Threat Landscape & Insights

Organisations are connected to more than ever before meaning supply chains have expanded and so too has the level of risk associated with these diverse supply chains.

Cloud services, managed service providers, SaaS platforms, open source software and outsourced business functions now form part of an extended digital supply chain that sits well beyond the traditional network perimeter. According to recent industry analysis by DeepStrike, third party involvement is now present in approximately 30% of all data breaches, double the proportion seen just a few years ago.

More concerning still, research from IBM shows that breaches involving supply chain compromise are typically more expensive and take longer to contain than other incidents. While the global average cost of a data breach currently sits at roughly $4.44 million, breaches via supply chains are uniquely more damaging. A supply chain compromise is one of the most significant factors that amplifies the total cost of a breach. In the UK it can cost an organisation an additional average of £241,620. (source: DeepStrike)

According To IBM’s Cost of a Data Breach Report 2025 it takes an average of 267 days to identify and contain a breach. As attackers increasingly exploit trusted relationships, instead of relying solely on technical vulnerabilities, supply-chain risk is now one of the most critical cyber security challenges for organisations of any size.

Supply chain cyber risk refers to the exposure an organisation faces as a result of its reliance on third‑party suppliers, vendors, partners, and software components. Rather than attacking a target directly, threat actors compromise a supplier and leverage the trust relationship to gain access to downstream victims.

Supply chain attacks have become an increasingly common and damaging tactic among cyber criminals. These breaches highlight just how vulnerable organisations can be when the security of their partners, vendors, and software providers is compromised.

Understanding supply chain risk begins with achieving full visibility across all third-party services and suppliers your organisation relies upon. Identifying these critical relationships is essential, as gaps in awareness can expose internal systems and sensitive data to external threats.

Assessing each supplier’s security maturity and posture helps clarify potential vulnerabilities, while evaluating how easily attackers might exploit these connections provides insight into your overall risk profile.

Importantly, your industry or sector also shapes the likelihood and nature of supply chain attacks. Certain fields, such as finance or healthcare, face heightened targeting due to the value of their assets and data. Proactive supply chain risk assessment empowers organisations to anticipate, mitigate, and respond to threats more effectively.

In 2025, we saw some of the most recognisable brands in the UK and beyond hit the headlines for all the wrong reasons.

Cyber attacks cost the British economy billions each year and the impact is felt far beyond the organisations that fall victim. When a major business is disrupted, the ripple effects reach suppliers, partners, and entire sectors of the economy.

In a recent webinar, Sales Director Adam Myers was joined by CTO Ryan Bradbury to unpack four major breaches – Marks and Spencer, Co-op, Jaguar Land Rover and Oracle – and what they reveal about the evolving threat landscape.

For IT leaders, CISOs and boards, the lessons are clear; cyber security resilience in 2026 is not just about the right tools; it is about removing blind spots, strengthening human behaviour, and maintaining continuous visibility.

Across all four incidents, one shared truth stood out. Attackers are not only trying to force their way through hardened perimeters, they are also exploiting small gaps in identity, communication, and process.

Rather than relying on malware or brute force, threat actors impersonated employees, targeted pressured help desk teams, and leveraged stolen credentials. These tactics work because they exploit human behaviour and the real-world pressures teams face.

For leaders, this reinforces the importance of a cyber security culture where teams feel confident to pause, challenge and verify – and where processes are stress tested, not just documented.

Generative AI is changing the game. Is it helping defenders more than attackers? Dive into the risks, opportunities, and real-world impact of AI on cyber security.

Dave Mareels, Senior Director of Product Management at Sophos, joins the podcast to explore how generative AI is reshaping the cyber threat landscape.

The April 2025 M&S breach began with attackers impersonating employees to a third-party IT provider. Attackers acquired passwords through social engineering, bypassing normal checks, and enabling them to move laterally to access data before launching ransomware. 

This incident highlights a reality many leaders recognise. Even with the right technical controls are in place, people under pressure can unintentionally override them. It is why traditional one-off training is no longer enough.

Organisations now need continuous security awareness programmes, realistic phishing simulations, and tabletop scenario testing to prepare teams for high-pressure decisions. 

