The Real Cost of a Breach: What Every Board Should Know
by Kaylie Watts
When high-street names like M&S and Co-op, as well as luxury retailers like Harrods, fall victim to cyberattacks, it is a clear indication that no sector is immune to such threats. The idea that cybersecurity is just a technical issue for IT to manage is outdated. In today's climate, it is a business risk that belongs squarely in the boardroom. Many organisations still do not fully understand the real cost of a breach, nor the strategic shift required to build true cyber resilience. This article examines the broader implications of a cyberattack and outlines the steps every leadership team should take now to mitigate the threat.
Beyond the Numbers: What a Breach Really Costs.
The financial impact of a breach is not limited to the ransom payment or the cost of a forensics team. UK businesses now face an average breach cost of over £3.8 million, and that figure excludes downtime, which can be even more damaging. Some estimates put the cost of downtime at over £4,000 per minute, so a single hour of disruption can cost around £240,000.
Add to that the potential fines under the UK GDPR, including for failing to report a personal data breach to the Information Commissioner's Office within 72 hours of becoming aware of it, and the reputational fallout from a poorly managed response, and the total cost quickly escalates.
Why Boards Still Get It Wrong.
Despite the headlines, many boards continue to treat cybersecurity as a compliance checkbox or an operational line item. Three common misconceptions need to be addressed:
- Cyber insurance is not a safety net. While insurance may cover some losses, it cannot repair reputational damage or recover lost customer trust.
- Compliance does not equal security. Meeting minimum requirements is not the same as being secure. Attackers do not care whether a control passed an audit; they look for the gaps the audit did not cover.
- Technology alone is not enough. Even with strong tools in place, breaches still occur due to human error and inadequate internal processes.
Another area often overlooked is cultural readiness. In many cases, teams are not trained or empowered to act during an incident. This leads to slow response times, internal confusion, and greater exposure.
Real Lessons from Real Incidents.
In one recent high-profile case, the attackers were not part of a foreign state or organised crime ring. They were teenagers. They did not need to write sophisticated code or exploit unknown vulnerabilities. Instead, they called the helpdesk, impersonated legitimate users, and were given access.
Once inside, they took advantage of a virtualisation platform whose administrative actions were not monitored. They created rogue virtual machines using the same names as legitimate ones. Because nothing flagged a new machine appearing under a familiar name, or the account that created it, they remained undetected for long enough to cause real damage.
The lesson here is simple. Identity is the new perimeter. If helpdesk identity verification, credential reset procedures, or monitoring of privileged actions are weak, your entire environment is at risk.
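To make the monitoring gap concrete, here is a small detector, added as an illustration and not code from the article or from any vendor platform, that replays the two signals the incident above left behind: a virtual machine created under a name that already exists in the inventory (including case or separator variants), and a VM created by an account whose password was reset by the helpdesk shortly beforehand. The log format, account names, VM names and inventory are constructed for the example; in practice the events would come from the hypervisor's audit log and the helpdesk or identity provider.

```python
"""Flag rogue VM creations in a constructed hypervisor/helpdesk audit log.

Added example, not part of the original article. The flat log format,
account names and VM names below are assumptions made for illustration.
"""
import re
import unicodedata
from collections import namedtuple
from datetime import datetime, timedelta

# Constructed sample log: "<ISO time> <EVENT> key=value ...".
SAMPLE_LOG = """
2025-04-20T09:10:00 PASSWORD_RESET actor=helpdesk.agent target=j.smith channel=phone
2025-04-20T09:42:00 VM_CREATE actor=j.smith name=DC01 host=esx-07
2025-04-20T10:05:00 VM_CREATE actor=j.smith name=BACKUP-SRV host=esx-07
2025-04-21T14:30:00 VM_CREATE actor=ops.build name=WEB-12 host=esx-02
2025-04-22T08:15:00 VM_CREATE actor=ops.build name=web-03 host=esx-02
"""

# Constructed inventory of VMs that legitimately existed before the log starts.
EXISTING_VMS = ["DC01", "BACKUP-SRV", "WEB-01", "WEB-03"]

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<event>[A-Z_]+) (?P<rest>.*)$")

Alert = namedtuple("Alert", "kind ts actor name detail")


def parse_log(text):
    """Parse log lines into dicts with a datetime 'ts', an 'event' and key=value fields."""
    events = []
    for raw in text.strip().splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # ignore malformed lines rather than crash the detector
        fields = dict(kv.split("=", 1) for kv in m.group("rest").split())
        events.append({"ts": datetime.fromisoformat(m.group("ts")),
                       "event": m.group("event"), **fields})
    return sorted(events, key=lambda e: e["ts"])


def normalise_name(name):
    """Collapse case, Unicode compatibility forms and separators so that
    'dc-01', 'DC01' and 'dc_01' all compare equal."""
    folded = unicodedata.normalize("NFKC", name).casefold()
    return "".join(ch for ch in folded if ch.isalnum())


def find_alerts(events, inventory, reset_window=timedelta(hours=24)):
    """Return alerts for duplicate-named VMs and VMs created soon after a reset.

    known maps normalised name -> original name, seeded from the inventory and
    extended as new VMs appear, so a second creation of the same name is caught
    even if the first one was itself in the log.
    """
    known = {normalise_name(n): n for n in inventory}
    last_reset = {}  # account -> time of most recent helpdesk password reset
    alerts = []
    for e in events:
        if e["event"] == "PASSWORD_RESET":
            last_reset[e["target"]] = e["ts"]
            continue
        if e["event"] != "VM_CREATE":
            continue
        key = normalise_name(e["name"])
        if key in known:
            alerts.append(Alert("duplicate_name", e["ts"], e["actor"], e["name"], known[key]))
        else:
            known[key] = e["name"]
        reset_at = last_reset.get(e["actor"])
        if reset_at is not None and timedelta(0) <= e["ts"] - reset_at <= reset_window:
            alerts.append(Alert("post_reset_create", e["ts"], e["actor"], e["name"], reset_at))
    return alerts


if __name__ == "__main__":
    for a in find_alerts(parse_log(SAMPLE_LOG), EXISTING_VMS):
        print(f"{a.ts.isoformat()} {a.kind:<18} actor={a.actor} vm={a.name} ({a.detail})")
```

On the constructed log this raises five alerts: DC01 and BACKUP-SRV are both duplicates of inventory names and both created within an hour of a phone-initiated password reset for the same account, and web-03 collides with WEB-03 once case and separators are normalised; WEB-12, a genuinely new name from an account with no recent reset, is not flagged. Neither signal is proof of compromise on its own, which is exactly why an unmonitored platform is dangerous: the point is that these events are cheap to collect and correlate, and the case above shows what it costs when nobody does.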
Resilience Over Compliance: The Strategic Shift.
Ticking a compliance box will not protect your business. The new priority is resilience. This means planning for when a breach happens, not if. It involves coordination between IT, legal, communications, HR, and the board.
Risk quantification also plays a significant role. When boards understand the real-world business impact of cyber threats, they are more likely to invest and take an active role in mitigating them. Security becomes a strategic priority rather than a technical afterthought.
Customer Trust Is Now a Security Metric.
Customers expect their data to be protected. When that trust is broken, the consequences can be lasting. But it is not just the breach that does the damage. The response matters as much.
Confusion, silence, or vague messaging can quickly escalate a situation. On the other hand, timely, honest, and transparent communication can help preserve relationships.
Cybersecurity is no longer a back-end function. It plays a visible and active role in shaping brand perception and customer experience.
The Role of Regulation and Personal Accountability.
Regulators are tightening their expectations. Under the UK GDPR's accountability principle and sector-specific regimes such as the FCA's Senior Managers and Certification Regime, executives may be held personally accountable for serious cybersecurity failures. The Financial Conduct Authority and the Information Commissioner's Office have both made it clear that a lack of awareness will not be accepted as an excuse.
This is why board-level oversight is critical. Executives must ensure they are adequately briefed, regularly updated, and actively involved in strategic decision-making. Directors and Officers insurance can help, but it is no substitute for robust governance.
Five Questions Every Board Should Be Asking.
To move from reactive to resilient, leadership teams should be asking:
- How confident are we in our ability to detect and respond to a breach within 24 hours?
- Are our identity and access controls as robust as our perimeter defences?
- Do we conduct regular incident response exercises with executive involvement?
- Where is our most significant exposure, and are we investing proportionately in it?
- Is our cyber strategy aligned with business outcomes, not just IT performance indicators?
Final Thoughts: Security Is a Leadership Issue.
Cybersecurity is not just about technology. It is about trust, continuity, and long-term viability. Boards cannot afford to treat it as someone else's job. They must lead from the front.
At Bechtle, we support leadership teams in building pragmatic, tailored cybersecurity strategies. If your boardroom is unsure where to begin, we can help you shape a clear plan that prioritises outcomes, aligns to business goals, and strengthens resilience.
Contact Bechtle to discuss how we can support your security strategy and help protect your business from the inside out.