30 September 2025
Dear Partner,
I write to you from one business owner to another.
What follows is not a sales-pitch and neither is it intended to scare. My intention is to educate and inform, and to share my views and professional opinion on a matter of increasing concern to me personally, to others in our industry and to many business owners I speak to daily – the increasing cyber-threats to businesses like mine and yours that are putting our operations, our data and our reputations at significant risk. I do however need to be sure my concerns, and the advice that follows, have been received and that is why this letter has intentionally landed on your desk rather than in your inbox.
In what has been a shift in public reporting, you will likely have seen high-profile cyber-attacks dominating news broadcasts over recent months. In order to give some context I will summarise some of those attacks below:
In April, the UK Ministry of Defence (MoD) experienced a data breach exposing sensitive data relating to military personnel and contractors. The breach reportedly involved unauthorised access to a third-party payroll system and was therefore attributed to supply-chain vulnerabilities.
In May, Transport for London (TfL) experienced a significant cyber incident that disrupted online services including Oyster card top-ups and journey planning tools.
In June, a ransomware attack on Synnovis, a pathology services provider for the NHS, caused major disruption to blood tests and diagnostics across London hospitals. A ransomware group known as Qilin claimed responsibility and demanded a ransom for the return of the data before leaking sensitive patient data on the dark web.
Attacks on our Critical National Infrastructure (CNI) such as the MoD, TfL and NHS are not accidents or coincidences. Global weekly attacks on Government systems & infrastructure are up by 43% since 2023. Attacks on healthcare and medical industries increased by +47%, telecommunications +40% and energy & utilities +42%[i]. And where are these attacks originating from? Unsurprisingly in the majority of cases, Russia, China and North Korea.
Outside CNI, there have been several high-profile attacks on retail giants over recent months:
Marks & Spencer (M&S): A ransomware attack linked to the cyber-criminal groups Scattered Spider and DragonForce began around Easter and caused over 6 weeks of disruption. Online orders, the mobile app and click-and-collect services were suspended, causing an estimated £300 million hit to operating profit (wiping out one third of annual profits), and customer data was accessed. The attack succeeded because the attackers exploited a third-party service provider and used social engineering to convince a single employee to grant them access.
Co-op: A malicious, likely ransomware, attack on Co-op in April partially shut down IT systems, causing empty shelves and payment issues. Co-op reported over £206 million in lost revenue in H1 2025 and an £80 million hit to operating profit. Personal data belonging to 6.5 million customers was stolen, and again it was all caused by a social engineering attack in which hackers impersonated staff to gain access.
Harrods: Two attacks this year alone; the first in May was again linked to Scattered Spider and more recently this month a third-party supplier breach exposed data of 430,000 customers.
And most recently, a cyber-attack that targeted internal IT systems at Jaguar Land Rover caused them to halt production at their three UK facilities for a month. The attack is suspected to involve ransomware or a supply-chain compromise, and its cost is yet to be fully measured.
There are key themes across all these attacks – the heavy reliance on third-party vendors and suppliers, the use of social engineering and supply-chain compromises, catastrophic financial losses and significant harm to customer trust and brand reputation.
The most worrying attack, and perhaps a new low in cybercrime, occurred just last week. On 25th September hackers infiltrated a London-based nursery chain with 18 sites. After failed ransom negotiations, in which the criminals demanded around 1.5% of the company’s annual revenue, a criminal group calling itself Radiant posted sample profiles of children and staff on the dark web. Hugely sensitive data on over 8,000 children and staff members has been stolen and is currently being threatened with release. This data includes photos, full names, dates of birth, addresses, medical records and medications of nursery-age children, along with personal details of parents, carers and staff, safeguarding reports and billing data. This is no longer basic password theft – the personally identifiable information (PII) of these children cannot be ‘reset’ like passwords and presents a harrowing long-term privacy threat for these families.
When it comes to supply-chain attacks, artificial intelligence (AI) plays a big part. Whilst it is an essential tool in our fight against cyber-crime, it is unfortunately also a major contributor. AI ‘deep fakes’ can craft the most believable of personas, e-mails and even video calls to convince unsuspecting individuals to grant access to systems, infrastructure and data.
And I’ll reiterate, this letter isn’t about you spending money. In fact, in pretty much all of the cases I’ve referenced above, costly defence systems, firewalls and technology-based security systems were already operating. But there was a person, an unsuspecting and trusting employee on the inside, holding the door wide open for the attackers to enter.
