Cyber security isn't just about tools and systems. Engaged and confident people play a major role in protecting our organisation and making it safer and harder to compromise. This series invites you to boost your essential cyber security knowledge and reinforce best practices in our workforce. Together, we can continue building a positive security culture where everyone feels responsible for protecting our data.
2025 proved to be a watershed year for cyber security in the UK. The question for businesses has shifted from “if” they will be targeted, to “when”, and how quickly they can recover.
The sophisticated attacks that crippled household names like M&S, Harrods, the Co-op, and Jaguar Land Rover serve as a brutal lesson: a strong perimeter is no longer enough. These incidents showcased three critical vulnerabilities:
| Vulnerability | What it looks like | Why it matters |
|---|---|---|
| Supply chain exposure | Third parties with access become the entry point | Your security posture is only as strong as your weakest vendor |
| The human element | Social engineering and help-desk compromise | A single identity failure can escalate into full business disruption |
| Operational disruption (OT impact) | Attacks halt production and core services | Threat actors aim for maximum downtime, not just stolen data |
The Harrods incidents, in both May and September, in which up to 430,000 customer records were exposed via a third-party provider, demonstrated that an organisation's security posture is only as strong as its weakest vendor. Similarly, JLR's major disruption rippled across its extensive automotive supply chain.
M&S was hit by a major ransomware attack believed to have begun with social engineering that tricked an IT help-desk employee or third-party contractor into granting access. This single point of failure caused the suspension of online orders and impacted in-store payments for weeks. The Co-op was breached by similar tactics in April.
The JLR attack was particularly stark, forcing the shutdown of its global IT and production systems. This confirmed the shift in focus for threat actors from merely stealing data to achieving maximum operational disruption, proving that a digital breach can halt a physical production line.
The common thread running through major 2025 breaches was the highly effective cybercriminal group, Scattered Spider (also known as Octo Tempest). This group redefined the entry point for major breaches, not through complex zero-day exploits, but through compromising the human element.
Scattered Spider is composed of native English speakers, enabling them to execute highly sophisticated and persistent vishing (voice phishing) and social engineering attacks. They target IT help desks and corporate communication channels, impersonating employees or privileged users to trick staff into resetting passwords or transferring Multi-Factor Authentication access to a device they control.
Beyond the headline attacks, the threat landscape has been reshaped by rapid technological and tactical evolution. The mainstreaming of generative AI tools has lowered the barrier to entry for cybercrime.
Threat actors are now leveraging AI for:
Attacks focusing on compromised identities have surged. This includes exploiting identity and access management systems and the persistent use of social engineering to bypass Multi-Factor Authentication or gain initial access.
By compromising a single identity, threat actors gain access, bypass perimeter security, and then escalate privileges rapidly to deploy ransomware and execute double extortion schemes, encrypting systems and threatening to leak sensitive data.
Ransomware groups have adopted a highly professional, service-based model. They specialise in high-leverage targets like critical infrastructure, where the pressure to pay for operational continuity is immense.
Many now operate Ransomware-as-a-Service (RaaS), where creators license malware tools and infrastructure to affiliates in exchange for a fee. It operates like a standard Software-as-a-Service model, but with malicious intent. This lowers the barrier to entry and increases the volume of attacks, making threats more widespread and difficult to track.
Despite advances in AI, it still struggles to render real-world physical details and human expressions convincingly. ESET has released guidance outlining the essential signs to look for when spotting deepfakes.
The incidents of 2025 highlight that the focus must shift from pure prevention to holistic resilience, planning not only to stop the attack, but to contain it rapidly when it inevitably succeeds.
Following on from Edition 1, the most powerful defence remains the trained employee.
Reduce exposure by vetting the third-party ecosystem.
In a world where disruption is the primary weapon, the speed of recovery is key, and adopting the principle of Zero Trust is essential. The NCSC has published guidance on Zero Trust architecture.
The sustained operational disruption and financial impact of 2025 mark a permanent strategic pivot. Cyber resilience is no longer just an IT function; it is directly tied to operational continuity.
Organisations should focus on:
The incidents of 2025 confirm that cyber resilience is now a business-critical, executive-led responsibility. With a proactive focus on human training, supply chain security, and rapid recovery, organisations can shift from being reactive targets to becoming architects of robust cyber resilience.
Visit the NCSC's 10 Steps to Cyber Security to explore best-practice recommendations and additional guidance.