While company executives reassured stakeholders with familiar refrains of 'swift action' and 'no card data lost' throughout 2025's major breaches, the technical reality being managed several layers below told a different story. The gap between public messaging and operational truth has never been wider, and that gap is where the next generation of cyber risk is taking root. Let’s discuss:
The first half of 2025 marked a significant evolution in the cybersecurity threat landscape. Notwithstanding the profound evolution brought about by AI (some might argue ‘revolution’ – as discussed before), some of the UK's most recognisable organisations, ranging from supermarkets to luxury retail, automotive and telecommunications, have faced public and high-impact cyberattacks.
News headlines, as usual, focused on outages, customer disruption, and speculation about ransom demands, while public statements leaned on standardised scripts: "swift action," "no card data lost," "services being restored." Yet the operational impacts ran far deeper, carrying consequences not only in direct financial losses but also in reputational damage and longer-term strategic erosion.
Peeling back the layers to expose the underlying (in)security trends, a more consequential story emerges. These incidents were not merely uniform ransomware repeats as seen in years past. Instead, they reveal threat actors testing new approaches, defenders making unorthodox choices – some wise, some less so – and systemic weak points being exploited in ways that boards and CISOs cannot afford to ignore. Yet the familiar security theatre with its focus on reassurance and compliance messaging obscures these deeper patterns that should be driving strategic cybersecurity decisions.
If incident response is instrumental to the theatre, meaning reactive processes remodelled and baselined on established playbooks and past experiences, then these events are the cracks in the stage. They show us where the script is failing and where the performance is lacking authenticity.
The reflections that follow are drawn from a comparative analysis of five high-profile UK incidents in 2025: Marks & Spencer, the Co-operative Group, Harrods, Jaguar Land Rover, and Colt Technology Services. Each was different in industry, scale, and impact, but together they provide a useful cross-section of how contemporary threat actors operate, where defenders are pressured into new decisions, and what systemic weaknesses are repeatedly exposed. The aim here is not to retell headlines, re-analyse attack timelines, or speculate on attribution, but to surface what I can identify as the opaque trends that cut across cases; i.e. the real signals that matter for CISOs, boards, and risk leaders setting strategy beyond the current incident-response cycle.
Together, they map the security horizon: the terrain on which the next phase of cyber risk will play out.
1. Identity resets are now critical infrastructure
In three of the retail cases, the fulcrum was not a sophisticated exploit but a simple process: password resets and MFA method changes handled by help desks. Attackers socially engineered help-desk staff to reset credentials or remove MFA devices, and with that, the entire defensive stack was bypassed. This again highlights the obvious: humans remain a weak link. The intention behind these processes is always benign (reduce employee frustration, avoid IT being a hindrance to operations, reduce support friction), but the consequences are far-reaching. As so often in cybersecurity, the challenge lies in identity management.
We are used to thinking of identity as a control layer. It is time to accept that identity reset workflows are the control plane. They carry the same systemic weight that firewalls once did. Yet in many enterprises, these flows are delegated to outsourcers, measured on call-handling time, protected with little more than caller-ID heuristics, and governed by playbooks that can be bypassed in the interest of “smoothing out customer experience”.
The strategic horizon demands a reclassification: identity resets must be treated as Tier-0 infrastructure, requiring dual approval, out-of-band verification, and continuous audit.
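What a Tier-0 reset workflow looks like in code is easier to reason about than to describe. The following is an added illustration, not code from the article or from any of the organisations discussed: a constructed model of a help-desk reset request that cannot complete without an out-of-band code bound to the ticket, a second approver who is not the agent who opened the ticket, and an append-only audit trail that records rejections as well as successes. The key, ticket numbers, account and agent names are all assumptions.

```python
"""Constructed model of a Tier-0 credential/MFA reset workflow: dual approval,
out-of-band verification and an append-only audit trail. Names, tickets and
the key below are assumptions made for this illustration."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional

# Assumption: in production this key lives in a secrets manager or HSM.
OOB_KEY = b"constructed-demo-key-not-for-real-use"


class ResetPolicyError(Exception):
    """A reset was attempted without satisfying the Tier-0 controls."""


@dataclass
class ResetRequest:
    ticket: str
    user: str                      # account whose credential/MFA is being reset
    kind: str                      # "password" or "mfa_device"
    opened_by: str                 # help-desk agent who raised the ticket
    approved_by: Optional[str] = None
    oob_verified: bool = False
    completed: bool = False


@dataclass
class ResetControlPlane:
    audit: list = field(default_factory=list)
    _pending_codes: dict = field(default_factory=dict)

    def _log(self, ticket: str, event: str, actor: str) -> None:
        # Append-only: every state transition, including rejections, is recorded.
        self.audit.append({"ticket": ticket, "event": event, "actor": actor})

    def open(self, req: ResetRequest) -> ResetRequest:
        self._log(req.ticket, "opened", req.opened_by)
        return req

    def issue_oob_code(self, req: ResetRequest) -> str:
        """Generate a one-time code bound to this ticket. It would be delivered
        over a channel the caller does not control (registered mobile, line
        manager); it is returned here only so the demo can present it."""
        nonce = secrets.token_hex(8)
        msg = f"{req.ticket}:{req.user}:{nonce}".encode()
        code = hmac.new(OOB_KEY, msg, hashlib.sha256).hexdigest()[:8]
        self._pending_codes[req.ticket] = code
        self._log(req.ticket, "oob_code_issued", "system")
        return code

    def verify_oob(self, req: ResetRequest, presented: str) -> None:
        expected = self._pending_codes.pop(req.ticket, None)
        if expected is None or not hmac.compare_digest(expected, presented):
            self._log(req.ticket, "oob_verification_failed", "system")
            raise ResetPolicyError("out-of-band verification failed")
        req.oob_verified = True
        self._log(req.ticket, "oob_verified", "system")

    def approve(self, req: ResetRequest, approver: str) -> None:
        # Dual approval: the agent who opened the ticket cannot approve it.
        if approver == req.opened_by:
            self._log(req.ticket, "self_approval_rejected", approver)
            raise ResetPolicyError("requester cannot approve their own reset")
        req.approved_by = approver
        self._log(req.ticket, "approved", approver)

    def complete(self, req: ResetRequest, actor: str) -> bool:
        # The reset executes only once every control has been satisfied.
        if not req.oob_verified or req.approved_by is None:
            self._log(req.ticket, "completion_blocked", actor)
            raise ResetPolicyError("missing out-of-band verification or second approval")
        req.completed = True
        self._log(req.ticket, f"{req.kind}_reset_completed", actor)
        return True


def run_demo() -> dict:
    """Constructed scenario: one compliant reset and one single-agent attempt."""
    plane = ResetControlPlane()

    good = plane.open(ResetRequest("T-1001", "j.smith", "mfa_device", "agent_a"))
    code = plane.issue_oob_code(good)
    plane.verify_oob(good, code)           # user confirms via their own channel
    plane.approve(good, "agent_b")         # second pair of eyes
    plane.complete(good, "agent_a")

    # A single agent, talking to a convincing caller, tries to push the reset
    # through alone: no out-of-band step, and self-approval is rejected.
    bad = plane.open(ResetRequest("T-1002", "j.smith", "password", "agent_a"))
    blocked = []
    for action in (lambda: plane.approve(bad, "agent_a"),
                   lambda: plane.complete(bad, "agent_a")):
        try:
            action()
        except ResetPolicyError as exc:
            blocked.append(str(exc))

    return {"good_completed": good.completed, "bad_completed": bad.completed,
            "blocked": blocked, "audit_events": len(plane.audit)}


if __name__ == "__main__":
    print(run_demo())
```

The point of the audit list is that the blocked attempt leaves the same kind of trace as the successful one; a help desk measured only on call-handling time would never see the second ticket, whereas a continuously audited control plane surfaces it as a signal in its own right.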
2. MSPs and software supply chains are today's perimeter
We no longer own our entire defensive perimeter (if you can find it – the traditional perimeter is vanishing [1]). In the Marks & Spencer case, third-party accounts were the suspected vector. Co-op, Harrods, and Jaguar Land Rover all shared a common denominator in a managed service provider. Colt's incident, by contrast, came via an unpatched SharePoint zero-day.
These two threads – managed service providers and software dependencies – are often discussed separately, but they represent the same phenomenon: we have externalised our perimeter. Whether through direct outsourcing or software supply chain, we have handed trust to entities whose controls and patch cycles we do not govern.
‘Cyber Essentials’ badges and supplier security questionnaires cannot carry that weight, and even SOC reports will not meet this bar. Contracts must demand technical parity: the same reset policies, the same telemetry and the same patch urgency that we would demand of ourselves, encoded in contracts, SLAs and OKRs. SBOMs and signed builds must become routine, not academic. The perimeter is not where your firewall sits; it is wherever your supplier or your code is weakest.
3. Extortion without detonation
Traditional ransomware economics relied on encrypting data and offering a decryption key, or on double extortion (demanding payment both for the decryption key and for not selling the stolen data). But in both Co-op and Colt, leverage was created without ever triggering encryption. At Co-op, a membership database provided the bargaining chip. At Colt, attackers exfiltrated contracts and network diagrams and auctioned them to the highest bidder, indicating a shift in the underlying economic model.
These incidents demonstrate that detonation is optional. Exfiltrating even a small but leverage-dense dataset is enough to drive extortion. This shifts the impact horizon: we cannot measure exposure only in terms of encryption events. We must elevate targeted exfiltration to the same category of risk.
The strategic horizon here is clear: data leakage detection, segmentation of crown-jewel datasets, and rapid detection of unusual export patterns matter more than ever. The next extortion may require only a gigabyte, not a petabyte.
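The two detection ideas in that paragraph, unusual export patterns and the special status of crown-jewel datasets, combine naturally into one rule set. What follows is an added example, not code from the article or from any of the organisations named: it runs over a constructed export log in which one account spikes to a thousand-fold its baseline and another pulls only five megabytes of network diagrams, and flags both. The dataset names, account names and the allow-list are assumptions.

```python
"""Constructed example: per-account export volume against its own baseline,
plus a crown-jewel access rule, evaluated over sample export-log records."""
import statistics
from collections import defaultdict

# Constructed export log: (day, account, dataset, megabytes_exported).
EXPORT_LOG = [
    *[(d, "svc_backup", "membership_db", mb) for d, mb in
      zip(range(1, 8), (480, 520, 500, 510, 490, 500, 500))],
    *[(d, "analyst1", "sales_reports", mb) for d, mb in
      zip(range(1, 8), (18, 22, 20, 19, 21, 20, 20))],
    *[(d, "contractor_msp", "vendor_docs", mb) for d, mb in
      zip(range(1, 8), (3, 2, 4, 3, 3, 2, 4))],
    # Day 8: the backup job runs as usual, but two accounts reach into
    # leverage-dense datasets, one with an obvious volume spike, one without.
    (8, "svc_backup", "membership_db", 510),
    (8, "analyst1", "membership_db", 1200),
    (8, "contractor_msp", "network_diagrams", 5),
]

# Crown-jewel datasets and the only accounts expected to export them (assumption).
CROWN_JEWELS = {
    "membership_db": {"svc_backup"},
    "network_diagrams": {"netops_admin"},
    "customer_contracts": {"legal_ops"},
}
BASELINE_DAYS = range(1, 8)


def daily_totals(log):
    """account -> day -> total MB exported."""
    totals = defaultdict(lambda: defaultdict(float))
    for day, account, _dataset, mb in log:
        totals[account][day] += mb
    return totals


def detect_export_anomalies(log, baseline_days, target_day, z_threshold=3.0):
    """Return {account: [reasons]} for accounts that merit an analyst's attention."""
    totals = daily_totals(log)
    alerts = defaultdict(list)

    # Rule 1: any export of a crown-jewel dataset by an unexpected account,
    # regardless of size. A few megabytes of network diagrams is enough leverage.
    for day, account, dataset, _mb in log:
        if (day == target_day and dataset in CROWN_JEWELS
                and account not in CROWN_JEWELS[dataset]):
            alerts[account].append(f"crown_jewel:{dataset}")

    # Rule 2: today's volume far above the account's own historical baseline.
    for account, per_day in totals.items():
        history = [per_day.get(d, 0.0) for d in baseline_days]
        mean = statistics.fmean(history)
        sd = max(statistics.pstdev(history), 1.0)   # floor avoids divide-by-zero
        today = per_day.get(target_day, 0.0)
        z = (today - mean) / sd
        if z > z_threshold:
            alerts[account].append(f"volume_z:{z:.0f}")

    return dict(alerts)


if __name__ == "__main__":
    for account, reasons in detect_export_anomalies(EXPORT_LOG, BASELINE_DAYS, 8).items():
        print(account, reasons)
```

The second rule alone would have missed the contractor: five megabytes is well within noise. The first rule catches it because the question is not "how much left?" but "who touched what?", which is exactly the shift from measuring encryption events to measuring targeted exfiltration.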
4. Criminal brand fluidity creates operational uncertainty
DragonForce, Scattered Spider, WarLock: these names and banners blurred into one another across these incidents, and classical delineation is no longer possible. In some cases, the same tools and TTPs appeared under multiple brands. In others, attackers recycled old screenshots to claim responsibility. This brand fluidity is more than a technical footnote; it fundamentally undermines negotiation, insurance claims, and regulatory reporting.
When attribution is structurally uncertain, critical questions become unanswerable: Who actually holds the encryption key? Who owns the stolen data? Who can enforce deletion? The old phrase applies: "Hackers always lie, but that doesn't mean they're 100% wrong."
For CISOs, this demands new playbooks that don't assume coherent branding. Always analyse samples of stolen data to establish origin, never discard the possibility that the data leak involved insiders, prepare for re-extortion attempts from different groups claiming the same data, and consider planting canary documents with beaconed strings to detect resale. Pressuring insurers and regulators to acknowledge affiliate fluidity as a systemic uncertainty is equally critical. The days of neat attribution categories are ending; aside from possibly helping to clarify broad threat-actor motivation, attribution itself becomes an academic exercise.
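Establishing the origin of a leaked sample and detecting resale are two sides of the same mechanism: each copy of a sensitive document set carries its own marker. The following is an added illustration, not code from the article or any organisation it discusses: per-recipient canary tokens are derived with an HMAC so the registry can be rebuilt from the key, embedded as a reference line and a beacon link, and later matched against text that two different extortion brands claim as their own. The key, the beacon host, the recipient names and the sample contract text are all assumptions.

```python
"""Constructed example: per-recipient canary tokens minted with an HMAC so a
leaked sample can be traced to the copy it came from. Key, beacon host and
recipient names are assumptions; the beacon host is a placeholder."""
import hashlib
import hmac
import re

CANARY_KEY = b"constructed-demo-key-not-for-real-use"   # assumption: kept in a vault
BEACON_HOST = "canary.example.invalid"                   # placeholder host
_REGISTRY = {}                                            # token -> {dataset, recipient}
_TOKEN_RE = re.compile(r"\b[0-9a-f]{16}\b")


def mint_canary(dataset: str, recipient: str) -> str:
    """Deterministic per-copy token: the same dataset+recipient always yields
    the same token, so the registry can be regenerated from the key if lost."""
    token = hmac.new(CANARY_KEY, f"{dataset}|{recipient}".encode(),
                     hashlib.sha256).hexdigest()[:16]
    _REGISTRY[token] = {"dataset": dataset, "recipient": recipient}
    return token


def watermark(document: str, token: str) -> str:
    """Embed the token as an innocuous reference line plus a beacon link; a
    fetch of that link from outside the estate is the resale signal."""
    return f"{document}\nDocument ref: {token}\nPolicy: https://{BEACON_HOST}/p/{token}\n"


def attribute_sample(sample: str) -> list:
    """Given text claimed to be stolen data, return the registered copies it matches."""
    tokens = set(_TOKEN_RE.findall(sample))
    return sorted((_REGISTRY[t] for t in tokens if t in _REGISTRY),
                  key=lambda m: (m["dataset"], m["recipient"]))


def build_copies() -> dict:
    """Constructed: one contract set issued to two MSPs and to internal legal."""
    base = "Master services agreement, Q1 pricing schedule (constructed sample text)."
    return {r: watermark(base, mint_canary("contracts_q1", r))
            for r in ("msp_alpha", "msp_beta", "internal_legal")}


def run_demo() -> dict:
    copies = build_copies()
    # Two different extortion "brands" post excerpts of the same copy weeks apart.
    claim_1 = "LEAK PREVIEW:\n" + copies["msp_beta"][-80:]
    claim_2 = "we have your files\n" + copies["msp_beta"][-120:]
    return {
        "claim_1": attribute_sample(claim_1),
        "claim_2": attribute_sample(claim_2),
        # A hex string that is not a registered token must not attribute to anyone.
        "unmarked": attribute_sample("no tokens in here, just noise 0123456789abcdef"),
    }


if __name__ == "__main__":
    print(run_demo())
```

When the second "group" turns up claiming the same data, the matching token tells you it is the same copy, whichever banner it flies under; and because the token names a recipient rather than a brand, the insider or supplier hypothesis is tested by the evidence rather than by the attacker's story.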
5. Kill-switches are part of continuity planning
Two of the UK incidents stand out not for what attackers did, but for what defenders chose. Harrods immediately restricted internet access across its estate, accepting some payment disruption in order to cut off exfiltration. Jaguar Land Rover initiated a global IT shutdown, halting production to contain suspected identity compromise. Expensive? Yes. Effective at averting a longer operational outage, wider customer disruption and deeper economic losses? A resounding yes.
These are noteworthy decisions. Historically, boards have flinched at the idea of self-disruption, preferring to keep systems alive "until we know for sure." But Harrods and JLR show that mature defenders are willing to pull the plug first, if it prevents systemic compromise. JLR's production remains disrupted more than two weeks after the attack was made public (at the time of publishing this article), with material production impacts expected to last until October. Marks & Spencer took 15 weeks to fully restore online services, with online orders completely halted for over six weeks. It is no surprise that disruption costs money, but when a broader compromise is (inadvertently) allowed through analysis-paralysis, the recovery becomes far more expensive. Some painful decisions need to be taken fast.
This demands a rethinking of continuity planning: cyber kill-switches are no longer taboo; they must be designed, rehearsed, and integrated into business continuity drills. Continuity with constrained services is preferable to continuity with compromised trust.
6. Sector-specific chokepoints are the true attack surface
A more profound insight here is that the attacks reveal that the true prize isn't always the data; it's the chokepoints. This requires defenders and security architects to reconsider the traditional cybersecurity operational models. What the threat actors chose to disrupt was not random. At Marks & Spencer, it was e-commerce and fulfilment. At Co-op, stock and replenishment. At Harrods, payments. At JLR, manufacturing ERP and MES. At Colt, customer portals and APIs.
Attackers are mapping and exploiting sector-specific chokepoints: the points where downtime translates most quickly into leverage. Too often, boards and CISOs still talk in terms of "crown jewels" or “critical business services” (customer data, financials, or overly broadly defined services) while under-investing in the chokepoints that keep the business running. And perhaps what makes these types of targeted attacks so successful is that the business continuity plans are often woefully inadequate to address these chokepoint disruptions, including simpler supply-chain disruptions.
The strategic horizon requires threat modelling around your chokepoints, which must cover internal business services and operations but also the dependencies on suppliers and supply chains that enable those services to operate. If you were an adversary, where would you apply pressure? Red teams must be tasked with those scenarios, not generic pen tests – moving from traditional penetration testing to offensive security.
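The "where would you apply pressure?" question has a mechanical answer once the dependency map exists. The following is an added example, not code from the article or from any of the companies discussed: a constructed dependency map of a retailer-cum-manufacturer in which some nodes are supplier-operated, and a ranking of every node by how many revenue-generating services stop if that single node is disrupted. The node names, the edges and the supplier-operated set are assumptions; the edge from the identity provider to the MSP help desk models the trust dependency described under point 1.

```python
"""Constructed example: a service-dependency map (internal systems plus
supplier-operated ones) used to rank chokepoints by the business services
that stop when a single node is disrupted. Node names are assumptions."""

# Constructed dependency map: node -> nodes it cannot operate without.
DEPS = {
    "online_orders":      {"web_storefront", "payments_gateway", "fulfilment_wms"},
    "store_payments":     {"payments_gateway", "pos_terminals"},
    "manufacturing_line": {"mes", "erp"},
    "web_storefront":     {"identity_provider", "cdn"},
    "payments_gateway":   {"identity_provider", "acquirer_link"},
    "fulfilment_wms":     {"erp"},
    "erp":                {"identity_provider", "erp_vendor_support"},
    "mes":                {"erp", "plc_network"},
    "pos_terminals":      {"store_network"},
    # Trust dependency: whoever can reset credentials effectively controls the IdP.
    "identity_provider":  {"msp_helpdesk"},
}
BUSINESS_SERVICES = {"online_orders", "store_payments", "manufacturing_line"}
SUPPLIER_OPERATED = {"msp_helpdesk", "erp_vendor_support", "cdn", "acquirer_link"}


def all_nodes(deps=DEPS):
    return set(deps) | {d for ds in deps.values() for d in ds}


def is_up(node, failed, deps=DEPS):
    """A node is up only if it has not failed and every dependency is up."""
    def walk(n, seen=frozenset()):
        if n in failed:
            return False
        if n in seen:            # cycle guard: do not loop forever on bad maps
            return True
        return all(walk(d, seen | {n}) for d in deps.get(n, ()))
    return walk(node)


def blast_radius(failed_node, deps=DEPS, services=BUSINESS_SERVICES):
    """Business services that stop when a single node is disrupted."""
    return {s for s in services if not is_up(s, {failed_node}, deps)}


def rank_chokepoints(deps=DEPS, services=BUSINESS_SERVICES):
    """Nodes ordered by how many business services they can take down."""
    ranked = [(n, blast_radius(n, deps, services)) for n in all_nodes(deps)]
    ranked.sort(key=lambda item: (-len(item[1]), item[0]))
    return ranked


def report(deps=DEPS, services=BUSINESS_SERVICES):
    """Human-readable ranking, marking nodes the organisation does not operate."""
    lines = []
    for node, hit in rank_chokepoints(deps, services):
        if not hit:
            continue
        tag = " (supplier-operated)" if node in SUPPLIER_OPERATED else ""
        lines.append(f"{node}{tag}: {len(hit)} service(s) -> {sorted(hit)}")
    return lines


if __name__ == "__main__":
    print("\n".join(report()))
```

On this map the two nodes that take down every business service are the identity provider and the MSP help desk that can reset its credentials, neither of which appears on a classic "crown jewels" list. The ranking is what a red team should be scoped against, and the supplier-operated tag is what the contract clauses under point 2 need to cover.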
7. Security theatre still blinds boards to structural risk
Public communications continue to emphasise what was not lost: “no card data,” “no passwords.” These statements are technically true, but they obscure what really happened: identity integrity was broken, suppliers represented attack paths, and small data sets provided leverage.
This theatre is not malicious. It is how organisations protect reputations, reassure customers, and meet regulatory minimums. But it also conditions boards to focus on the wrong things. The headlines and dashboards hide the shifts that matter most: the fragility of identity and authentication, the expansion of the de facto perimeter through SaaS and outsourced services, and the reality that extortion no longer requires encryption or ransomware.
The strategic horizon requires companies to rethink the traditional cybersecurity playbooks and link them more profoundly to the company’s structural resilience. For boards, that means demanding a different class of answers from CISOs:
Are cyber kill-switches designed and rehearsed as part of continuity? What are the business continuity considerations for deliberately enacted production halts?
Do suppliers operate under the same access parity and telemetry as in-house staff? How well do contracts empower IT or cybersecurity to enforce operational compliance or service level agreements with vendors, or even to red-line engagements, up to and including vendor exit?
Is our SDLC aligned to SBOM-first assurance and days-level patch cycles for internet-facing assets? Traditional maintenance windows don’t grow on trees, and although change windows can be forced internally, how aligned are the vendors to patching on that same accelerated timeline?
Do we understand risks in software lineage at ERP/PLM edges, not just in “crown jewels”? As JLR and Co-op experienced, how well do the BCPs cover safely taking online ordering, ERP, PLM or PDM offline, paired with graceful operational fallbacks?
The Security Horizon
With hundreds of incidents reported weekly, it is tempting to treat these five as another round in the endless cycle of breaches and press releases. But the hidden currents show something deeper that must not be brushed aside: there are strategic insights here that we must not overlook. The problem is not just in the malware or the ransom note. It lies in how we build, delegate, and measure our defences.
Identity resets must be elevated to critical infrastructure. Supplier and software controls must be treated as sovereign perimeters. Kill-switches must be normalised in continuity planning. Chokepoints must be mapped and defended as rigorously as financial systems.
For boardrooms, this shift can begin with a few sharp questions:
Identity: How do we verify that password, secrets (incl. API keys) and MFA resets – whether handled in-house or by a provider – are subject to the same level of scrutiny and audit as our financial approvals?
Suppliers: What visibility do we have into our MSPs and software vendors, and can we independently verify their security posture rather than relying on badges or contracts?
Continuity: If we had to pull a cyber kill-switch tomorrow, could we still operate in a constrained but trusted state, and when was the last time we rehearsed it?
These are not technical questions. They are questions of governance, resilience, and strategy. And the answers will determine whether organisations continue to perform the same play, or begin to re-engineer the stage on which it unfolds.
If we fail to make these shifts, the theatre will continue: polished statements on the surface, structural weakness underneath. The choice before us is whether to keep rehearsing the script or start engineering the stage itself.
[1] “We had pressure of people inside the corporation needing to access systems outside, and people outside the corporation network needing to access systems that were being run by the corporation.” Eventually, “the perimeter started to become a little bit grey because at some point you are not using systems that are nicely delineated” (Paul Dorey, interview, 2022). Spencer, M. and Pizio, D. (2023). The de-perimeterisation of information security: the Jericho Forum, zero trust, and narrativity. Social Studies of Science, 54(5), 655-677. https://doi.org/10.1177/03063127231221107