​Cybersecurity in 2025: Expert Insights from Matthew Downes, IT Director at Scala

The More People Podcast continues to explore career insights and industry expertise. In the second part of our conversation with Matthew Downes, IT Director at Scala, we dive into one of the most pressing topics for businesses today: cybersecurity. From high-profile breaches to practical strategies for protecting your business, Matthew gives a detailed look into the ever-evolving cyber landscape.

A Growing Threat Landscape

2025 has already highlighted how vulnerable even major corporations are to cyberattacks. Companies like Marks & Spencer and Jaguar Land Rover have made headlines after incidents that caused major operational disruptions.

Matthew explains the scale of the threat:

• A global cybersecurity attack occurs approximately every 39 seconds.

• In the UK, this translates to around 65,000 attempted breaches daily, with 4,500 achieving some level of success.

• 43% of companies reported a cybersecurity breach in 2024, ranging from GDPR violations to more serious incidents.

• The average cost of a cyber incident is $4 million, including IT recovery, lost business, and reputational damage.

• Human error is the underlying cause in over 90% of incidents, and in some cases, paying ransomware does not guarantee recovery - 1 in 4 companies never get their data back.

“Even small businesses are at risk. Cybersecurity isn’t just about firewalls or software, it’s about people, processes, and planning,” Matthew emphasises.

The motivations behind attacks are diverse, including organised crime groups, lone hackers, and even nation-state actors. Some attacks originate from regions outside the reach of Western law enforcement, making prevention and preparedness even more critical.

Why Cyber Attacks Are So Effective

Matthew explains that IT systems are complex, layered, and often built on decades-old technology. Many modern networks rely on legacy systems that were never designed with cybersecurity in mind.

• The internet itself was originally conceived as a “nuclear-proof communication system,” designed to break messages into packets to ensure communication could continue even if parts of the network were destroyed.

• Many protocols, email headers, and automation systems trace back to this legacy, leaving inherent vulnerabilities.

• The consumerisation of cyberattack tools has made advanced techniques accessible even to small-scale hackers. Some companies even sell software marketed as training tools that can be used maliciously.

“You might assume that FTSE 100 companies are prime targets because of their resources, but smaller businesses are equally at risk. Cybersecurity is a wild west - there’s no simple solution,” Matthew says.

Matthew shares his personal experience witnessing cyber incidents firsthand in corporate environments, noting how attacks often cascade: production lines stop, orders can’t be fulfilled, and systems must revert to manual processes. Once IT systems are restored, businesses often face a “cold start,” with data needing to be reconciled or rebuilt, sometimes from weeks earlier.

Lessons Learned from High-Profile Incidents

Even with advanced security measures like Cyber Essentials and external IT support, businesses can still fall victim to attacks. Matthew notes that human factors remain a critical vulnerability:

• Mobile devices and weak two-factor authentication can be exploited.

• Phishing attempts are increasingly sophisticated and can bypass standard protections.

• AI is now being used by hackers to generate convincing messages, making training and vigilance essential.

“You can’t just rely on systems. People are often the weakest link, so education, testing, and awareness are critical,” Matthew explains.

Best Practices for Businesses

Matthew shares actionable advice for protecting businesses from cyber threats. These strategies combine technology, training, and ongoing assessment:

1. Training and Testing – Employees need to recognise phishing attempts, suspicious links, and social engineering. Simulated attacks help reinforce training and reveal vulnerabilities across teams.

2. Vulnerability Scanning – Regularly scan systems for weaknesses. These should be prioritised based on criticality, with senior management receiving reports as part of business KPIs, similar to health and safety reporting.

3. Backups and Recovery Planning – Backups are only as good as your last successful restore test. Companies must practice restoring systems to ensure continuity in the event of a cyber incident.

4. Data Encryption – Encrypt sensitive information, whether in emails or spreadsheets, to ensure that even if attackers gain access, the data remains protected.

5. Monitor Emerging Threats – AI is a double-edged sword. While businesses can leverage AI for productivity, hackers also use it to craft more convincing phishing messages and bypass traditional detection methods.

“The environment is constantly evolving. Cybersecurity is an ongoing challenge, not a one-time fix. Treat it like health and safety - proactive, visible, and continuously reviewed,” Matthew advises.

The Role of AI in Cybersecurity

Matthew also touches on how AI intersects with cyber threats. Just as AI tools like ChatGPT and Microsoft Copilot are transforming businesses, hackers are using AI to improve the sophistication of attacks. This makes training and proactive defenses even more essential.

“AI can craft highly convincing messages that are difficult to distinguish from legitimate communications. Businesses need to understand these risks and build resilience around people, processes, and technology,” Matthew explains.

Key Takeaways

Cybersecurity is not just a technical issue - it’s a strategic business challenge. Companies of all sizes must:

• Recognise the evolving threat landscape.

• Invest in employee training, testing, and awareness.

• Continuously scan for vulnerabilities and prioritise remediation.

• Regularly test backup and recovery systems.

• Monitor emerging technologies and adapt defenses proactively.

“Cybersecurity incidents can have massive financial and reputational consequences, but with awareness, planning, and the right approach, businesses can mitigate risks and remain resilient,” Matthew concludes.