” Resilience asks: “What happens when they do?”

True cyber resilience is the ability to absorb shocks, adapt under pressure, and limit disruption to business operations, even during a major incident. It’s not just about having technology in place; it’s about planning, practising, and building a culture that functions under fire.

And in 2025, we saw two high-profile examples that demonstrate the difference this makes.

When resilience is missing: M&S

In April 2025, M&S appeared to have been hit by two of the most sophisticated threat actors operating today, Scattered Spider and DragonForce (as suggested by CultureAI). According to BBC News, attackers impersonated staff and convinced service desk agents to reset passwords, gaining access to critical systems.

The disruption was severe: online clothing and homeware orders were suspended, and automated systems, price updates, and inventory controls were taken offline. According to Connect Cef Pro, Bank of America analysts estimated losses of £40 million per week in revenue. By the time the news broke, an estimated £750 million had already been wiped from M&S’s market value (The Guardian, 2025).

M&S undoubtedly has sophisticated cybersecurity policies. But when it mattered most, the organisation couldn’t recover once serious disruption took hold.

When resilience is practised: The Co-op

Around the same time, the Co-op was reported to have been targeted by the same attackers. As reported by CultureAI, a social engineering attack enabled threat actors to reset an employee’s password and breach the Co-op network.

The Co-op admitted that during the attacks, hackers had extracted personal data on a “significant number” of current and past members. Subsequently, Co-op stores around the country faced shortages and empty shelves, with some stores experiencing issues with contactless payment (The Independent, 2025).

However, most significantly, it is thought that the Co-op shut down parts of its IT systems, limited internet access, and implemented measures such as requiring cameras on during meetings, banning call recordings, and verifying participants' identities.

Astonishingly, the hackers sent a letter to the BBC angrily explaining that Co-op’s IT team “yanked their own plug, tanking sales, burning logistics, and torching shareholder value.”

Available reporting suggests that early anomaly detection and incident protocols may have helped the Co-op contain the attack more effectively before it spread.

What this tells us about resilience

The Co-op’s example shows that resilience isn’t a static policy. It’s a muscle you build and exercise, so that when disruption comes, people know exactly what to do. That means:

  • Understanding critical assets and their interdependencies.
  • Monitoring in real time for anomalies.
  • Empowering teams to act immediately when thresholds are breached.
  • Rehearsing recovery, not just documenting it.
  • Restoring from clean, isolated backups with full confidence.
  • Evolving capabilities in line with technology and threat landscapes.

Done right, resilience becomes second nature, a series of actions carried out instinctively, not a checklist someone has to dig out mid-crisis.

Why it’s worth the investment

The UK’s National Cyber Security Centre reports that significant cyber incidents rose by over 50% between 2023 and 2024 (NCSC, 2024). In response, the UK government is introducing a Cyber Security and Resilience Bill, which will require organisations to report major incidents and demonstrate robust recovery capabilities.

Research from Deloitte shows that organisations with well-practised resilience plans recover 60% faster from major incidents and suffer 40% less revenue loss. In today’s environment, where downtime can cost millions, resilience is no longer just best practice; it is a strategic advantage.

Forrester (2022) found that cybersecurity investments can generate a return of 179%, with ROI varying by focus area — 271% for investments in people, 156% in process, and 129% in technology. This value is driven by reduced downtime and loss, improved customer trust, and a more secure operational culture.

Strong cyber resilience doesn’t just protect the bottom line; it builds long-term relevance, profitability, and trust.

How we help build resilience that works

At Axiologik, we help organisations turn resilience from a buzzword into a lived capability. We work alongside internal teams to identify vulnerabilities, map critical systems, and design recovery plans that work in real-world conditions. We help teams rehearse for the worst, so they can act decisively when it matters most.

Our approach blends deep technical knowledge with real-world delivery experience, ensuring resilience isn’t just an IT concern, but an organisation-wide capability.

Because resilience isn’t just about bouncing back. It’s about keeping going, adapting under pressure, and emerging stronger.
