
Every IT leader knows the mantra: “We’re too small. We’re not on their radar. Why would they hit us?”
That sort of thinking is optimism bias in action—believing bad things happen to others, not to you. But the data tells a different story. In the UK, the risk isn’t “maybe” or “if” — it’s “when”.
The Cold, Hard Numbers
According to the NCSC’s Annual Review 2025, between September 2024 and August 2025:
There were 204 nationally significant cyber incidents—up from just 89 the previous year, representing a 130% increase.
Of those, 18 incidents were classified as “highly significant” (Category 2) — a roughly 50% year-on-year rise.
In that same period, the NCSC assisted with 429 cyber incidents in total—of which nearly half were nationally significant.
The NCSC warns: “Cybersecurity is now a matter of business survival and national resilience.”
If you’re thinking “that only applies to the big FTSE companies” — think again. The surge shows every organisation is at risk.
Optimism Bias: Your Hidden Vulnerability
Optimism bias isn’t just about wishful thinking. In the context of cyber it must be taken seriously, because:
It drives inaction. “We’ve never been hit” becomes the justification for delaying reviews, skipping tests and ignoring updates.
It breeds complacency. Thinking “we’re safe” means you’re less likely to treat cyber as a board-level issue or embed it into your contingency plans.
It blinds you to real risk. Just because you haven’t been attacked yet doesn’t mean you won’t. The NCSC data proves attackers are switching targets fast.
It elevates cost. When you wait until an incident happens, the financial, operational and reputational cost is much higher than proactive defence.
Why the Threat Landscape has Changed
Attackers are no longer just looking for the big fish. The rise in “nationally significant” incidents shows they’re targeting organisations based on vulnerability, not just size.
State-linked and highly capable adversaries are increasingly active. The NCSC highlights Chinese and other actors as “highly sophisticated and capable”.
Ransomware, supply-chain attacks and attacks on critical services mean the risk is not just data loss—it’s business disruption, reputational damage and national economic risk.
Five Signs Your Organisation Might Be Underestimating the Risk
1. “We’ve never had a serious incident”: Using past absence of incident as proof of future safety is dangerous.
2. Cyber is still “an IT problem”: If cyber remains behind the scenes rather than at the boardroom table, you are creating a blind spot.
3. Back-ups are taken for granted: The assumption “our backups will be fine” without regular testing is a form of optimism bias.
4. You rely on size or niche as protection: “We’re too small / we’re in a niche market” doesn’t make you invisible to attackers—they follow the weakest link.
5. You react rather than plan: If you only talk about “what happens if we get hit” instead of rehearsing “what happens when we do”, you’re behind the curve.
How to Break Free from Optimism Bias and Build Real Resilience
Challenge the narrative: Ask “What if we are hit tomorrow?” and walk through the business impact: downtime, loss of trust, a breach of customer data.
Bring cyber into the boardroom: Cyber = business risk. Make sure senior leadership owns it, not just the IT team.
Test regularly: Back-ups, disaster recovery, incident response plans—all need to be tested under pressure.
Adopt an adaptive stance: Threats evolve; your defences must too. That means embedded monitoring, proactive patching and supplier hygiene.
Think beyond the perimeter: With hybrid working and cloud, the old “castle and moat” model is gone. The attack surface is wider, and the weakest link might be anywhere.
How Synapse Can Help You Get Real About Cyber Risk
At Synapse, we believe cyber-resilience isn’t about hype; it’s about doing the fundamentals very, very well:
Backup-as-a-Service: Automated, immutable, tested backups so you don’t hope—you know you’re covered.
Cyber Protection-as-a-Service: Real-time monitoring, threat detection, responsive remediation—removing the “what if” from your plan.
Disaster Recovery-as-a-Service: Minimise downtime, keep your business running even when systems go down.
Adaptive Cloud: Cost control, agility, compliance—so your infrastructure works with your security strategy, not against it.
We’re your pragmatic, trusted advisor—not the vendor with the loudest marketing, but the one who helps you sleep at night.
Don’t Wait Until It’s Too Late
Optimism bias feels comfortable, but comfortable is not safe. The time to act was yesterday. The second-best time is now.
Talk to our Synapse team today and let’s shift you from believing “They’d never hit us” to preparing “If they do hit us, we’ll be ready.”