From M&S to JLR: proof cyber threats are crippling business
Production lines silent. Thousands of staff sent home. Orders stuck in limbo.
That’s the reality Jaguar Land Rover woke up to last week after a cyber attack forced it to take critical systems offline. Factories in Solihull, Halewood, and Wolverhampton ground to a halt. Sales disrupted. Suppliers stalled. Even repair garages left unable to source basic parts.
And while headlines will move on, the ripple effect will be felt for months.
This isn’t a one-off, it’s the new normal.
We’ve said before that the big threat groups were moving towards shared resources and joint operations - the JLR attack confirms it. This isn’t a standalone example.
Over the past 12 months, we’ve seen a wave of major breaches hit household names:
- Marks & Spencer and Co-op, both targeted via help-desk exploitation and social engineering, where attackers impersonated employees and persuaded IT staff to reset passwords, granting system access.
- Salesforce-related breaches impacting Google and other global brands, using vishing (phone-based social engineering) campaigns.
- Harrods, which was forced to restrict internet access across sites after unauthorised access attempts.
And the manufacturing sector is firmly in the crosshairs. Last year, manufacturing saw a 71% surge in threat actor activity. Of all victim organisations named on ransomware blogs and leak sites, manufacturing accounts for 22% - more than any other sector. As of last year, ransomware downtime has cost manufacturers an estimated $17bn, with average outages lasting 11.6 days at $1.9m per day.
And here’s the part that should make every business leader stop and think: the threat actors behind many of these attacks - Scattered Spider, LAPSUS$, and ShinyHunters - are now openly collaborating. Sharing tools. Sharing tactics. It’s organised crime, upgraded.
"Cybercrime isn’t just an IT issue - it’s a major business risk. Protecting against it takes a top-to-bottom approach, with every person in the organisation playing their part. Too often, boards hand security off to IT, but the truth is it needs to be owned across the whole business."
Charlie Blakemore, CEO at Intercity
Cyber attacks today aren’t just about stealing data. They’re about stopping business, locking you out of your systems until you pay millions and billions in Bitcoin. And even if you can keep operating, the reputational damage can take far longer to recover from than the technical fix.
And known vulnerabilities are stacking up. With Windows 10 reaching end of life on 14 October 2025, unpatched systems are about to become an open door for attackers.
Stop. Breathe. Act.
You can’t control who’s in the headlines next week. But you can control whether it’s you.
Our Director Security, Resilience and AI Practice, Lee Doughty, shares 4 points to keep your business ahead of the next breach.
1. Know your supply chain.
People have long been called the biggest security risk. That’s still true, but as defences improve, attackers are shifting to the supply chain. No business operates in isolation. As businesses harden their security, bad actors look for vulnerabilities elsewhere.
Each time we accept an integration or connection, we could be adding a potential opportunity for a bad actor. Your business is only as strong as its weakest link – and that could be a third-party supplier.
2. Do the basics well.
Patch known vulnerabilities promptly, particularly in third-party software. Delays in applying updates can leave your business vulnerable.
Audit and revoke unused or outdated access credentials. Why gift a bad actor an opportunity?
3. Network segmentation.
Easy to write, hard to do properly. Bad actors target Operational Technology (systems that control physical processes, like factory machines and assembly lines) because:
- It’s often less secure than corporate IT.
- If they get access there, they can pivot into corporate IT systems.
- Even without touching IT, a compromise of OT can disrupt operations by stopping production, halting machines and creating chaos.
Likewise, weak segmentation makes the containment of an attack manifestly more difficult: if your networks aren’t properly separated, once an attacker breaches one system, they can move laterally across your network. That makes stopping an attack much harder and increases potential damage.
To contain the attack on them, JLR were forced to shut down all operations. An effective containment, but massively disruptive.
Which brings me to my final takeaway.
4. Incident Response.
Ignoring the threat is not an option. Businesses must plan, prepare, and test their response, so they can be ready for when an attack happens, not if.
Knowing what to do is only half the battle. These three solutions help you close gaps, gain visibility, and respond faster, turning insight into action before an attack hits:
- Get strategic leadership on your security approach
A Virtual CISO (vCISO) gives you board-level cyber strategy without the C-suite salary. They’ll spot blind spots before attackers do.
- Tighten the perimeter and plug the gaps
An M365 Security Assessment can reveal misconfigurations and weak points attackers love to exploit and lock them down.
- Detect and respond faster
A Security Operations Centre (SOC) gives you 24/7 eyes on threats, so incidents are contained before they spiral into shutdowns.
The bottom line.
The JLR breach is the latest in a long list, but it won’t be the last.
Attackers are coordinated, well-resourced, and smart. They’re exploiting both technology gaps and human behaviour. The only way to counter collaboration is with collaboration: trusted partners, vCISO oversight, and an M365 security posture managed end-to-end. That’s where Intercity keeps you ahead.
If you want to know where you’re exposed (and how to fix it) start the conversation now. We’ll help you stay ahead of the threat, without the noise or panic.