The attack that took down M&S's online clothing sales for six weeks didn't start with sophisticated hacking. It started with a phone call.
Someone who spoke perfect English rang the IT helpdesk at Tata Consultancy Services, M&S's third-party support provider. They convinced support staff they were internal IT. They obtained credentials. Within hours, DragonForce ransomware was encrypting 600+ systems across one of Britain's most recognised retailers.
The estimated cost? £300 million.
If you're reading this as a business owner or security professional in London, this isn't a cautionary tale about someone else's problem. It's a preview of what's coming for organisations that haven't yet recognised cyber security as a business continuity issue, not just an IT problem.
The Numbers That Should Keep You Up at Night
The UK experienced 204 nationally significant cyber incidents in the year to August 2025. That's four major attacks every single week affecting organisations critical to the UK economy. For businesses specifically:
- 43% experienced a cyber breach in the past 12 months
- 67% of small businesses that suffered an attack reported financial difficulties within six months
- Ransomware incidents increased 70% compared to the previous year
- The average cost reached £10,830 for medium-sized businesses
But here's the statistic that matters most: when your screens go dark and your payment systems freeze, you have approximately 72 hours before customers start looking elsewhere.
Why Your Security Budget Might Not Save You
The businesses that survived 2025's major attacks weren't necessarily the ones with the biggest security budgets. They were the ones that made three critical decisions:
1. They Stopped Trusting Their Network Perimeter
Every major UK breach this year (M&S, Co-op, Jaguar Land Rover, Heathrow) started with a third-party supplier, contractor, or service provider. Yet just 14% of UK businesses assess the cyber risks posed by their immediate suppliers.
Your organisation might be secure. But if your IT helpdesk, software vendor, or logistics partner isn't, you're simply an indirect target.
The question isn't "Are we secure?" It's "Are our suppliers secure?"
2. They Prepared for Recovery, Not Just Prevention
When JLR's automated manufacturing operations were suspended, the challenge wasn't removing the ransomware. It was safely restarting complex, interconnected systems without triggering further damage.
The average time to identify a breach in the UK is 207 days. By the time most organisations discover they've been compromised, attackers have established persistence, mapped the network, and potentially exfiltrated valuable data.
Resilience isn't about preventing every attack. It's about detecting breaches quickly, limiting damage, and recovering operations within days instead of months.
3. They Treated Cyber Security as a Board-Level Business Risk
Only 27% of UK businesses have a board member with responsibility for cyber security. This is a figure that has declined steadily over recent years despite 72% identifying it as a high priority.
This disconnect between risk awareness and accountability is deadly.
The UK government wrote to CEOs of FTSE 350 companies in October 2025 with a stark warning: cyber attacks are "not a question of if but when" and "businesses cannot be protected by government alone."
What Works: Lessons from Organisations That Survived
The organisations that recovered fastest from 2025 attacks shared specific characteristics:
They maintained offline incident response plans. During the M&S and Co-op attacks, organisations discovered their response procedures were stored digitally on the very systems that had been encrypted. The NCSC's message to business leaders is stark: "Be ready to go back to pen and paper."
They implemented real supply chain risk assessments. Not tick-box compliance exercises, but rigorous evaluations asking: "If this vendor suffers a ransomware attack tomorrow, what systems of ours stop working?"
They invested in security awareness, not just training. 84% of UK businesses that reported breaches identified phishing as the attack vector. The difference between "security training" and "security awareness" is the difference between a mandatory annual video and building a culture where security is everyone's responsibility.
They prepared for detection, not just prevention. 24/7 security monitoring, endpoint detection and response (EDR) solutions, and regular threat hunting exercises identified suspicious activity before it became catastrophic.
The Apple Dimension: What's Changed for Mac-First Organisations
For London's creative agencies, financial services firms, and technology companies running Apple infrastructure, 2025 brought both significant security enhancements and new compliance challenges.
The Good News:
Apple patched seven actively exploited zero-day vulnerabilities and doubled its top security bounty to £2 million. More significantly, WWDC 2025 introduced MDM migration without device wipes. This eliminates the single biggest barrier to consolidating and modernising Apple device management at scale.
Organisations can now migrate devices between MDM platforms whilst preserving apps and data, making it practical to move from legacy on-premises tools to modern cloud-based management.
The Challenge:
Apple withdrew its Advanced Data Protection feature from the UK following a government Technical Capability Notice. For organisations that relied on ADP for data protection frameworks—particularly those handling sensitive client information in creative, financial, or legal sectors—this creates a compliance gap requiring alternative encryption strategies.
Additionally, Apple is deprecating legacy software update management methods in iOS, iPadOS, and macOS, with removal planned for 2027 OS versions. Organisations must transition to declarative device management. This is a shift from reactive, server-driven management to resilient, client-driven management.
The 90-Day Action Plan
The next 90 days are critical. The breaches at M&S, Co-op, and JLR weren't sophisticated nation-state operations. They were successful because organisations failed to implement basic security controls and failed to extend those controls to their suppliers.
For Business Owners and Decision Makers
This Week:
- Designate a board member with responsibility for cyber risk oversight
- Review your cyber insurance policy—specifically asking about supply chain attack coverage
- Verify you have a printed, offline incident response plan accessible without network access
This Month:
- Commission an external security assessment (penetration test or security audit)
- Review vendor contracts to include security requirements and breach notification
- Establish a relationship with a cyber incident response firm (retain them before you need them)
This Quarter:
- Implement a Third-Party Risk Management programme with vendor security scorecards
- Establish a cyber security budget as a percentage of IT spend (industry benchmark: 10–15%)
- Develop and test business continuity plans for scenarios where primary systems are unavailable for one week or one month
For Security Professionals and IT Leaders
This Week:
- Audit all third-party access to your environment (who has credentials, what systems can they reach?)
- Verify that offline backups are actually offline and test restoration of one critical system
- Enable and enforce MFA on all admin accounts (including legacy systems)
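One way to run the first and third checks against an account export, shown as an added example rather than code from this article or any vendor. The CSV columns, account names and the 90-day idle threshold are assumptions, and the sample data is constructed.

```python
import csv
import io
from datetime import date

# Constructed sample export. Column names are assumptions, not a real product's schema.
ACCOUNTS_CSV = """account,owner_org,is_admin,mfa_enforced,last_login,systems
svc-helpdesk-01,Supplier A,yes,no,2025-10-28,AD;VPN;ServiceDesk
j.smith,internal,yes,yes,2025-11-01,AD;Finance
vendor-logistics,Supplier B,no,yes,2025-03-14,WMS
contractor-dev,Supplier C,yes,yes,2025-10-30,Git;CI
old-admin,internal,yes,no,2024-12-01,AD
"""
TODAY = date(2025, 11, 3)   # fixed so the sample is reproducible
STALE_AFTER_DAYS = 90       # assumed threshold for an unused supplier account


def audit(csv_text, today):
    """Return one finding per account that needs attention."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        third_party = row["owner_org"].strip().lower() != "internal"
        admin = row["is_admin"] == "yes"
        mfa = row["mfa_enforced"] == "yes"
        idle = (today - date.fromisoformat(row["last_login"])).days
        issues = []
        if admin and not mfa:
            issues.append("admin without MFA")
        if third_party and admin:
            issues.append("third-party admin access")
        if third_party and idle > STALE_AFTER_DAYS:
            issues.append(f"third-party account idle {idle} days")
        if issues:
            findings.append({
                "account": row["account"],
                "org": row["owner_org"],
                "systems": row["systems"].split(";"),  # what the account can reach
                "issues": issues,
            })
    return findings


if __name__ == "__main__":
    for f in audit(ACCOUNTS_CSV, TODAY):
        print(f["account"], f["org"], ",".join(f["systems"]), "|", "; ".join(f["issues"]))
```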
This Month:
- Implement conditional access policies requiring device compliance for sensitive system access
- Conduct a simulated phishing campaign and analyse results by department
- Schedule and complete a tabletop incident response exercise with IT, legal, and communications teams
This Quarter:
- Complete security assessments of all critical suppliers with formal remediation plans
- Implement SIEM or log aggregation with detection rules for relevant threat patterns
- Establish 24/7 monitoring (in-house SOC or managed detection and response partnership)
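A detection rule for the pattern described at the top of this article (a helpdesk-driven credential reset followed shortly by a sign-in), written here as an added example and not taken from any SIEM product. The event fields, account names and the four-hour window are assumptions, and the events are constructed.

```python
from datetime import datetime, timedelta

# Constructed identity-provider events. Field names are assumptions.
EVENTS = [
    {"ts": "2025-01-06T09:02:00", "type": "login", "user": "a.khan", "device": "MAC-1182"},
    {"ts": "2025-01-07T10:15:00", "type": "login", "user": "it.admin", "device": "MAC-0007"},
    {"ts": "2025-01-08T21:40:00", "type": "credential_reset", "user": "it.admin",
     "actor": "helpdesk-ext-14"},
    {"ts": "2025-01-08T22:05:00", "type": "login", "user": "it.admin", "device": "WIN-UNKNOWN-3"},
    {"ts": "2025-01-09T08:30:00", "type": "credential_reset", "user": "a.khan",
     "actor": "helpdesk-ext-02"},
    {"ts": "2025-01-09T08:41:00", "type": "login", "user": "a.khan", "device": "MAC-1182"},
]
WINDOW = timedelta(hours=4)  # assumed correlation window


def detect(events, window=WINDOW):
    """Alert when a reset is followed, within the window, by a login from an unseen device."""
    known = {}    # user -> devices seen on earlier logins
    resets = {}   # user -> (time, actor) of the most recent reset
    alerts = []
    for e in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(e["ts"])
        user = e["user"]
        if e["type"] == "credential_reset":
            resets[user] = (ts, e["actor"])
        elif e["type"] == "login":
            seen = known.setdefault(user, set())
            reset = resets.get(user)
            if reset and e["device"] not in seen and ts - reset[0] <= window:
                alerts.append({
                    "user": user,
                    "device": e["device"],
                    "reset_by": reset[1],
                    "minutes_after_reset": int((ts - reset[0]).total_seconds() // 60),
                })
            seen.add(e["device"])  # becomes part of the baseline afterwards
    return alerts


if __name__ == "__main__":
    for a in detect(EVENTS):
        print(a)
```

A reset followed by a login from the user's usual device stays quiet; a new starter's first login after a reset will alert, so route these to a human check rather than an automatic block.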
The Question That Matters
When the screens go dark (and statistics suggest it's when, not if), will your organisation be among those that recover within days, or among those that face financial difficulty, regulatory enforcement, and potential closure?
The organisations that will still be operating twelve months from now are making security decisions this week. The others are hoping it won't happen to them, despite all evidence that it will.
The 90-day window starts now.
How Stabilise Can Help
At Stabilise, we specialise in securing Apple-first environments for London businesses. We understand that cyber security isn't about implementing every possible control. It's about implementing the right controls for your specific risk profile and business operations.
Our approach combines:
- Apple ecosystem expertise with enterprise security frameworks
- Strategic consulting to align security investments with business priorities
- Proactive monitoring and threat detection for Mac, iPhone, and iPad fleets
- Supply chain security assessments tailored to creative and professional services firms
- Incident response planning with regular testing and validation
Whether you're running a creative agency with 25 Macs or a financial services firm with 500+ Apple devices, we'll help you build genuine cyber resilience (not just compliance theatre).