In 2025, a spate of disruptive high-profile incidents proved once again that cyber risk is rarely confined to data loss or technical recovery challenges – incidents affect revenue, reputation and organisations’ ability to meet their contractual and regulatory obligations.
This blog post considers what last year’s incidents told us and what organisations should prioritise ahead of their next audit and certification cycle.
A recap of some of 2025’s major incidents: what happened and why it matters
Marks & Spencer
M&S (Marks & Spencer) suffered a cyber attack over Easter 2025, in which customer personal data was stolen. The effects of the attack went further, however. Both its online and physical retail operations were affected: the company was forced to suspend online orders and disruption to automated stock systems meant shops struggled to keep shelves full.
Retail remains a high-value target for cyber criminals. A single incident can become a multi-week trading problem.
Jaguar Land Rover
JLR (Jaguar Land Rover) was forced to halt production across its three UK plants on 1 September following a major cyber attack that struck the night before. The disruption affected sites in Solihull, Wolverhampton and Halewood, stopping work for around 30,000 employees and leaving many of the 100,000 people in its supply chain without orders or pay, with some companies warning they were on the brink of collapse.
Smaller suppliers in particular struggled with cash flow, layoffs and workers placed on zero-hour contracts. In response, the government announced a £1.5 billion loan guarantee for JLR, intended to support the supply chain and protect jobs in the West Midlands, Merseyside and beyond.
This incident highlights how manufacturing resilience depends on recovery capability, not just perimeter defences, and how the knock-on effects of an incident can severely impact suppliers.
AWS, Cloudflare and Microsoft Azure outages
In November, a Cloudflare outage took a significant part of the Internet offline, including major sites, enterprise platforms and public-facing services.
Ironically, even Downdetector – the platform that provides real-time information about service outages – apparently went down for a time.
Given Cloudflare’s position in front of a substantial share of global Internet traffic – some 20% of websites worldwide, it says – the disruption was widespread.
This wasn’t an isolated incident, either: an AWS (Amazon Web Services) outage about a month before caused similar disruption to thousands of dependent services and was followed a few days later by a smaller Microsoft Azure outage.
These incidents highlight the same core problem: most organisations now run services that depend on long chains of Cloud components. When one of those components fails, it can set off failures in systems that seem entirely unrelated.
The bigger picture: cyber crime in the UK
These weren’t isolated incidents. Just over four in ten UK businesses (43%) reported experiencing a cyber security breach or attack in the previous 12 months, according to the government’s Cyber Security Breaches Survey 2025.
So, what can you do to help prevent yourself from falling victim this year?
Key lessons for organisations
Lesson 1: Cloud dependency is a single point of failure
The Cloud outages showed that a single local failure can cascade into a widespread outage when you have:
- A single-region architecture.
- Shared identity dependencies.
- Centralised logging, monitoring, ticketing or comms on the same provider.
- Weak exit plans and untested failover.
What “good” looks like in 2026:
- Multi-region design for critical services.
- Independent access paths for emergency admin.
- Offline copies of runbooks, contacts and decision trees.
- Regular failover tests that involve the business, not just IT.
Lesson 2: Retail and supply-chain attacks are still cost-effective for attackers
The retail sector has high transaction volume, multiple endpoints and aggressive change cycles. The automotive industry has complex plant systems, suppliers and logistics. All can be disrupted relatively easily, as last year’s major incidents show: attackers don’t need to carry out sophisticated attacks if victims’ access controls and supplier processes are weak.
What “good” looks like in 2026:
- Tight supplier access, with clear joiner–mover–leaver controls.
- Strong separation between business systems and operational technology where relevant.
- Rapid containment capability, including pre-agreed isolation steps.
Lesson 3: Compliance is a baseline, not a shield
Mere compliance with standards like ISO 27001 helps, but doesn’t provide a 100% guarantee of service availability, recovery time or reputational protection – your information security practices need to continually improve, and you need continuity and incident response management plans to help you react when incidents do occur.
What “good” looks like in 2026:
- Evidence of control operation, not just control existence.
- Tested incident response and continuity procedures.
- Measured recovery objectives that reflect the real business.
Lesson 4: Phishing works because of security control drift
Most organisations have awareness training in place nowadays, but people still get caught out. The root cause is often operational drift: stale accounts, excessive privileges, poor MFA (multifactor authentication) coverage and weak processes for urgent access resets.
What “good” looks like in 2026:
- MFA everywhere that matters, including admin and third-party access.
- Phishing simulations tied to real training outcomes.
- Strong verification for service desk resets and supplier requests.
Lesson 5: Audit readiness is now board-level resilience readiness
Regulators, customers and insurers increasingly expect proof: accountability means documentation, decision records and third-party assurance that can be produced fast.
What “good” looks like in 2026:
- A living risk register linked to controls and owners.
- Supplier assurance mapped to your most critical services.
- Clear data maps for personal data, including processors and sub-processors.
Lesson 6: Patch management and configuration hygiene still fail in basic ways
Many incidents still begin with one overlooked weakness: unpatched systems, unknown assets, misconfigured Cloud services or unmanaged endpoints.
What “good” looks like in 2026:
- A complete asset inventory that matches reality.
- Measured patch SLAs that reflect exploit risk.
- Configuration baselines and monitoring for drift.
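The two checks in that list, a configuration baseline compared against the live state and patch deadlines that tighten when an exploit is known to be in use, can be expressed as a small audit script. The following is an added illustration, not code from the original post or from GRC Solutions; the baseline settings, host names, finding identifiers, dates and the SLA day counts are all constructed, and a real programme would feed it from a vulnerability scanner and configuration management export rather than inline data.

```python
"""Constructed example: configuration drift against a baseline, and patch SLA
status weighted by exploit risk. All settings, hosts, finding ids and SLA
values below are made up for illustration."""
from datetime import date, timedelta

# Assumed SLA policy (days allowed to patch). A finding with a known in-the-wild
# exploit gets the shortest deadline regardless of its severity band, which is
# what "patch SLAs that reflect exploit risk" means in practice.
PATCH_SLA_DAYS = {"critical": 7, "high": 14, "medium": 30, "low": 90}
EXPLOITED_SLA_DAYS = 3

# Constructed hardened baseline for one server class.
BASELINE = {
    "ssh.password_authentication": "no",
    "ssh.permit_root_login": "no",
    "firewall.enabled": "yes",
    "disk.encryption": "luks",
    "logging.forwarder": "enabled",
}


def config_drift(baseline, current):
    """Return (setting, expected, actual) for every baseline item the live
    config does not match. A setting that is absent is reported with
    actual=None so a missing control is never mistaken for a pass."""
    drift = []
    for key, expected in baseline.items():
        actual = current.get(key)
        if actual != expected:
            drift.append((key, expected, actual))
    return drift


def patch_status(findings, today):
    """Split missing patches into overdue and within-SLA.

    Each finding is a dict with host, id, severity, exploited (bool) and
    first_seen (date). Each returned record carries its deadline and how many
    days it is past that deadline (negative means still within SLA)."""
    overdue, within = [], []
    for f in findings:
        sla = EXPLOITED_SLA_DAYS if f["exploited"] else PATCH_SLA_DAYS[f["severity"]]
        deadline = f["first_seen"] + timedelta(days=sla)
        record = dict(f, deadline=deadline, days_over=(today - deadline).days)
        (overdue if today > deadline else within).append(record)
    return {"overdue": overdue, "within_sla": within}


# Constructed live configuration: one value drifted, one control missing.
CURRENT_CONFIG = {
    "ssh.password_authentication": "yes",
    "ssh.permit_root_login": "no",
    "firewall.enabled": "yes",
    "logging.forwarder": "enabled",
}

# Constructed scanner output. Note the medium-severity finding that is being
# exploited in the wild: it is overdue long before the critical one is.
TODAY = date(2026, 1, 15)
FINDINGS = [
    {"host": "web-01", "id": "PATCH-0001", "severity": "medium",
     "exploited": True, "first_seen": date(2026, 1, 8)},
    {"host": "web-01", "id": "PATCH-0002", "severity": "critical",
     "exploited": False, "first_seen": date(2026, 1, 10)},
    {"host": "db-01", "id": "PATCH-0003", "severity": "low",
     "exploited": False, "first_seen": date(2025, 9, 1)},
]

if __name__ == "__main__":
    for key, expected, actual in config_drift(BASELINE, CURRENT_CONFIG):
        print(f"DRIFT  {key}: expected {expected!r}, found {actual!r}")
    status = patch_status(FINDINGS, TODAY)
    for r in status["overdue"]:
        print(f"OVERDUE {r['host']} {r['id']} ({r['severity']}, "
              f"exploited={r['exploited']}) by {r['days_over']} days")
    for r in status["within_sla"]:
        print(f"OK      {r['host']} {r['id']} due {r['deadline']}")
```

Run as-is it prints two drift lines (the password-authentication change and the missing disk encryption entry) and flags PATCH-0001 and PATCH-0003 as overdue while PATCH-0002 is still inside its seven-day window. The point of the exploit-aware deadline is that a severity-only SLA would have left the medium finding with 30 days to run.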
What this means for ISO 27001 and GDPR compliance programmes in 2026
ISO 27001
2025 reinforced the need to treat Cloud and supply-chain controls as core, not optional. In Annex A of ISO 27001, the intent is explicit in controls such as:
- A.5.23 on managing the acquisition, use and exit of Cloud services.
- A.5.21 on managing information security in the ICT supply chain.
- A.5.30 on ICT readiness for business continuity.
- A.5.19 on supplier relationships.
Your 2026 audit preparations should include real evidence of Cloud governance, supplier controls and continuity testing, not just policies.
Data privacy laws, such as the GDPR (General Data Protection Regulation) and DPA (Data Protection Act) 2018
2025’s incidents also underline familiar pressure points when it comes to compliance with data privacy laws – especially accountability:
- You need demonstrable governance practices.
- Supplier and processor controls must work in practice, not just in theory.
- Incident response plans must support notification decisions and evidence.
Practical implication: Run your GDPR audit with operational scenarios in mind. Include “Cloud outage” and “supplier compromise” as standard test cases.
Practical recommendations
1) Run a compliance-plus-resilience health check
- Scope ISO 27001 controls against real service dependencies.
- Validate GDPR accountability evidence, not just statements.
- Confirm business continuity assumptions against Cloud failure modes.
2) Reassess Cloud contracts and exit plans
- Review service credits versus real loss exposure.
- Define exit assistance, data portability and switch-over timelines.
- Check multi-region commitments and shared-dependency risks.
3) Build scenarios around business impact, not threat headlines
- “Provider region fails for 12 hours.”
- “Core supplier loses admin access control.”
- “Ransomware encrypts shared identity estate.”
- “Customer contact data is exfiltrated.”
4) Test incident response properly
- Run exercises with leadership present.
- Confirm you can make decisions with incomplete data.
- Ensure you can operate when core tools are unavailable.
5) Treat phishing and access management as control systems, not training topics
- Enforce stronger verification for resets and supplier requests.
- Reduce standing privilege and tighten admin access.
- Monitor for account and configuration drift.
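Lesson 4 above names the drift that lets phishing succeed (stale accounts, excessive privilege, patchy MFA coverage), and recommendation 5 asks for it to be monitored rather than covered in training. The script below is an added example of what that monitoring looks like over an identity inventory; it is not from the original post or from GRC Solutions. The account records, role names, the 90-day staleness threshold and the finding labels are all constructed assumptions, and in practice the inventory would come from the directory or identity provider export.

```python
"""Constructed example: auditing an identity inventory for access drift.
Every account, role name and threshold below is made up for illustration."""
from collections import Counter
from datetime import date, timedelta

STALE_AFTER_DAYS = 90  # assumed policy: enabled accounts unused this long are stale
PRIVILEGED_ROLES = {"global_admin", "domain_admin", "cloud_owner"}  # assumed names

TODAY = date(2026, 1, 15)


def account(user, kind, roles, mfa, last_login, enabled=True, contract_end=None):
    """Small helper to build a constructed inventory record."""
    return {"user": user, "type": kind, "roles": roles, "mfa": mfa,
            "last_login": last_login, "enabled": enabled,
            "contract_end": contract_end}


# Constructed inventory mixing internal staff and supplier (third_party) accounts.
ACCOUNTS = [
    account("alice", "internal", ["global_admin"], True, TODAY - timedelta(days=2)),
    account("bob", "internal", ["user"], False, TODAY - timedelta(days=120)),
    account("carol", "internal", ["domain_admin"], False, TODAY - timedelta(days=5)),
    account("vendor-svc", "third_party", ["cloud_owner"], False,
            TODAY - timedelta(days=10), contract_end=TODAY + timedelta(days=30)),
    account("oldvendor", "third_party", ["user"], True, None,
            contract_end=TODAY - timedelta(days=60)),
    account("dave", "internal", ["user"], False, TODAY - timedelta(days=400),
            enabled=False),
]


def audit_accounts(accounts, today, stale_after=STALE_AFTER_DAYS):
    """Return (user, finding) pairs for the drift conditions the post lists:
    stale but still-enabled accounts, privileged or third-party access without
    MFA, suppliers holding standing admin rights, and supplier accounts that
    outlive their contract."""
    findings = []
    for a in accounts:
        privileged = bool(set(a["roles"]) & PRIVILEGED_ROLES)
        third_party = a["type"] == "third_party"
        never_used = a["last_login"] is None
        inactive_days = None if never_used else (today - a["last_login"]).days

        if a["enabled"] and (never_used or inactive_days > stale_after):
            findings.append((a["user"], "stale_enabled_account"))
        if a["enabled"] and (privileged or third_party) and not a["mfa"]:
            findings.append((a["user"], "mfa_missing"))
        if privileged and third_party:
            findings.append((a["user"], "supplier_with_standing_admin"))
        if (third_party and a["enabled"] and a["contract_end"] is not None
                and a["contract_end"] < today):
            findings.append((a["user"], "supplier_account_past_contract_end"))
    return findings


def summarise(findings):
    """Count findings by type, which is the figure worth tracking over time:
    drift is a trend, not a one-off."""
    return dict(Counter(kind for _, kind in findings))


if __name__ == "__main__":
    results = audit_accounts(ACCOUNTS, TODAY)
    for user, kind in results:
        print(f"{kind:38} {user}")
    print(summarise(results))
```

On the constructed inventory the audit leaves alice (privileged, MFA, recently used) and dave (already disabled) alone, flags bob as stale, flags carol and vendor-svc for missing MFA, flags vendor-svc for holding standing cloud-owner rights as a supplier, and flags oldvendor both as never used and as still enabled past its contract end. Treating the supplier findings as the highest priority lines up with the joiner-mover-leaver point in Lesson 2.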
6) Tighten endpoint and device loss controls
- Ensure encryption is enforced and evidenced.
- Track device inventory and ownership.
- Confirm rapid remote wipe and revocation processes.
7) Monitor the regulatory landscape and implement changes early
- The DUAA (Data (Use and Access) Act 2025) reforms the UK GDPR (General Data Protection Regulation), the DPA (Data Protection Act) 2018 and the PECR (Privacy and Electronic Communications Regulations). You will need to make changes to your data processing practices.
- If you operate in the EU, factor the EU Data Act into Cloud and data-sharing plans.
- For organisations in scope, keep NIS2 and DORA obligations aligned with supplier and resilience programmes.
How GRC Solutions can help you
2025 showed that resilience, compliance and operational delivery are now inseparable.
The lesson for security, risk and compliance leaders is that 2026 planning needs to move beyond control coverage and audit readiness, towards demonstrable resilience.
That means understanding where your organisation depends on third parties, such as Cloud providers, ensuring incident response and business continuity arrangements are realistic, and being able to evidence how decisions are made and controls operate in practice, so you can demonstrate your compliance with the laws and regulations that affect you.
Whether you want to book a health check to see how your current practices compare to best practice, review your security controls or set a roadmap for improvements, we have everything you need.
Get in touch with our experts today to see how we can help you.
