Gavin Millard, VP of Intelligence at Tenable, breaks down eight actionable steps organisations should take to tackle cyber attacks
It took just one cyberattack to bring down Knights of Old, a logistics firm with 150 years of history behind it. The breach forced the company into administration, leaving no room for recovery and no opportunity for a second chance. TravelEx, once a global currency exchange brand, collapsed after a ransomware attack disrupted operations in 30 countries. MediSecure, an Australian e-prescription provider, suffered a breach affecting nearly 13 million people. The fallout led to a failed bailout request and the company entering administration. Even Discord.io, a niche tech firm, shut down after hackers accessed its customer database. The reputational damage alone was enough to end its operations.
These cases are not isolated; they are part of a deeply concerning trend that is shaping the cybersecurity landscape.
Why are cyber attacks potentially fatal?
Unlike attacks of old, today’s threat actors aren’t just stealing data; they’re aiming to create as much disruption to operations as possible so that meeting their demands looks like the easy way out. Ransomware campaigns, supply chain compromises, and zero-day exploits are engineered to bring businesses to a standstill. For SMEs, even a short disruption can mean permanent closure.
Organisations’ digital footprints have expanded rapidly, extending the attack surface that needs to be defended. Cloud platforms, IoT devices, and remote-work infrastructure each bring convenience and capability, but they also introduce risk.
For small and medium-sized enterprises, often operating with limited resources and overstretched teams, keeping pace with this growing attack surface is a constant challenge.
What needs to change
Many organisations remain stuck in a reactive posture, hoping defensive security tools will stop a breach in flight rather than proactively fixing the flaws attackers will target before they can be exploited.
Proactive security tools are often deployed, but without a cohesive strategy, organisations struggle to knit together the information these tools unearth – which assets are exposed, which vulnerabilities pose real risk, or which identities have excessive permissions. The result is a blurred view of the attack surface, an over-reliance on defensive tools and a failure to spot the toxic combinations that attackers exploit.
Security teams may surface thousands of issues, but without clarity on which ones threaten core operations, remediation becomes guesswork. That leads to wasted effort, missed priorities, and increased exposure: exactly the conditions that allow a breach to become a business-ending event.
Without context, coordination, and accountability, both proactive and reactive security tools offer little defence.
Bring it all together
Cybersecurity is no longer a technical concern confined to the IT department — it’s a strategic issue that demands attention at the highest levels of leadership. Business continuity, reputation, and financial stability hinge on how well organisations address their cyber risks.
There is a clear distinction between merely reacting to cyber threats and taking a preventative stance that increases the business’s resilience, which is especially important for SMEs. Here are eight steps to level up your organisation’s defences:
1. Map your digital assets
Start with visibility. Conduct a full inventory of your digital environment, including cloud platforms, IoT devices, operational technology, and third-party integrations. Know what you own, where it resides, and how it connects. Without this baseline, risk remains invisible.
2. Identify what matters most
Determine which systems support critical operations, which identities have elevated privileges, and which data is most sensitive. This business context is essential for prioritising risk effectively and will inform your incident response plans.
3. Prioritise based on impact, not volume
Move beyond generic severity scores and focus on exposures that could disrupt operations or damage reputation. This means uncovering your attack paths: toxic combinations of vulnerabilities and misconfigurations, weighed against the likelihood of exploitation, rather than playing whack-a-mole with CVEs. As an illustration, when a widely exploited vulnerability is disclosed, knowing where in the infrastructure it resides and which critical systems it is linked to allows timely remediation before threat actors can target it.
4. Break down silos
Cyber risk doesn’t respect organisational boundaries. Ensure IT, security, and business units are aligned. Create shared workflows for remediation, with clearly defined roles and responsibilities, as a fragmented response leads to missed opportunities and delayed action.
5. Set measurable goals
Establish service-level expectations for remediation and track progress, whether it’s patching timelines, access reviews, or incident response readiness. Define what success looks like and hold teams accountable.
6. Review and adapt regularly
Cyber threats evolve, and so should your strategy. Schedule regular reviews of your risk posture, update asset inventories, and refine prioritisation criteria. Treat cybersecurity as a living process, not a one-off project.
7. Elevate cyber risk to the boardroom
Ensure cyber risk is reported alongside financial and operational metrics. Boards should understand the organisation’s exposure, the potential impact of a breach, and the steps being taken to mitigate it. This isn’t about technical detail; it’s about business risk.
8. Dust off your incident and disaster recovery plans
If the worst happens and a breach occurs, having an up-to-date plan of action is critical in reducing the time to recovery. Breach response should be a well-oiled machine with defined roles and responsibilities, a communication strategy and runbooks for getting critical systems up and running to get the business back on track without losing credibility.
These steps don’t require a complete overhaul overnight, but they do require commitment, coordination, and a shift in mindset. Cybersecurity is no longer just about reactive defence; it’s about proactive resilience, and that starts with knowing what matters, acting on what’s urgent, and aligning security with business priorities.
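Steps 1 to 3 above describe ranking exposures by business impact rather than by raw severity. The following is an added example written for this article, not code from the author or from Tenable; the asset names, finding identifiers, scores and the weighting itself are all constructed to show how the same three findings order differently under a CVSS-only view and an impact view.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Exposure:
    """One finding on one asset, with the business context from steps 1 and 2."""
    asset: str
    finding: str               # constructed identifier, not a real CVE
    cvss: float                # generic severity score, 0-10
    exploit_likelihood: float  # 0-1, assumed to come from exploitation intelligence
    criticality: int           # business criticality of the asset, 1 (low) to 5 (core ops)
    internet_facing: bool
    privileged_identity: bool  # an over-privileged account can reach this asset

def impact_score(e: Exposure) -> float:
    """Severity x likelihood x criticality, boosted for toxic combinations.

    Hypothetical weighting: an internet-facing asset reachable by an
    over-privileged identity is an attack path, not just a CVE.
    """
    score = (e.cvss / 10.0) * e.exploit_likelihood * e.criticality
    if e.internet_facing:
        score *= 1.5
    if e.privileged_identity:
        score *= 1.5
    return score

def rank_by_impact(exposures):
    return sorted(exposures, key=impact_score, reverse=True)

def rank_by_cvss(exposures):
    """The 'volume' view the article argues against: severity alone."""
    return sorted(exposures, key=lambda e: e.cvss, reverse=True)

def critical_assets_with(exposures, finding, min_criticality=4):
    """Which critical systems carry a newly disclosed, widely exploited finding?"""
    return [e.asset for e in exposures
            if e.finding == finding and e.criticality >= min_criticality]

# Constructed sample inventory: three assets, three findings.
SAMPLE = [
    Exposure("dev-sandbox-vm", "FINDING-A", 9.8, 0.05, 1, False, False),
    Exposure("erp-db-primary", "FINDING-B", 6.5, 0.90, 5, True, True),
    Exposure("hr-file-share", "FINDING-C", 7.5, 0.30, 3, False, True),
]

if __name__ == "__main__":
    print("By CVSS:  ", [e.finding for e in rank_by_cvss(SAMPLE)])
    print("By impact:", [e.finding for e in rank_by_impact(SAMPLE)])
    print("FINDING-B on critical assets:", critical_assets_with(SAMPLE, "FINDING-B"))
```

The critical-severity finding on the isolated sandbox tops the CVSS list but drops to last once likelihood and business context are applied.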

Gavin Millard is the Deputy Chief Technology Officer and Vice President of Market Insights at Tenable, a cybersecurity firm. With over two decades of experience in the cybersecurity industry, Gavin is a trained ethical hacker who specialises in helping medium and large enterprises reduce their attack surface and improve their cyber resilience.