Turn incident response planning into a focused, hands‑on exercise.

Combine a posture assessment with phishing simulations, Live Hack demo, and a HackRisk.ai scan in an engaging tabletop session for your leadership team – followed by an executive‑ready report and action plan.

Not role‑play. Real data. Real insight.

Just weeks later, Co-op faced a near identical social engineering breach. Attackers reused the same techniques because, simply, they work. This reflects a broader trend where criminal groups increasingly share successful approaches, leaked credentials and intelligence, creating an economy built on repetition. 

For CISOs and leaders, this means resilience requires continuous reinforcement. Training cannot be quarterly. Help desk teams cannot rely solely on process. Identity verification cannot rest on assumptions that someone “sounds legitimate”. 

The point is not to blame teams, but to support them with clear processes, role-specific training, and communication channels that make it easy to raise suspicions early. 

The major August 2025 breach at Jaguar Land Rover was triggered by stolen credentials and allowed attackers to cause a full production shutdown. The real issue wasn’t one single vulnerability, but a chain of exposures that went unnoticed. 

Many organisations still lack full visibility of their internet facing assets or whether their credentials have already leaked. By the time a breach becomes visible, attackers may have been conducting reconnaissance for months. 

This is where continuous attack surface monitoring, dark web intelligence and automated reconnaissance become essential. Annual assessments may provide a snapshot into security, but modern attackers exploit the other 364 days too. 

October 2025 saw attackers exploit an unpatched zero-day vulnerability in Oracle’s eBusiness suite, affecting major organisations across the globe. This incident reinforces a tough truth; even highly mature organisations can be vulnerable when assets are not fully inventoried and internet facing systems are not continuously assessed.

For boards, this underlines the value of visibility as a strategic investment. You cannot protect what you cannot see.

Across all four incidents, one theme appeared again and again; these breaches didn’t stem from a single technical failure. They were the result of gaps between people, process and technology. 

Leaders should consider three strategic priorities: 

1. Strengthen human resilience
   Modern attacks target behaviour as much as systems. Regular tabletop exercises, redteam engagements and realistic training programmes help teams think clearly under pressure. 
2. Remove visibility blind spots
   Unknown assets, exposed credentials and unmonitored suppliers are now among the most common root causes of major incidents. Visibility is no longer a technical function, but aboard level priority. 
3. Treat cyber security as a continuous journey
   Pointintime assessments are valuable, but insufficient. Continuous scanning, dark web monitoring, and real-time risk tracking help organisations act before attackers do.  

Services like Sophos MDR provide expert-led 24/7 threat hunting, detection, and response capabilities to automatically block 99.98% of threats.   

Our HackRisk platform is supporting leaders in building proactive security strategies.

Its six interconnected security modules are designed to provide the visibility and continuous oversight the modern threat landscape demands.

Together, these insights create a security picture leaders can confidently act on. It is the difference between reacting to incidents and preventing them.

Only 13 percent of UK businesses assess cyber risks within their immediate suppliers and just 8 percent assess their wider supply chain. Yet, as the Oracle case study shows, devastating breaches now originate through partners long considered low risk.

HackRisk’s Supply Chain Security tools allow organisations to invite suppliers, review their cyber posture, assess accreditations, issue onboarding questionnaires and even run financial credit checks, all in one place. For boards and CISOs, this brings clarity to an area traditionally full of fragmented data and manual chasing.

As Ryan concluded:

Attackers are patient. They observe. They exploit moments where process meets pressure. 

Your defences must do the same. Identify blind spots, strengthen your people, and invest in continuous visibility. These are the steps that prevent your organisation from becoming the next headline.

Data breaches are increasingly common, and news reports frequently highlight these incidents. Millions of email addresses and passwords have been stolen, sold, and shared across the Dark Web. But what exactly is the Dark Web, and what threat does it pose to organisations?

In this article we journey into the depths of this digital Wild West. Much like the lawless frontiers of the past, the Dark Web is a digital landscape where anonymity and illicit activities thrive beyond the reach of many authorities. We explore what the Dark Web is, its role in cyber crime, and recent reports on data leaks. In addition, we cover measures that organisations can take to prevent their most sensitive assets from ending up for sale on the Dark Web.

