UK businesses overestimating cyber resilience, leaving them exposed to disruption, says new research from NormCyber
88 percent claim above-average resilience despite evidence of slower recovery and board-level misunderstanding of cyber risk

UK organisations are operating with a false sense of confidence about their ability to withstand cyber incidents, according to new research from security operations specialist NormCyber, raising concerns about business continuity, economic resilience and the growing pressure of regulatory scrutiny.
The study, conducted by Vision One and based on interviews with 500 UK technology and security leaders, reveals a significant gap between perception and reality when it comes to cyber resilience. While most organisations believe they are well-prepared, many are relying on fragmented reporting, subjective assessments and incomplete data.
While 88 percent of organisations rate their resilience as ‘above average’ – an implausible figure that points to widespread overconfidence – real-world recovery outcomes tell a different story.
Among organisations that have either experienced a breach or conducted a tabletop exercise to test their incident response capabilities, 60 percent were significantly less resilient or experienced longer recovery than their score implied. In addition, only 37 percent believe their resilience scores accurately predicted their recovery performance.
Norm’s research shows that cyber risk is now firmly on the boardroom agenda, with 27 percent of organisations naming it their top risk and a further 52 percent placing it in their top three. Yet the research highlights confusion at senior levels about what resilience actually means.
More than half of respondents (54 percent) say leadership often conflates being secure with being immune to downtime, while just 39 percent believe their board can clearly distinguish between preventing an attack and maintaining operations during one.
This disconnect is further reflected in confidence levels, with 92 percent of senior decision-makers describing their resilience as above average, compared with 72 percent of operational teams, who are responsible for day-to-day security.
The research also reveals that the data required to accurately calculate cyber resilience is siloed across disparate tools and sources, including SOCs, SIEM, AV, email security, backup and cloud intelligence. Just 53 percent of technical leaders described their approach to managing cyber resilience as ‘data driven’.
There is also evidence that many organisations are taking a reactive approach to cyber resilience investment, with 74 percent of respondents saying spending is primarily driven by compliance requirements, 65 percent by security incidents, and 64 percent by external threats.
At the same time, half of organisations still rely on periodic assessments such as annual supplier audits and vulnerability checks, despite resilience being something that changes continuously as threats, systems and business operations evolve.
The findings also show that there is no recognised, consistent means of measuring how resilient a company is. Nearly all respondents (92 percent) agreed that a single, continuous resilience score linking technical performance to business impact would be very or extremely valuable.
Most organisations surveyed (79 percent) align with established cyber security and resilience frameworks, including Cyber Essentials, CAF, CIS Controls, ISO 27001, NIS2 and DORA. Around three-quarters (76 percent) adhere to more than one framework, with 20 percent aligning to four or more.
However, the research suggests that framework alignment alone is not giving organisations a complete or continuous view of resilience. Each framework has a different purpose and scope, meaning organisations may still be left with gaps in their understanding of operational readiness, recovery capability and business impact.
The National Cyber Security Centre’s Cyber Assessment Framework (CAF) is emerging as a likely foundation for future resilience measurement. CAF is expected to play a central role in helping companies meet the requirements of the upcoming UK Cyber Security and Resilience Bill, due to gain Royal Assent in late 2026. The framework should also place organisations in a stronger position to withstand growing AI threats, including deepfakes.
“When it comes to assessing their cyber resilience, businesses are basing their decisions on gut feel rather than empirical evidence,” said Paul Cragg, Chief Technology Officer at NormCyber. “Reporting is incomplete, sporadic and misunderstood, and the result is companies think they’re in a better position to bounce back from an attack than they really are, which could have worrying consequences for them and for the wider UK economy.”
Cragg continued, “This overconfidence isn’t the fault of individual businesses. Existing cyber resilience frameworks have different strengths and weaknesses. If your business follows one or two, you might think you’re in a strong position but it’s inevitable there will be gaps. If you follow multiple frameworks, the danger is your security team is overwhelmed by compliance, spending more time box-ticking than managing risk.”
Norm’s Cyber Resilience Score is a quantified metric that measures an organisation’s cyber health and its ability to withstand and recover from a cyber incident. Built on CAF, it is designed to give organisations a more accurate view of their resilience, enabling them to benchmark against peers, track and improve performance over time, and provide clear evidence of return on investment in security. For more information, visit the Norm Cyber Resilience Score page.
NormCyber commissioned Vision One to understand how UK organisations assess, communicate and govern cyber resilience at both leadership and operational levels. The research included 500 UK technology and security leaders from organisations with 500 to 5,000 employees and at least £100 million in annual revenue, across sectors including technology, financial services, manufacturing, retail and professional services. The research was undertaken across April and May 2026.
For further analysis of the findings together with actionable advice on how to measure and improve cyber resilience in the long-term, please download NormCyber’s new whitepaper ‘The Cyber Resilience Hallucination’.