
20/6/2025
Most UK businesses are making a huge security mistake in software development
- 85% of hacked UK businesses were hit by phishing - and most leaders care less about cybersecurity now than in 2021.
- Hackers can take over your systems in just 48 minutes. Waiting until launch day to fix security flaws is a costly gamble.
- Most companies still bolt on security at the end of development - leading to panic rewrites and blown budgets.
- Early security planning ("shift-left security") saves money, prevents breaches, and avoids launch delays.

Here's some scary news. A new UK report found that 85% of businesses that get hacked face phishing attacks. Each attack costs about £10,000 on average. But here's the weird part—fewer company bosses actually care about cybersecurity now than they did in 2021.
This is really bad timing. Hackers can now break into one of your systems and spread across your whole network in just 48 minutes, helped by modern tools like generative AI. The fastest recorded case took 51 seconds. So waiting to fix security problems in your software is like waiting to put on a seatbelt until after you crash.
The old way: Fix security problems after you build your software
Most companies do software security completely backwards. Here's how it usually works:
- Build your app or website
- Spend months coding everything
- Right before you launch, test for security problems
- Find huge problems that need fixing
- Panic because fixing them means rewriting lots of code
It's like building a house and then realizing you forgot to put in a foundation. Now you have to tear down walls and start again.
The OWASP Top 10 (the most widely used list of web application security risks) even has a category called "Insecure Design", and its message is blunt: if the design is wrong from the start, flawless coding can't fix it. Don't treat security as an extra cost; treat it as an integral and crucial part of your software.
The better way: Build security into your software from day one
There's a smarter approach called "shift-left security." Don't worry about the fancy name—the idea is simple.
Instead of adding security at the end of software development, you think about it from day one. It's like:
- Building a house with a strong foundation instead of trying to add one later
- Wearing a helmet while riding a bike instead of putting one on after you crash
- Checking your code for problems while you're writing it instead of waiting until launch day
Here's what this looks like in software development:
- Everyone on your development team thinks about security, not just the IT person
- You test for security problems while you're coding, not after
- You design your software to be secure from the beginning
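One concrete form of "test for security problems while you're coding" is a check that runs before code is even committed. The script below is an added example written for this article, not code from the original post or from Rocksoft: a small pre-commit style scan that flags hard-coded credentials in source files and exits non-zero so the commit (or CI job) is blocked. The pattern names, the `# allow-secret` marker and the sample source text are all constructed for the example; the key ID in the sample is AWS's published example value, not a real credential.

```python
"""Pre-commit style secret scan: a small example of a shift-left check.

Added example, not part of the original article. It runs against files (or
text) before they are committed, so a hard-coded credential is caught while
the developer is still working on the change rather than on launch day.
"""
import re
import sys
from dataclasses import dataclass
from pathlib import Path

# Patterns for common classes of hard-coded secrets. Each one describes a
# well-known token format or a literal credential assignment, which keeps
# false positives low. (Names are constructed for this example.)
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "password_assignment": re.compile(
        r"(?i)(?:password|passwd|pwd|secret|api_key|token)\s*[:=]\s*['\"][^'\"]{8,}['\"]"
    ),
}

# A line ending with this marker is an explicit, reviewable exception
# (for example, an obviously fake value inside a unit test).
ALLOW_MARKER = "# allow-secret"


@dataclass(frozen=True)
class Finding:
    path: str
    line_no: int
    kind: str
    excerpt: str


def scan_text(text: str, path: str = "<memory>") -> list[Finding]:
    """Return one Finding per (line, pattern) match, skipping allow-listed lines."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        if line.rstrip().endswith(ALLOW_MARKER):
            continue
        for kind, pattern in SECRET_PATTERNS.items():
            if pattern.search(line):
                # Never echo the whole line (and thus the secret) back in full.
                findings.append(Finding(path, line_no, kind, line.strip()[:40]))
    return findings


def scan_files(paths) -> list[Finding]:
    """Scan each readable file; unreadable or missing paths are skipped."""
    findings = []
    for p in paths:
        path = Path(p)
        try:
            text = path.read_text(encoding="utf-8", errors="replace")
        except OSError:
            continue
        findings.extend(scan_text(text, str(path)))
    return findings


def main(argv) -> int:
    """Exit 1 when secrets are found so a pre-commit hook or CI step blocks the change."""
    findings = scan_files(argv)
    for f in findings:
        print(f"{f.path}:{f.line_no}: possible {f.kind}: {f.excerpt}")
    return 1 if findings else 0


# Constructed sample input, used when no file paths are given on the command line.
# The AKIA... value is AWS's published example key ID, not a live credential.
SAMPLE_SOURCE = '''\
import boto3
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
db_password = "correct-horse-battery"
TEST_TOKEN = "not-a-real-token-12345"  # allow-secret
DEBUG = True
'''

if __name__ == "__main__":
    if len(sys.argv) > 1:
        sys.exit(main(sys.argv[1:]))
    for f in scan_text(SAMPLE_SOURCE, "sample.py"):
        print(f"{f.path}:{f.line_no}: possible {f.kind}: {f.excerpt}")
```

Wired into a pre-commit hook (`python secret_scan.py $(git diff --cached --name-only)`), the check costs seconds per commit, which is the whole point of shifting left: the finding lands on the developer's screen while the change is still small and cheap to fix, instead of in a launch-week audit report.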
Why this saves you serious money
The numbers from the UK Cyber Security Breaches Survey 2025 and security research are pretty clear:
You save tons of money
- The UK report shows the average disruptive breach costs £3,550 (£10,000 for fraud cases)
- But globally, it's much worse: The average data breach now costs $4.88 million (about £3.9 million) - that's a 10% jump from last year
- Skills shortage makes it worse: Companies without enough security staff pay an extra $1.76 million on average
- Bad training costs you: Companies with poor employee security training face breach costs of $5.10 million vs. $4.15 million for well-trained teams
- Late detection is expensive: Breaches that take over 200 days to fix cost $5.46 million vs. $3.61 million for faster fixes
You lose money two ways
- Direct costs: Emergency fixes, system downtime, legal fees, and regulatory fines
- Reputation damage: Lost customers and broken trust, especially if you handle personal data like credit card info or health records
The OWASP Top 10 warns that poor security design can't be fixed later—you have to rebuild, which destroys budgets and timelines.
When security is built into your development process, you don't get those "oh no, we found a huge security hole" moments right before launch. Your releases happen on schedule.
The UK study shows that small businesses are getting better at this—48% now do security risk assessments (up from 41% last year). Companies that plan security from the start avoid most of these costly incidents.
What does this mean? Every pound you spend on early security in development saves you several pounds later. You're not just buying protection—you're buying predictable software releases and customer trust.
The big problem: Nobody's in charge of software security
Here's where things get really concerning. UK businesses are making some big mistakes with software security:
Company leaders have many critical priorities competing for their attention, and cybersecurity is losing ground: board-level responsibility for it has dropped from 38% to 27% in just a few years. Most board meetings have perhaps one person who understands how software security works, which makes it hard to take informed decisions about security investments and priorities.
Developers are getting the wrong advice
- 25% of companies ask outside consultants for security advice
- Some small businesses ask their "tech-savvy" cousin for help with software security
- Only 24% know about official government security guidance for software development
32% of companies train their development teams after getting hacked, but only 19% train them regularly. It's like teaching someone to code securely after their app has already been compromised.
Most businesses don't know about free government security programs for software development:
- Only 24% know about Cyber Aware
- Only 12% know about NCSC's 10 Steps to Cyber Security
- Only 12% know about Cyber Essentials
What does this mean? Your software security is only as good as your weakest developer or design decision. To fix this in your development process, you need to:
- Make sure your leaders understand software security risks
- Train your development team regularly on secure coding, not just after something bad happens
- Use official government guidance for secure software development
Don't wait until your software gets hacked
Remember those 48 minutes? When hackers get into your software, you have less than an hour before they're everywhere in your system. If you didn't build security into your development process from the start, those 48 minutes are basically game over.
The software companies that do well aren't the ones spending the most money on security tools. They're the ones who made security part of how they write code from day one.
Want to check if your software development is secure?
Don't guess whether your development process and software are secure. Get someone to check your code, development practices, and existing applications. They'll find problems before they become expensive disasters and help you build security into how your team develops software.
Get a security audit of your software development process - Because 48 minutes is way too short to save your business, but plenty of time to lose it.
Stop thinking of security as something you have to buy and start thinking of it as something that makes your software better. You'll save money, protect your customers' data, and sleep better at night.


Piotr is the Founder and CEO of Rocksoft with 14 years of experience as a developer. He has a strong background in software development and agile methodologies, having worked on diverse projects across multiple industries. Piotr is passionate about creating innovative solutions that drive business success.