The Dark Web is a hidden part of the internet that operates outside the bounds of conventional search engines and requires specialised software, configurations, or authorisation for access.

While the Dark Web is home to many legitimate companies, it also contains message boards, online marketplaces for drugs, as well as stolen financial and private data. Transactions within this economy are often made with cryptocurrency and are completely anonymous.

The Dark Web is infamous for its role as a hub for illicit activities, providing anonymity to users engaged in cyber crime, data breaches, and other nefarious deeds. It facilitates a vast market for stolen data, compromised credentials, and hacked accounts. With corporate credit cards, criminals can cause financial damage and make unauthorised purchases. The risk is more than just financial damage from stolen credit cards, with employee details criminals can launch more sophisticated and targeted attacks. Phishing attacks are one of the most common attack methods employed by cyber criminals, and could be the entry point for further compromise to your organisation.

The Dark Web is not just stolen credentials, it also harbours platforms where individuals can hire hackers for various malicious purposes, from launching cyber attacks to conducting espionage. If you can imagine it, it’s probably out there on the Dark Web.

Recent reports from sources like CSO Online and the University of Surrey underscore the growing prevalence of cyber criminal activities on the Dark Web, posing significant threats to enterprises and individuals alike.

Recently, a wave of cyber-attacks has struck some of the UK’s most well-known retailers: Marks & Spencer, the Co-op, and Harrods. These incidents have disrupted services, forced systems offline, and cost millions in lost revenue. They are not just unfortunate timing. They are a wake-up call for not just the retail industry, but for every organisation across the UK.

The message is clear, if the “big guys” can fall victim, anyone can.

Easter Weekend (29–31 March 2025)

Marks & Spencer was the first to experience a major disruption. Over the bank holiday weekend, the retailer suffered a ransomware attack reportedly carried out by the group DragonForce. The incident forced M&S to take its website and apps offline, halting Click & Collect services and disrupting contactless payments and loyalty programmes.

With online sales accounting for approximately £3.8 million per day in its clothing and home division, the financial impact was immediate and substantial. M&S later confirmed that customer data had been stolen, although it clarified that the compromised information did not include passwords or payment details. [Source: BBC]

Wednesday 7 May 2025

The Co-op revealed that it had taken parts of its IT infrastructure offline in response to suspicious activity, as a precaution against a potential cyber attack. Staff were instructed to keep cameras on during remote meetings and to verify all attendees, a signal that the company feared a deeper network compromise. The full nature and scope of the attack have not been publicly confirmed. [Source: BBC News]

Thursday 8 May 2025

Harrods became the third major retailer to confirm an incident. The company reported attempted unauthorised access to its systems. In response, its IT team restricted internet access at its stores as a protective measure. While its flagship Knightsbridge location and online store remained open and functional, the company has not disclosed further technical details or the extent of the attempted breach. [Source: BBC]

Ongoing Disruption

Cyber attacks are often widely disruptive. Customers at M&S have been unable to shop online for over a month, and reports indicate that disruption could last until July. The disruption of this cyber attack is estimated to cost M&S over £300 million. [Source: BBC]

Retail businesses, especially large chains, have become increasingly attractive to cyber criminals.

• They manage large volumes of customer data, including payment information, delivery details and login credentials.
• Their operations are deeply digital, from logistics and inventory management to payment systems and loyalty apps.
• Any downtime causes immediate and visible disruption, creating pressure to resolve incidents quickly, sometimes under ransom demands.

At the recent Manchester Digital E-Commerce Conference, we conducted a live hack on a demo online store to show how quickly a compromise can occur.

Within minutes, our team exposed:

• A misconfigured ecommerce website that was vulnerable to exploitation.
• How an SQL Injection could steal usernames and encrypted passwords.
• How easily we decrypted the passwords due to weak passwords and poor encryption algorithm.
• Weak login process with no 2FA which enabled us to access all details on the account – including address and payment information.

Most successful attacks do not rely on sophisticated exploits and threat actors will almost always for the path of least resistance to establish a foothold. They rely on simple oversights, poor digital hygiene or human error.

