Cyber Insecurity in Finance: Why Digital Resilience Must Become a Boardroom Priority

By Chris Dimitriadis, Chief Global Strategy Officer, ISACA

Recent cyber attacks on major UK retailers have made national headline news, giving business leaders a wake-up call. In the financial sector, which plays a key part in the wider economy and affects day-to-day life, the risks are especially pertinent.

These high-profile attacks show how fast cybersecurity can escalate from being low on the agenda to a business-critical crisis. The financial sector cannot afford to treat such events as isolated. They reflect a broader problem: rising cyber insecurity and a lack of embedded digital resilience across much of the corporate landscape.

The financial sector is underprepared for rising threats

While incidents like these raise awareness, too many businesses still fail to treat cyber resilience as a strategic priority. ISACA’s recent research reveals persistent gaps, particularly around data protection – a core concern for finance professionals.


Our State of Privacy 2025 report shows that just 38% of business leaders feel confident in their ability to safeguard sensitive data. This is particularly striking given the volume and sensitivity of customer data managed by financial institutions. And the damage extends beyond the immediate economic impact – Hiscox’s latest Cyber Readiness survey found that 47% of breached companies had difficulty attracting new customers, proof that reputation is a crucial business concern.

Meanwhile, cyber risk is rising. ISACA’s State of Cybersecurity 2024 study found that a worrying 58% of professionals expect their organisation to experience an attack in the coming year. Attacks are growing in sophistication, often exploiting not just technology but also human behaviour. In recent high-profile attacks, hackers gained access via human error, demonstrating how even well-resourced organisations remain vulnerable to basic lapses.

Many firms still see cybersecurity as a technical issue, rather than a fundamental element of business resilience. That mindset must change.

Cybersecurity is everyone’s responsibility

Financial professionals are familiar with managing risk, but many aspects of cyber vulnerability continue to fall in the domain of IT teams. In reality, every employee, from senior leadership to front-line staff, plays a role in an organisation’s cyber protection.

Yet many organisations remain underprepared. According to ISACA’s State of Cybersecurity 2024 report, 61% of cybersecurity professionals say their teams are understaffed, and over half (52%) report being underfunded. This shortage of capacity often means essential training and awareness efforts across the wider organisation are deprioritised, leaving businesses more vulnerable to social engineering and human error, two of the most common attack vectors.

This lack of preparedness not only increases the likelihood of a successful attack; it also makes recovery harder. Rebuilding trust, securing operations, and restoring continuity all depend on a workforce that’s equipped and informed.

This is especially important in an era of digital dependence. Financial institutions are increasingly integrated with vendors, cloud services, and partner platforms. A single weakness in the supply chain can compromise multiple organisations. Resilience is no longer just an internal concern; it’s a shared responsibility across the ecosystem.

Audit reform must account for cyber risk

For the UK’s financial sector to become genuinely resilient, we need structural reform, starting with how organisations are held accountable for managing digital risk. That’s why ISACA collaborated with the Chartered Institute of Internal Auditors and other key signatories to write to the Secretary of State for Business and Trade earlier this year, calling for cyber risk to be incorporated into audit legislation.

Currently, corporate audits still fail to consider cybersecurity as a core area of business risk. Expanding audit frameworks to include digital threats would improve visibility and assurance while embedding a culture of proactive risk management across organisations.

This would bring the UK into line with global peers. In the US and EU, new frameworks are already being developed to standardise cyber governance and improve accountability. The UK must keep pace to remain competitive, resilient, and trusted.

Building resilience before policy catches up

While legislative reform is essential, businesses shouldn’t wait to act. Tools like the UK’s Cyber Governance Code of Practice, mapped to ISACA’s COBIT framework, offer an accessible starting point. This guidance gives leaders clear actions to follow to integrate digital vulnerability into core operational strategy.

More broadly, investment in training, cross-departmental collaboration, and improved audit capability will be key. Cybersecurity must be understood as a strategic business priority – one that supports technological innovation, protects assets, and strengthens consumer trust. To justify stronger budgets, return-on-investment calculations should use more data from the industry, linking cybersecurity not only to risk mitigation but also to competitiveness, as digital has become a key influencer of customer trust.

The message for financial organisations is simple: continually improving resilience is key. This is a regulated industry which is no stranger to cyber controls, but at the same time, it is a prime target for adversaries who use increasingly sophisticated techniques to achieve their aims. In an age of cyber insecurity, those who lead on trust and preparedness will be best placed to thrive.