This is your biggest risk.
As business owners and leaders it is imperative that we fully understand, measure and appreciate the risks we are exposed to. It is absolutely essential to the continued operation of our businesses that we educate our staff, our sub-contractors and our supply chains as to the impact their actions could have. Very recently KNP Logistics Group, a 158-year-old business employing 700 people, collapsed because criminal gangs guessed one person’s password and held them to ransom for their own data to the tune of £5 million. Data they could not survive without and money they simply didn’t have. They no longer exist.
‘Downtime’ is less of an issue to most now thanks to ‘modern workplace’ technology – we have our servers and infrastructure in the cloud and can pretty much work from any device, in any location at any time. But for many, our data is our business and our business is our data.
Please ask yourself the following questions and discuss them openly at your next Board / leadership meeting:
- How valuable is our data? Could we survive without it?
- Do we know what data and systems are most critical to our operations?
- Do we fully know what data our employees have access to?
- How well and what do we know of our supply-chain? Do we carry out any diligence on their own cyber-resilience?
- Are we compliant with relevant regulations?
- Do we hold any cyber-security framework certifications such as Cyber Essentials, CAF or ISO27001, and/or do we know our level of GDPR compliance (from a personal data security and breach reporting perspective)?
- Do we have adequate cyber insurance, and does it cover ransomware?
- Are our people trained to recognise phishing and social engineering attacks?
- What would be the financial and reputational impact of a major breach?
- What would it cost us if we lost some or all of our data?
- How long could we operate if critical systems were offline?
- Can we define our Minimal Viable Company (MVC) before a cyber-attack hits?
None of the organisations I’ve mentioned above expected a cyber-attack to hit them the next day. Neither did they expect the damages bill that followed or in the case of KNP Logistics, to be out of business altogether.
I do not want you to be out of business. I do not want to be having this conversation after you’ve been the victim of cyber-crime or perhaps when it is too late. I certainly do not want you asking why I didn’t bring this conversation to the forefront sooner.
And we are by no means exempt from the risks I am speaking to you about, and we take our responsibilities as your trusted technology partner most seriously. Over recent months we have doubled down on our own processes and security measures. Governance, risk and compliance are a top priority for us, and we intend to continue leading by example through technical innovation and best practice, ensuring we remain here to support you into tomorrow and beyond.
If you have questions after speaking with your Board and/or senior team, or would like me to attend those conversations to provide further insight into your specific risks and answer any questions I will readily make myself available to do so.
Whilst there are products, services and solutions that we can of course sell you to help in mitigating these risks (and you may already have some or many of them) and that do provide much-needed protection, I urge you to start with measuring what matters and fully understanding 1) the risks your business is exposed to, 2) which of those you can afford to accept and 3) how to start mitigating those you cannot. I will guarantee to you that your first task after doing this, and one of the most effective in this tiresome battle, will be informing and educating your people through continued security awareness training.
And I want to help with that. Over the coming months we will run a series of awareness events for our Partners – webinars, podcasts, briefing sessions, virtual training and awareness campaigns – all at no cost to you. I highly recommend that you look out for these and make time for as many people within your organisation as possible to attend. If this proves logistically challenging, again reach out to me and we can discuss how best to support you.
There are also several resources available to you online. We have published a ‘Cyber-Resilience 101’ webinar that you can watch on-demand via our website at https://events.teammetalogic.com/webinar-Cyber-Resilience101 and the National Cyber Security Centre (NCSC) have numerous resources available free of charge on their web site at https://www.ncsc.gov.uk. From here you will also be able to create a personalised Cyber Action Plan (https://www.ncsc.gov.uk/cyberaware/actionplan) and gain assistance in developing and using a personalised cyber incident response plan (https://www.ncsc.gov.uk/collection/incident-management/cyber-incident-response-processes) – again we can help with these if needed.
I appreciate the content of this letter might be a lot to take in, and it is of course worrying in nature, but I am hoping you will sleep far better at night, as will I, reassured that you know what the risks are and what you are doing about them rather than just waiting for the worst to happen. If you would like to discuss any of the content I’ve shared here or have a conversation about your specific business, please reach out to me either by email or by telephone on 0345 521 0618.
Thank you for your time in reading this and I hope to speak with you soon.
Kind regards,

[i] https://www.checkpoint.com/security-report/?flz-category=items&flz-item=report–cyber-security-report-2025