The Final Step Blog

The Dragon wants to speak to you: Security to fend off cyber attacks

Written by Simon Heath | Jul 1, 2025

“The Dragon wants to speak to you…”

That was part of the message the BBC reported was sent to Marks & Spencer’s CEO by the DragonForce criminal gang.

This quarter’s high-profile cyber attacks on Marks & Spencer and Co-op have prompted a number of organisations to reassess their cyber security. 

This article is for individuals with limited time and technical expertise who need high quality cyber threat risk assessments and want to implement effective mitigations. 

We’ve had an increased number of requests for cyber risk assessments, and it seems we’re not alone. Food Navigator, which provides “news and analysis on Food & Beverage Development & Technology”, reported a 320% surge in cyber security interest. 

No CEO wants their operations locked and trade suspended. Whilst there are no guarantees of avoiding such attacks, you will want to have good answers when clients, stakeholders, insurers and the ICO ask questions such as:

  • What cyber security protections do you have in place? 
  • What process do you have for detecting and mitigating vulnerabilities? 
  • How do you review and assess the latest threats? 

CEOs want to attract and retain business, even in the worst-case scenario. So, they are double-checking their protections to ensure they are as strong a link in their supply chain as possible. 


Confusion about what to do?

It’s not unusual for successful, fast-growing companies to focus on building the business and then, a bit later than intended, turn their managerial attention to maturing their cyber security.

It’s also not unusual for organisations to be uncertain what they need to do. There are a bewildering number of cyber security options. Do you need certifications, pen testing, cyber security audits or something else?

Some organisations with outsourced IT remain confused or lacking confidence about their cyber security because it feels that there still isn’t someone responsible for viewing the organisation from a cyber security point of view.

This often leads to engaging external cyber security consultants, who may provide sound advice and reports. However, despite best intentions, considerable time may elapse between the consultancy and any action.


Trusted advice that leads to action and monitoring

It would be nice if it were a case of “buy one thing” and all your cyber security worries are over. The cyber security sector analysis in 2025 conducted by the Department for Science, Innovation and Technology identified 2,165 security companies in the UK.  

Unfortunately, cyber security requires layers of protection that are built over time, with each new step focused on mitigating the most substantial risk. 

When you are shopping around for one or more trusted cyber security providers, we would consider their ability to work with you to deliver: 

  • A method for regularly assessing, planning and budgeting for overall risks.
  • Continuous management, monitoring and reporting of the protective layers, especially those related to your ability to recover operations.
  • Development of your cyber security so that it adds proactive elements.


Getting fundamental security in place

If you don’t have the fundamentals in place, you need to start there and ensure they are managed and monitored effectively. 

To give you an idea, this includes such items as: 

  • All systems have anti-virus with alerts if the software isn’t installed, expires or stops working.
  • Critical and security patches are applied to systems within 14 days of release by the manufacturer.
  • You have a backup, including your Microsoft 365 data. Ensure the backup is checked daily and you do a test restore regularly.
  • You have inventories and a plan for obsolescence, e.g. Windows 10 is about to become a security risk as it will go end of life in October.

This isn’t by any means a comprehensive list of fundamental protections for data, devices and users but it gives you an idea of what reporting you might expect from someone managing your IT.  
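As an added illustration (not code from the article or from The Final Step), the small Python check below runs the four fundamentals above against a constructed device inventory and backup record and produces the kind of exception report the paragraph refers to. The 14-day patch window is the article’s own figure; the anti-virus silence limit, the quarterly test-restore interval and the six-month end-of-life warning are assumptions, as are all device names, dates and patch ids.

```python
"""Fundamentals exception report over a constructed IT inventory.

Added example, not the article's code. Every device, date and patch id
below is made up; only the 14-day patch window comes from the article.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date, timedelta

PATCH_WINDOW = timedelta(days=14)        # article: critical/security patches applied within 14 days
AV_SILENCE_LIMIT = timedelta(days=2)     # assumption: an AV agent silent for >2 days has "stopped working"
BACKUP_CHECK_LIMIT = timedelta(days=1)   # article: backup checked daily
RESTORE_TEST_LIMIT = timedelta(days=90)  # assumption: "regular" test restore means at least quarterly
EOL_WARNING = timedelta(days=180)        # assumption: flag an OS six months before end of life


@dataclass
class Device:
    name: str
    os_name: str
    os_end_of_life: date | None            # None while the vendor still supports the OS
    av_installed: bool
    av_expires: date | None                # licence/signature expiry date
    av_last_report: date | None            # last check-in from the anti-virus agent
    pending_patches: list[tuple[str, date]] = field(default_factory=list)  # (patch id, vendor release date)


@dataclass
class BackupStatus:
    covers_microsoft_365: bool
    last_checked: date | None              # last time the backup was verified as completed
    last_test_restore: date | None


def device_findings(d: Device, today: date) -> list[str]:
    """Return one finding per fundamental control the device currently fails."""
    findings: list[str] = []
    if not d.av_installed:
        findings.append("anti-virus not installed")
    else:
        if d.av_expires is not None and d.av_expires < today:
            findings.append(f"anti-virus expired on {d.av_expires}")
        if d.av_last_report is None or today - d.av_last_report > AV_SILENCE_LIMIT:
            findings.append("anti-virus has stopped reporting")
    for patch_id, released in d.pending_patches:
        if today - released > PATCH_WINDOW:
            days = (today - released).days
            findings.append(f"patch {patch_id} outstanding {days} days (limit {PATCH_WINDOW.days})")
    if d.os_end_of_life is not None:
        if d.os_end_of_life <= today:
            findings.append(f"{d.os_name} is end of life (since {d.os_end_of_life})")
        elif d.os_end_of_life - today <= EOL_WARNING:
            findings.append(f"{d.os_name} goes end of life on {d.os_end_of_life}; plan replacement")
    return findings


def backup_findings(b: BackupStatus, today: date) -> list[str]:
    """Return the backup-related fundamentals that are not being met."""
    findings: list[str] = []
    if not b.covers_microsoft_365:
        findings.append("backup does not include Microsoft 365 data")
    if b.last_checked is None or today - b.last_checked > BACKUP_CHECK_LIMIT:
        findings.append("backup not checked within the last day")
    if b.last_test_restore is None or today - b.last_test_restore > RESTORE_TEST_LIMIT:
        findings.append(f"no test restore in the last {RESTORE_TEST_LIMIT.days} days")
    return findings


def fundamentals_report(devices: list[Device], backup: BackupStatus, today: date) -> dict[str, list[str]]:
    """Map each failing item ("backup" or a device name) to its findings; compliant items are omitted."""
    report: dict[str, list[str]] = {}
    backup_issues = backup_findings(backup, today)
    if backup_issues:
        report["backup"] = backup_issues
    for d in devices:
        issues = device_findings(d, today)
        if issues:
            report[d.name] = issues
    return report


# Constructed sample estate. TODAY is the article's publication date; the
# Windows 10 end-of-life date is entered as an assumed October value matching the article.
TODAY = date(2025, 7, 1)
SAMPLE_DEVICES = [
    Device("LAPTOP-01", "Windows 11", None, True, date(2026, 1, 31), date(2025, 6, 30),
           pending_patches=[("KB-EXAMPLE-1", date(2025, 6, 24))]),   # 7 days old: within the window
    Device("LAPTOP-02", "Windows 10", date(2025, 10, 14), True, date(2025, 5, 1), date(2025, 6, 20),
           pending_patches=[("KB-EXAMPLE-2", date(2025, 6, 10))]),   # 21 days old: overdue
    Device("SERVER-01", "Windows Server", None, False, None, None),   # no anti-virus at all
]
SAMPLE_BACKUP = BackupStatus(covers_microsoft_365=False,
                             last_checked=date(2025, 6, 30),
                             last_test_restore=date(2025, 2, 1))

if __name__ == "__main__":
    for item, issues in fundamentals_report(SAMPLE_DEVICES, SAMPLE_BACKUP, TODAY).items():
        print(item)
        for issue in issues:
            print("  -", issue)
```

Run as a script it prints only the exceptions: LAPTOP-01 is fully compliant and does not appear, while LAPTOP-02 is listed for expired and silent anti-virus, an overdue patch and the approaching Windows 10 end of life. Feeding it real data would mean replacing the constructed lists with exports from your RMM, anti-virus console and backup tool; the thresholds are deliberately kept in one place at the top so they can be agreed with whoever manages your IT.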

If it feels like you need to benchmark yourself in this area, penetration testing or a dedicated cyber risk assessment is probably not your best first option. You would benefit more from a fundamental evaluation of your IT estate, which would include the cyber security fundamentals.

The Government wants the UK to be a safe place to do business, and so its Cyber Essentials certification, even if you are not actually certifying for it, is a good starting target. The Government encourages all businesses to meet the standard. Passing Cyber Essentials, though, is a snapshot in time. It shows you meet the standard on a given day, but your IT is changing daily, so what happens on the other 364 days of the year?


Proactive cyber security

Once you have fundamental cyber security in place, most organisations enhance it (sooner or later, depending on budget and risk) with more sophisticated protections. Managed Detection and Response (MDR) and Security Information and Event Management (SIEM) are services that monitor devices and networks based not only on known threats but also on behaviour that appears suspicious. Often tied to a Security Operations Centre (SOC), they can intelligently intervene and raise alarms to human managers. The 24x7x365 nature of this intelligent monitoring is particularly useful in a world where we work anytime, anywhere and on any device.

Such measures are now being considered standard and affordable, even for small and medium sized businesses. The need is particularly pressing if your organisation is working with larger companies that stipulate you have certain security measures in place. 

Organisations that have MDR, SIEM and SOC but still want, or are asked, to review their security will often run a Vulnerability Assessment. This is a method of identifying, assessing and reporting on security vulnerabilities across your IT environment. We offer the assessment in such a way that it can easily be extended to Vulnerability Management, a systematic process of finding, prioritising, mitigating and reporting cyber threats. It’s not a one-time fix, but an ongoing service demonstrating your commitment to being a safe link in the supply chain.

If you are currently shopping around for people to help assess and improve your cyber security, we would bear the following in mind. An assessment is commendable, but check that it will break the findings down in such a way that you can prioritise and budget the next steps. What should you do differently, in what order, how soon and what’s it likely to cost? If they are only assessing or testing, are you able to handle all the next steps in-house? If not, it is best to find who can implement the changes and manage and monitor them on an ongoing basis. You want to create a virtuous cycle of plan, do, monitor and review.

If we can assist with any of the assessment or implementation please get in touch. We’d love to talk with you to see how we can help.