
Edition 2 - Current Threat Landscape and Response Plans


Cyber security isn't just about tools and systems. Engaged and confident people play a major role in protecting our organisation and making it safer and harder to compromise. This series invites you to boost your essential cyber security knowledge and reinforce best practices in our workforce. Together, we can continue building a positive security culture where everyone feels responsible for protecting our data.

Key focus: Lessons from 2025’s Breaches, the Year the Giants Fell

2025 proved to be a watershed year for cyber security in the UK. The question for businesses has shifted from “if” they will be targeted, to “when”, and how quickly they can recover.

The sophisticated attacks that crippled household names like M&S, Harrods, the Co-op, and Jaguar Land Rover serve as a brutal lesson: a strong perimeter is no longer enough. These incidents showcased three critical vulnerabilities:

Vulnerability: Supply chain exposure
  What it looks like: Third parties with access become the entry point
  Why it matters: Your security posture is only as strong as your weakest vendor

Vulnerability: The human element
  What it looks like: Social engineering and help-desk compromise
  Why it matters: A single identity failure can escalate into full business disruption

Vulnerability: Operational disruption (OT impact)
  What it looks like: Attacks halt production and core services
  Why it matters: Threat actors aim for maximum downtime, not just stolen data

Supply Chain Exposure

The Harrods incident, in both May and September, where up to 430,000 customer records were exposed via a third-party provider, demonstrated that an organisation's security posture is only as strong as its weakest vendor. Similarly, JLR’s major disruption rippled across its extensive automotive supply chain.

The Human Element

M&S was hit by a major ransomware attack believed to have begun with social engineering that tricked an IT help-desk employee or third-party contractor into granting access. This single point of failure caused the suspension of online orders and impacted in-store payments for weeks. The Co-op was breached by similar tactics in April.

Operational Technology (OT) Impact

The JLR attack was particularly stark, forcing the shutdown of its global IT and production systems. This confirmed the shift in focus for threat actors from merely stealing data to achieving maximum operational disruption, proving that a digital breach can halt a physical production line.

At the Centre of the Web: Scattered Spider’s Social Engineering Masterclass

The common thread running through major 2025 breaches was the highly effective cybercriminal group, Scattered Spider (also known as Octo Tempest). This group redefined the entry point for major breaches, not through complex zero-day exploits, but through compromising the human element.

Scattered Spider is composed of native English speakers, enabling them to execute highly sophisticated and persistent vishing (voice phishing) and social engineering attacks. They target IT help desks and corporate communication channels, impersonating employees or privileged users to trick staff into resetting passwords or transferring Multi-Factor Authentication access to a device they control.

AI has lowered the barrier to entry

Beyond the headline attacks, the threat landscape has been reshaped by rapid technological and tactical evolution. The mainstreaming of generative AI tools has lowered the barrier to entry for cybercrime.

Threat actors are now leveraging AI for:

  • Hyper-Realistic Deepfakes: using AI-generated audio or video in CEO fraud.
  • Automated Phishing: crafting convincing, context-aware emails at scale.
  • Mutating Malware: writing code that adapts to avoid static detection.

Identity and Credential Theft

Attacks focusing on compromised identities have surged. This includes exploiting identity and access management systems and the persistent use of social engineering to bypass Multi-Factor Authentication or gain initial access.

By compromising a single identity, threat actors gain access, bypass perimeter security, and then escalate privileges rapidly to deploy ransomware and execute double extortion schemes, encrypting systems and threatening to leak sensitive data.
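As an added illustration, not part of the newsletter, here is a small detector for the help-desk-driven pattern described under Scattered Spider and in this section: a password reset performed by someone other than the account owner, followed within a short window by a new MFA device on the same account. The audit-log format, field names and the 30-minute window are assumptions, and the log lines are constructed.

```python
"""Flag help-desk-driven account takeover: a password reset performed by a
third party, followed shortly by a new MFA device on the same account."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample identity-provider audit log (assumed format, not from any real system).
SAMPLE_LOG = """\
2025-04-21T09:02:11Z user=alice.smith event=password_reset actor=helpdesk_ops
2025-04-21T09:06:40Z user=alice.smith event=mfa_device_registered actor=alice.smith
2025-04-21T10:15:03Z user=bob.jones event=password_reset actor=helpdesk_ops
2025-04-22T14:00:00Z user=bob.jones event=mfa_device_registered actor=bob.jones
2025-04-21T11:30:00Z user=carol.lee event=mfa_device_registered actor=carol.lee
"""

WINDOW = timedelta(minutes=30)  # assumed alert window


def parse_line(line):
    """Parse 'timestamp key=value ...' into a dict with a datetime under 'ts'."""
    ts, *kvs = line.split()
    rec = dict(kv.split("=", 1) for kv in kvs)
    rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return rec


def find_reset_then_mfa(log_text, window=WINDOW):
    """Return (user, reset_ts, mfa_ts) for each account where an MFA device was
    registered within `window` after a reset the account owner did not perform."""
    by_user = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            rec = parse_line(line)
            by_user[rec["user"]].append(rec)
    hits = []
    for user, recs in by_user.items():
        recs.sort(key=lambda r: r["ts"])
        # Only resets initiated by someone other than the user (e.g. help desk).
        resets = [r["ts"] for r in recs
                  if r["event"] == "password_reset" and r["actor"] != user]
        for r in recs:
            if r["event"] != "mfa_device_registered":
                continue
            for reset_ts in resets:
                if timedelta(0) <= r["ts"] - reset_ts <= window:
                    hits.append((user, reset_ts, r["ts"]))
                    break
    return hits
```

On the sample log only alice.smith is flagged: bob.jones registered a device a day after the reset, and carol.lee had no reset at all.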

The Professionalisation of Ransomware-as-a-Service (RaaS)

Ransomware groups have adopted a highly professional, service-based model. They specialise in high-leverage targets like critical infrastructure, where the pressure to pay for operational continuity is immense.

Many now operate Ransomware-as-a-Service (RaaS), where creators license malware tools and infrastructure to affiliates in exchange for a fee. It operates like a standard Software-as-a-Service model, but with malicious intent. This lowers the barrier to entry and increases the volume of attacks, making threats more widespread and difficult to track.

The Visual and Audio Tells: How to Spot Deepfakes

Despite advances in AI, it still struggles to render real-world physics and human expressions convincingly. ESET has released guidance outlining the essential signs to look for when spotting deepfakes.

Essential Mitigation Strategies for Businesses

The incidents of 2025 highlight that the focus must shift from pure prevention to holistic resilience, planning not only to stop the attack, but to contain it rapidly when it inevitably succeeds.

1. Strengthen the Human Firewall (Targeting Social Engineering)

Following on from Edition 1, the most powerful defence remains the trained employee.

Key actions:

  • Enforce MFA on all critical systems (email, VPNs, privileged accounts).
  • Implement phishing-resistant MFA to counter social engineering and SIM-swap attacks. The NCSC has published useful information on enhanced MFA methods.
  • Move beyond basic phishing tests and adopt strict verification protocols for high-value transactions (e.g. mandatory call-back on a known number for any fund transfer request).

2. Master the Supply Chain (Targeting Third-Party Risk)

Reduce exposure by vetting the ecosystem.

Key actions:

  • Conduct regular security audits of all third-party vendors (proportionate to access level).
  • Strictly limit third-party account permissions to what's necessary.
  • Isolate third-party access to reduce lateral movement across core environments.

3. Operationalise Response and Recovery (Targeting Downtime)

In a world where disruption is the primary weapon, the speed of recovery is key, and adopting the principle of Zero Trust is essential. The NCSC has published a guide on Zero Trust.

Key actions:

  • Assume no user, device, or system is inherently trustworthy.
  • Maintain offline, tested backups that cannot be encrypted by live ransomware.
  • Maintain a detailed, rehearsed Incident Response Plan with clear escalation paths.

The New Mandate: Cyber resilience is business resilience

The sustained operational disruption and financial impact of 2025 mark a permanent strategic pivot. Cyber resilience is no longer just an IT function; it is directly tied to operational continuity.

Organisations should focus on:

  • Adopting Zero Trust: the weakest link is often identity or third-party access.
  • Rapid detection, containment, and recovery: 100% prevention is unfeasible.
  • Enforcing phishing-resistant MFA and out-of-band verification protocols.

The incidents of 2025 confirm that cyber resilience is now a business-critical, executive-led responsibility. With a proactive focus on human training, supply chain security, and rapid recovery, organisations can shift from reactive targets to architects of robust cyber resilience.

Learn More

Visit the NCSC's 10 Steps to Cyber Security to explore best-practice recommendations and additional guidance.