
Cyber Security as Business Resilience: Lessons from Recent UK Breaches
Alex King | Delivery Partner
In today’s digital‑first economy, cyber security is no longer a purely technical issue. It’s a fundamental business resilience concern. The three massive cyberattacks on some of the UK’s most recognised brands (Marks & Spencer, the Co-op and Jaguar Land Rover) have sent a clear message to organisations across all sectors: when systems fail, businesses don’t just lose data; they lose operational capability, customer trust and, in many cases, their financial footing.
In October 2025, the UK Government wrote to chief executives across the UK, strongly recommending that they keep physical copies of their plans at the ready as a precaution. The warning came as the National Cyber Security Centre (NCSC) reported an increase in nationally significant attacks this year. Firms are being urged to look beyond cyber security controls towards a strategy known as ‘resilience engineering’, which focuses on building systems that can anticipate, absorb, recover from and adapt to an attack.
In light of these incidents, this article explores how cyber security must be reframed as a pillar of organisational resilience, not just a function of IT. We’ll share lessons from these events, outline the financial stakes involved, and map out practical steps to strengthen your defences and your ability to bounce back.
Resilience Starts with Understanding the Risk
The recent breaches at M&S and JLR both resulted from vulnerabilities that have long been known yet are often under‑mitigated: compromised third‑party access, social engineering, and insufficient containment once attackers gain entry. Both cases show that attackers are increasingly targeting the “weakest link” (vendors, contractors or employees) via phishing or social engineering, rather than attempting to break through hardened perimeter defences. In JLR’s case, the breach effectively brought production lines to a halt, affecting thousands across the supply chain.
These incidents are reminders that today’s threats are not just about stealing data; they are about disrupting operations. The cost is no longer limited to fines or reputational damage; it now includes significant business interruption, lost revenue and long‑term erosion of trust. The Co-op, for example, has estimated that the cyberattack in which hackers penetrated its network cost it £206m, prompting shortages of goods on shelves and the loss of customer data.
Resilient organisations don’t just try to stop cyberattacks. They assume attacks will happen and prepare accordingly.
Financial Impacts: What the UK Incidents Reveal
Understanding the scale of loss that real breaches can occasion helps put resilience into sharp focus.
Marks & Spencer (M&S)
- M&S estimates the cyberattack will reduce its operating profit by around £300 million in its financial year 2025/26 if nothing is done to mitigate the damage. This figure represents about 30‑35% of its expected operating profit, before accounting for mitigation efforts via insurance, cost control, and trading actions.
- In addition to profit impact, the attack caused supply chain disruption, forced adoption of manual processes (increasing waste and logistics cost), and paused key online sales channels (fashion, home, beauty).
Jaguar Land Rover (JLR)
- JLR’s attack led to the shutdown of production at multiple UK factories. The suspension of operations lasted several weeks. It is estimated that JLR is incurring losses of at least £50 million per week during the shutdown.
- To aid its supply chain and preserve supplier cash‑flows, the UK government has provided a £1.5 billion government‑backed loan guarantee.
The New Face of Cyber Risk: Disruption, Not Just Data
What’s emerging is a clear shift: cyber risk is no longer confined to IT systems and data privacy. It’s a direct threat to business continuity. From payments and supply chain logistics to production capability and customer service, everything is connected. A breach in one system can quickly cascade across others, halting operations entirely.
These financial figures underscore the magnitude of what’s at stake. A single event can cost hundreds of millions; for large manufacturing operations, costs can run into the billions very quickly.
This makes cyber security a core business resilience issue. The ability to maintain operations, contain threats, and recover quickly is now a key performance indicator for any organisation.
Why Traditional Cyber Security Isn’t Enough
Many organisations still approach cyber security with a compliance mindset — focusing on passwords, patching, and perimeter defences. These remain important, but the threat landscape has moved on.
Attackers now target weak links in the supply chain, use social engineering to gain access, and exploit legitimate user credentials. Once inside, they move laterally, disrupt core systems, and in some cases, hold critical infrastructure to ransom.
The financial losses at M&S and JLR show that organisations cannot afford to assume downtime is tolerable. The cost in profit, supplier stability, market value, and reputational damage mounts fast.
Key Principles of Cyber Resilience
Cyber resilience goes beyond prevention. It integrates preparation, response, and recovery. It’s not about avoiding every incident; it’s about being able to withstand and recover from them with minimal disruption.
Here are the principles every organisation should adopt:
- Prepare for Breach as a Certainty
  - Build breach scenarios into business continuity and disaster recovery planning: what if a key vendor is compromised? What if your core production or distribution systems are offline for a week?
  - Simulate these scenarios regularly through tabletop exercises and stress testing.
  - Ensure cyber risk is part of your enterprise risk management and resilience strategy, not just a technical silo.