Even today, the number one, most prevalent vulnerability facing applications globally are broken access controls according to the Open Worldwide Application Security Project (OWASP) [source: OWASP Top Ten]

While the recent attacks are concerning, they highlight areas where many organisations can make meaningful improvements. Addressing cyber risk doesn’t require a drastic overhaul or reacting with panic.

Instead, it begins with a focused review of your current cyber security posture. You should review the technologies you use, your internal processes, and your existing policies. The priority should be to identify gaps, understand where your most critical assets lie, and take measured, practical steps to reduce risk.

Some of the key steps you should consider are:

• Use Multi-Factor Authentication (MFA) across all admin and critical access points.
• Patch and update all systems regularly, especially third-party plugins and platforms. Utilising patch management software can make this process faster and easier.
• Use 24/7 log monitoring and alerting tools such as a Security Information and Events Management (SIEM) and Early Detection and Response (EDR) solutions across your applications and endpoints that can detect and record anomalous activity such as repeated attempted login failures in real time.
• Conduct regular security audits, penetration tests, and code reviews.
• Segment networks and use monitoring tools to detect abnormal behaviour early.
• Train staff on phishing, social engineering, and access protocols.
• Have an incident response plan in place and test it regularly.

The recent incidents at M&S, Co-op, and Harrods are not anomalies. They are signs of a threat landscape that is growing more aggressive and opportunistic. For any organisation operating online or relying on digital systems, the risk is very real.

At CyberLab, we help businesses strengthen their defences, uncover vulnerabilities before attackers do, and stay ahead of the threat curve.

As the festive season approaches, the excitement surrounding Black Friday, Cyber Monday, and Christmas shopping often leads to a sharp increase in cyber threats. During this time, online consumer behaviour changes drastically- shoppers are eager for deals, working against the clock, and spending more time online.

This frenzy presents an ideal opportunity for cyber criminals, who take advantage of increased online traffic, distracted users, and businesses operating out-of-hours to launch attacks. For organisations, this shift introduces unique risks and demands heightened security measures.

This month, we are focusing on the elevated cyber risks associated with the festive season. We will explore how cyber criminals exploit holiday shopping habits and changes in consumer behaviour, provide examples of high-profile incidents, and offer best practices that organisations can implement to safeguard their operations during this critical period.

During peak shopping times like Black Friday and Christmas, cyber crime rises as consumers spend billions online. A recent report by ThriveDX found that ransomware attacks increase by 30% during the holidays compared to regular months.

Cyber criminals know that consumers are often distracted while hunting for deals, leaving them vulnerable to phishing attacks and other scams. According to Forbes, in 2022 37% of data breaches in retail involved stolen payment card data, and ransomware accounted for 24% of breaches, with retailers often pressured to pay to avoid disruptions during their busiest sales periods.

A notable example of cyber criminals exploiting the festive period to steal payment card data is the Target breach, which affected approximately 40 million credit and debit card accounts during the holiday shopping period. The attack, facilitated by malware installed through an HVAC subcontractor, led to widespread customer distrust and hefty fines. This incident is a stark reminder that even well-established businesses with strong security frameworks can fall victim to cyber crime during the holidays.

Cyber security has become a critical issue for higher education (HE) institutions due to their unique structures. Academic institutions have open environments where many users access shared networks from various devices and locations.

This makes them prime targets for cyberattacks. Common threats include phishing attacks, ransomware, Distributed Denial of Service (DDoS) attacks, and data breaches. Plus, the rise of remote learning and cloud adoption has increased the potential attack surface for many educational institutions, making it harder to manage cyber security.

Higher education institutions are attractive targets for threat actors due to their decentralised structures, large user bases, and the diversity of data they store.

Universities, for example, often have open networks to support collaboration and research, creating vulnerabilities and exploitable gaps in infrastructure. They typically hold valuable intellectual property, cutting-edge research, financial data, and personal student/staff information. Additionally, a blend of staff, students, and external collaborators using a range of different devices further complicates security oversight and can make endpoint security management a living nightmare.

Considering all of these factors, Higher Education Institutions appeal to a wide spectrum of motives for threat actors to target them; nation-states may target them for espionage and to obtain valuable research data, while ransomware groups view them as lucrative opportunities due to their reliance on constant system availability for academic and administrative purposes.

