Re-thinking cyber security from prevention to operational resilience
For a long time, organisations focused their efforts on protecting the perimeter. Yet the reality is that bad actors often don't 'break in'; they log in. Using stolen credentials, tokens or session cookies, they can access critical systems while appearing to be legitimate users.
Active Directory, first introduced in 2000, continues to underpin identity management for many organisations. Although it's a powerful platform, its complexity makes it difficult to secure completely. This leaves it exposed as a frequent target where attackers can exploit misconfigurations or weaknesses. With freely available tools, even a non‑expert can escalate privileges and take over an entire domain.
The situation becomes even more complex in hybrid environments. Virtually all organisations synchronise their on-premises Active Directory with cloud environments such as Microsoft Entra ID. This means an attack that starts with phishing or malware on an endpoint can move rapidly into the cloud. Groups such as Storm-0501 commonly follow this pattern: first infiltrate the legacy environment, then obtain privileges in the cloud and establish persistence there.
RaaS fuels the ecosystem
The cybercrime landscape is evolving rapidly and professionalising. Where technical expertise was previously required, Ransomware-as-a-Service (RaaS) groups now offer turnkey attack packages, fuelling this ecosystem further. Initial access brokers sell entry to vulnerable systems on the underground market, often for a fraction of the potential damage inflicted.
A notorious example remains the attack on Colonial Pipeline, where stolen credentials from an external contractor were enough to shut down operations. This demonstrates that identity security is not just an IT issue but a strategic challenge that affects the entire organisation.
From prevention to resilience
Central to this shift is the move from prevention to building operational resilience. It's no longer only about keeping attackers out; above all, it's about being prepared for when they do get in. An important concept here is the Minimum Viable Company (MVC). This means that an organisation defines in advance which processes, applications, and infrastructure are necessary to keep running in a crisis. That can range from order and shipping systems in manufacturing to patient records in healthcare.
In a crisis, success doesn't depend on improvisation, but on preparation. Who has which role, which applications must come back online first, and how is communication organised: that must be determined and rehearsed in advance.
Many organisations have a recovery plan that simply stays on paper. Yet without regular exercises, such a plan loses its value. Tabletop exercises - simulations of a crisis scenario without shutting down production - are essential. Such an exercise may reveal that a critical application depends on another system, or that contact details aren't up to date. By practising periodically, the organisation's resilience grows.
AI for good and bad
Another significant trend is the rise of AI. Since ChatGPT emerged at the end of 2022, AI capabilities have accelerated dramatically. For security teams, AI offers opportunities to recognise patterns in vast volumes of log data and flag anomalies faster.
However, cybercriminals are using AI just as readily. Phishing emails are flawlessly translated and convincingly drafted. Deepfakes and real‑time voice imitation make social engineering more dangerous than ever. And while mainstream AI models resist generating malware, customised variants on the dark web now do so without restrictions.
Attackers operate without regard for ethics or compliance. That makes AI a powerful tool for them. For defenders, it means we must use AI to analyse the deluge of signals, while also considering the increase in false positives that puts SOC teams under pressure.
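The two sides of the AI paragraph above, anomalies flagged faster and the false positives that come with them, can be made concrete with a small baseline-deviation detector. The following is an added example, not code from the original article, and it uses a plain statistical baseline rather than a machine-learning model to show the same trade-off: each user's failed-login count on the latest day is compared with that user's own earlier days, and the sensitivity parameter `k` decides how many legitimate but noisy users get flagged alongside the real outlier. The log line format, the user names and all log lines are constructed for this example and do not correspond to any product's real format.

```python
"""Baseline-deviation detection over constructed authentication logs.

Added example, not from the original article. All log lines are constructed
here; the format `<ISO time> auth user=<u> src=<ip> result=<success|failure>`
is an assumption chosen for this example, not any product's real format.
"""
import re
import statistics

LINE_RE = re.compile(
    r"^(?P<day>\d{4}-\d{2}-\d{2})T\S+ auth user=(?P<user>\S+) "
    r"src=(?P<src>\S+) result=(?P<result>\w+)$"
)

# Constructed scenario: (user, day, number of failed logins, source IPs to cycle).
# bob's last day is the planted anomaly; carol is noisy but legitimate.
SCENARIO = [
    ("alice", "2024-05-01", 1, ["10.0.0.5"]),
    ("alice", "2024-05-02", 1, ["10.0.0.5"]),
    ("alice", "2024-05-03", 1, ["10.0.0.5"]),
    ("alice", "2024-05-04", 1, ["10.0.0.5"]),
    ("bob", "2024-05-01", 0, ["10.0.0.7"]),
    ("bob", "2024-05-02", 1, ["10.0.0.7"]),
    ("bob", "2024-05-03", 0, ["10.0.0.7"]),
    ("bob", "2024-05-04", 9, ["203.0.113.9", "198.51.100.4", "192.0.2.33"]),
    ("carol", "2024-05-01", 2, ["10.0.0.9"]),
    ("carol", "2024-05-02", 3, ["10.0.0.9"]),
    ("carol", "2024-05-03", 2, ["10.0.0.9"]),
    ("carol", "2024-05-04", 5, ["10.0.0.9"]),
]


def build_log(scenario):
    """Expand the constructed scenario into raw log lines (one success per day
    so that every day exists in the baseline, plus the given failures)."""
    lines = []
    for user, day, fails, srcs in scenario:
        lines.append(f"{day}T08:00:00Z auth user={user} src={srcs[0]} result=success")
        for i in range(fails):
            src = srcs[i % len(srcs)]
            lines.append(f"{day}T09:{i:02d}:00Z auth user={user} src={src} result=failure")
    return lines


def daily_failures(lines):
    """Parse log lines into {user: {day: failed_login_count}}; unparseable lines are skipped."""
    counts = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        per_day = counts.setdefault(m["user"], {})
        per_day.setdefault(m["day"], 0)
        if m["result"] == "failure":
            per_day[m["day"]] += 1
    return counts


def score_users(counts, k):
    """Flag users whose latest-day failure count deviates more than k standard
    deviations from their own earlier days. Returns {user: z_score}."""
    flagged = {}
    for user, per_day in counts.items():
        days = sorted(per_day)
        if len(days) < 2:
            continue  # no history to compare against
        baseline = [per_day[d] for d in days[:-1]]
        latest = per_day[days[-1]]
        mean = statistics.mean(baseline)
        # Floor the spread at 1.0 so a perfectly flat baseline cannot make any
        # single extra failure look like an extreme deviation.
        spread = max(statistics.pstdev(baseline), 1.0)
        z = (latest - mean) / spread
        if z > k:
            flagged[user] = round(z, 2)
    return flagged


def evaluate(flagged, known_anomalous):
    """Return (true_positives, false_positives) against a labelled set of users."""
    hits = set(flagged)
    return len(hits & known_anomalous), len(hits - known_anomalous)


if __name__ == "__main__":
    counts = daily_failures(build_log(SCENARIO))
    for k in (3.0, 2.0):
        flagged = score_users(counts, k)
        print(f"k={k}: flagged={flagged} tp/fp={evaluate(flagged, {'bob'})}")
```

With `k=3.0` only bob is flagged; dropping to `k=2.0` also flags carol, whose elevated count is within her own normal noise. That second result is the false positive an analyst has to triage, and tuning `k` per environment is exactly the kind of decision the paragraph above leaves to the SOC.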
Cyber resilience culture change
Cyber resilience goes far beyond IT – it is a strategic business priority that demands attention at the executive level. Top‑down initiatives are essential. An effective crisis management plan requires sponsorship from the boardroom. It's not only about technology, but also about processes, communication and governance.
Building resilience requires clear policies on where critical information is stored, how keys and backups are secured, and which alternative communication channels are available if regular systems are compromised. Incidents in the field show that even Teams or Zoom conference calls can be eavesdropped on by attackers. Out‑of‑band communication channels are therefore crucial.
Security professionals are increasingly acting as catalysts for organisational change. They must not only implement technology but also change culture and mindset: from the illusion of total prevention to a realistic focus on robustness. Cyber resilience should become a KPI by which organisations are held accountable. Not whether you are hit, but how well you respond ultimately determines whether your organisation survives. Prevention remains important, but without resilience you remain vulnerable.