
Calm Before the Cyberstorm? Evolving Threats Show Complacency is the Real Resilience Risk


A period of relative calm in cybersecurity can be deceptively dangerous. While regulatory progress and high-profile takedowns of major threat groups suggest improved resilience, attackers are quietly regrouping and evolving. As new actors adopt more disruptive tactics and AI-driven techniques, organisations risk mistaking compliance for preparedness. In this environment, complacency—not capability—may be the greatest threat to resilience.

No one enters the cybersecurity sector expecting serenity. The pace is relentless, and the stakes are high. According to the World Economic Forum, the weekly number of cyberattacks has more than doubled, now hovering just below 2,000. That figure might seem exaggerated until you consider how many high-profile breaches have made headlines recently – and those are just the ones we know about.

What’s more concerning is the speed at which attackers are evolving. AI, once a theoretical threat, is now a practical weapon. Phishing techniques have become disturbingly sophisticated, and attackers are even weaponising chatbots to develop malicious code, innovating at pace. Thankfully, governments have responded with commendable urgency. New regulations are emerging across the globe, and law enforcement has successfully dismantled several major threat groups. But these victories can be misleading. They create a sense of calm that is not only temporary but dangerous. Cyber threats don’t vanish – they adapt.

No getting off this ride

The one constant in cybersecurity is change. Just last year, it seemed like the industry was on a big high, with major cyberthreat groups like LockBit, Black Cat, and Black Basta either being shut down, disappearing, or simply ceasing operations. Across Europe, we also saw two major cybersecurity regulations in the form of NIS2 and DORA, seeking to improve resilience for organisations in general and for the particularly hard-hit financial sector. Some countries even took steps towards more decisive measures. In the UK, a consultation was carried out on a potential ransomware payments ban for critical national infrastructure and public sector organisations. Taken alone, these developments could almost excuse organisations for thinking they could take their foot off the gas a little.

“The greatest risk organisations face today isn’t the lack of regulation or tools—it’s the false sense of security that comes from believing compliance alone equals resilience.”

Magnus Jelen, Lead Director of Incident Response UK & EMEA, Coveware by Veeam

But there have been plenty of lows too. In recent months, we’ve seen a spree of successful attacks across Europe, most notably targeting the retail sector. While ransomware payments might have dropped again, that doesn’t mean attackers are sitting back and relaxing. The takedown of established groups last year opened up room for smaller groups and even individual ‘lone wolves’. With these new attackers comes a whole new set of motives. Money might still be a driver, but many of these newcomers are more focused on targets where they can cause the most disruption, rather than on who might pay the biggest ransom. Today, you can split the market largely in two. High-cost, targeted attacks are still very much present, aimed at larger enterprises with deeper pockets. On the other side, you’ve got volume-driven Ransomware-as-a-Service attacks, carried out by those smaller groups and lone wolves, aiming to create as much chaos as possible.

So while on the surface, it might seem like an improved landscape, the same threats are still very much present, and new ones are already here.

Making the right choices

Luckily, regulation hasn’t just sat still in the face of this. As already mentioned, in the EU alone we’ve had two major regulations, NIS2 and DORA, both targeting data resilience. NIS2 was particularly impactful, enshrining resilience squarely as a responsibility of the C-suite. No longer can organisations push resilience into a corner; now senior leadership must actively manage cybersecurity risks, making them as much of a business priority as profit and strategy. It also introduced new standards for organisational risk management and mitigation and, in particular, for incident reporting, an essential element with attacks on the rise. While DORA was restricted to the financial services sector, it addressed some of the most pressing issues, such as third-party risk, in an attempt to bolster one of the most targeted sectors.

Although the required measures are essential for developing mature data resilience that can withstand the current pressure from threat actors, compliance is easier said than done. Ahead of NIS2, 66% of organisations expected to miss the deadline for compliance, and six months on from DORA, 96% of EMEA financial services organisations still felt they needed to improve their resilience in order to meet the requirements.

With so much work needed to reach compliance, when organisations do reach that threshold, the response is often to stop. But it’s vital to remember that being compliant does not equal being secure.

Keeping moving

Right now, the sector is sitting in the middle of a perfect storm. Big-name takedowns are lulling organisations into a false sense of security, while new attackers emerge from the wings using new and improved tools. And the focus on regulatory compliance risks misleading organisations and obscuring the true scope of the improvements that could be made to their data resilience.

In times like this, organisations need to turn their attention inwards. Rather than scrambling to react to attacks with one hand, while also trying to meet compliance deadlines and keep day-to-day operations running smoothly with the other, they should try a different approach.

Using data resilience maturity models, organisations can not only better understand their current data resilience level but also create a path to improve it. Instead of looking at every aspect of data resilience separately, these models bring them together, focusing efforts and creating a tide that lifts all boats, rather than the more typical patchwork approach to resilience.

With attacks more frequent than ever, and with attackers arguably as unpredictable as they’ve ever been, special attention also needs to be paid to recovery. While having mature data resilience should always be ‘plan A’, your recovery ‘plan B’ needs to be just as developed, if not more so. Data resilience is a journey that can’t be completed overnight, and attackers won’t wait until you get yours up to scratch before they strike.

Ask yourself – right now, how long would it take my organisation to recover from an attack? Take a long, hard look at the answer, and if you wouldn’t be able to wait that long without a severe business impact, perhaps you need to take a look at your recovery plan before the storm hits.

Bio of Author

Magnus Jelen is Lead Director of Incident Response for the UK & EMEA at Coveware by Veeam. With extensive frontline experience supporting organisations through high-impact cyber incidents, Magnus works closely with executive teams to improve preparedness, response, and recovery in the face of ransomware and other evolving threats. His work focuses on helping businesses move beyond compliance toward true operational resilience.