In the past year alone, 97% of UK higher education institutions reported cyber incidents, spanning across a wide variety of attack vectors and methods, according to a recent survey by the NCSC.

The UK’s public sector – spanning the NHS, central and local government, emergency services, and education – is increasingly targeted by cyber criminals.

With digital transformation accelerating post-pandemic, the stakes have never been higher. According to recent government reports, ransomware attacks have cost public bodies over £1 million per incident, and more than 25% of breaches go undetected for months.

1. Skills Shortages

Public sector organisations face a critical shortage of cyber expertise. One in three cyber roles remains vacant or filled by costly contractors, and many departments lack senior digital leadership.

2. Financial Constraints

Budget pressures make it difficult to invest in proactive security measures. Yet prevention remains far more cost-effective than remediation.

Sophos Managed Detection and Response (MDR) offers 24/7 threat hunting and incident response, bridging the skills gap and providing scalable protection. It combines AI-driven detection with human-led analysis to:

• Proactively hunt and validate threats
• Assess severity and business impact
• Contain and neutralise attacks remotely
• Provide root cause analysis and remediation guidance

Deployment options include:

• Notify: Sophos alerts your team to threats
• Collaborate: Joint response with your internal team
• Authorise: Sophos handles containment and informs you of actions taken

This flexible model ensures public sector organisations retain control while benefiting from expert support.

Healthcare

An NHS Ambulance Trust adopted Sophos MDR to ensure uninterrupted access to patient data and services. Building an in-house 24/7 SOC was cost-prohibitive, making MDR a practical alternative.

Education

A leading independent school implemented Sophos MDR to protect student data and avoid ransomware-related downtime. Their proactive stance ensured continuity in teaching and learning.

Housing Associations

CyberLab has supported housing providers in deploying MDR to safeguard resident data and maintain operational integrity. These organisations now benefit from continuous monitoring and expert threat response.

The UK Government Cyber Security Strategy calls for a shift from reactive to proactive security across the public sector. Sophos MDR enables this transition by delivering round-the-clock protection, addressing talent shortages, and supporting digital resilience.

CyberLab is proud to support public sector clients across healthcare, education, housing, and government. As Sophos Public Sector Partner of the Year for ten consecutive years, and with a team of CREST and CHECK-certified testers, we’re here to help you strengthen your cyber defences.

The foundational pillars of any organisation’s performance and resilience are people, processes, and technology. These elements are emphasised in the ISO 27001 framework, which underscores the importance of a holistic approach to information security management.

Despite robust technological defences and well-defined processes, it is often the human element that remains the most vulnerable. Social engineering usually involves manipulating or deceiving individuals into divulging credentials or granting some form of unauthorised access to malicious actors.

This article explores the pervasive threat of social engineering, exploring its techniques, real-world impacts, and strategies to fortify your defences against these sophisticated attacks.

Social engineering is a manipulation technique that exploits human psychology to gain access to confidential information or systems. Unlike technical hacking, social engineering relies on human interaction and often involves tricking people into breaking normal security procedures with the goal of obtaining sensitive information or unauthorised access.

Social engineering tactics are diverse and continually evolving. Some of the most common techniques include:

• Phishing: Deceptive emails or messages designed to trick recipients into providing sensitive information.
• Baiting: Offering something enticing to lure victims into a trap.
• Pretexting: Creating a fabricated scenario to steal victims’ personal information.
• Tailgating: Gaining physical access to restricted areas by following someone with legitimate access.
• Vishing: Using phone calls to trick victims into divulging information.

Social engineering is alarmingly common in cyber-attacks. According to findings from American-based Software and Cyber Security company Splunk, in 2023, 98% of all reported cyber-attacks involved some form of social-engineering, making it one of, if not the most prevalent methods used by cybercriminals and other threat actors. An average organisation can face over 700 social engineering attacks annually. [source: Splunk]

Phishing remains the most common social engineering technique, with millions of phishing emails sent daily around the globe. In the UK the 2024 Cyber Breaches Survey indicated that 84% of businesses and 83% charities have been targeted by phishing attacks this year already, with some cyber criminals impersonating other organisations in emails or online. [source: UK Government]