- Protect the Core but Assume Failure
  - Continue investing in strong identity and access controls, segmentation, and zero trust models.
  - Anticipate that prevention will not always suffice; plan how to contain a breach rapidly once it occurs.
  - Limit exposure by creating zones of separation (e.g. between core operations and public-facing services).
- Ensure Rapid Detection, Containment, and Recovery
  - Deploy advanced detection tools: behavioural analytics, intrusion detection, and endpoint detection and response.
  - Maintain 24/7 monitoring, or partner with external experts, to ensure fast response.
  - Design systems so that essential backup, failover, and recovery mechanisms are always available and regularly tested.
- Strengthen Your Supply Chain Defences
  - Audit and classify third parties by risk; require strong resilience standards as part of contracts.
  - Include supply chain contingency planning: what happens to your operations if a key supplier is incapacitated for weeks?
  - Support suppliers’ resilience: smaller partners may be the weakest link, yet critical to your ability to operate.
- Focus on Recovery and Continuity
  - Maintain offsite, immutable backups; ensure backup systems are isolated from main networks.
  - Build redundancy into critical services, especially those that, if down, bring operations to a halt.
  - Prepare communication strategies and stakeholder management plans in advance.
- Create a Culture of Resilience
  - Train staff not just for awareness, but for resilience: understanding the impact of downtime and knowing how to respond.
  - Encourage rapid, transparent reporting of incidents or anomalies.
  - Ensure collaboration across IT, Security, Operations, Finance, Legal, Communications, and the Board.
Board‑Level Accountability: Driving Resilience from the Top
Cyber resilience must be championed by leadership. It’s a board‑level responsibility because its impact spans financial, reputational, and operational domains. Leaders should be asking:
- Do we understand how much financial damage a significant cyber incident could inflict on us in one, two, or more weeks?
- Are we capable of operating essential services without critical systems for extended periods?
- Have we rehearsed a cyber crisis involving our critical suppliers or operations? (Although the intensity, urgency and unpredictable nature of a live attack are probably unlike anything that can be rehearsed, drills can be invaluable: they expose weaknesses in the system and help build muscle memory for handling an attack.)
- Can we communicate with customers, regulators and investors quickly and credibly in such a scenario?
- Do we have all of these plans in paper format so we can access them if our systems go down?
- Have we identified the basics of what is needed to keep the business going in the event of a cyber attack?
- Do we know who is accountable: who is the “owner” of cyber resilience (CISO, CIO, Board or COO)?
- Are cyber considerations built into all major investments, vendor contracts, M&A due diligence, and strategic initiatives?
- Do we need to expand and enhance our oversight of all suppliers, third parties and contractors with access to our data or systems?
Embedding cyber resilience into strategic decision‑making is no longer optional — it’s an expectation from stakeholders, regulators, and the market.
Consultants, Vendors, and Clients: We’re All Part of the Chain
Resilience is only as strong as the weakest link in the ecosystem. Whether you are a client, a consultant, or a technology provider, you have a role to play in building collective security and resilience.
As consultants, we must:
- Maintain high security and resilience standards ourselves.
- Support clients in scenario‑planning, third‑party risk management, and recovery strategy.
- Lead by example with transparency, certifications, and proactive engagement on security.
As clients, you should:
- Hold vendors and partners accountable for resilience and not just SLAs.
- Build incident response scenarios that involve your supply chain.
- Make resilience part of procurement, contract management, and service design.
Moving Forward: A Resilience‑First Strategy
Cyber resilience is now a key pillar of competitive advantage. It’s not just about surviving an incident; it’s about operating confidently in a world where incidents are inevitable.
The recent cyberattacks have shown us the cost of unpreparedness. But they’ve also clarified what’s needed:
- We need to think beyond protection, and plan for continuity and recovery.
- We need to build resilient architectures, not just secure ones.
- And we need to act now, not after the fact.
With losses of hundreds of millions (in the case of M&S) the financial stakes are clear. Organisations that can detect fast, respond effectively, and recover quickly — while maintaining customer trust and business momentum — will stand the best chance of surviving, and even thriving. In short: prevention, resilience, and fast recovery are far cheaper than reacting after the fact.
If you are interested in finding out more about our cyber security offering, please take a look here and connect with our Principal, Dr John McCarthy.

About the author, Alex King.
Alex spent the first ten years of her career at Accenture specialising in change management & process design for financial services organisations. She then moved to roles at Deutsche Bank and Credit Suisse where she worked on large scale HR transformation projects.
More recently she has worked for a startup Lloyd’s of London Broker as Head of Organisational Effectiveness.
When Alex is not working, she enjoys a renovation project, spending time with family and friends and is a keen visitor to all things National Trust!


