As UK retailers made the press in a series of cyber-related incidents, a familiar question surfaced again from colleagues – “Do we have a summary of key themes we can share with clients to support cyber conversations?” It’s the kind of question that tends to arise in the middle of incidents – it happened with WannaCry, SolarWinds and Log4j, and no doubt will again when the next big event hits.
When these well-intentioned questions come in from colleagues, we draw on previous experience. We pause, reflect, and recognise the “there but for the grace of god...” moment. We try to respond with insights designed to meet any version of that question.
What’s changed for me over the last two years – and what gets stronger each time – is the understanding that when cyber risks are quantified, measured and monitored regularly, we can answer those “what if?” questions with far greater confidence.
As the events of the last few months unfolded, it has become clear that the effort spent on understanding the likelihood of cyber events is out of proportion to the effort spent on understanding their impact. True cyber resilience demands a better balance: if not equal attention, then at least something closer to it than the 90/10 split I observe in discussions today.
The imbalance in how we assess cyber risk is largely structural. As an industry, we naturally gravitate to what we know best – threats, vulnerabilities and controls. These are areas where cyber teams are well equipped with established metrics, frameworks and models (even if some of the underlying models require closer scrutiny!).
In contrast, impact analysis requires cross-functional input and greater business context. It requires knowledge of value chains and revenue streams, and a strong understanding of how areas such as reputational damage might affect short-, medium- and long-term business performance. These factors aren’t necessarily more difficult to quantify, but they do require input from those outside of cyber – there will always be someone in another area of the organisation better equipped to answer what the impact will be of ‘x’ thousand lost customer records or of systems being unavailable for a period of days. For those reasons, less effort is put into that analysis.
Earlier this year, UK retailers faced a wave of ransomware attacks that tested not just their technical resilience, but their operational agility, regulatory awareness, and crisis leadership. While the headlines focused on disruption and the likely perpetrators of the attacks, the focus for any organisation should be on the lessons we can all learn from these events.
So, what are those lessons?
1. Recovery priorities must reflect more than protecting revenue
Some of the most impressive responses to cyber incidents this year came from organisations that backed up their values with swift, meaningful action – especially when it came to protecting vulnerable customers. That’s not just good crisis management; it’s brand-defining.
Recovery plans must reflect what matters to the business in calm times. When those plans account for regulatory, social, and financial impacts as well – decision-making during a crisis becomes faster, clearer, and more aligned with the organisation’s purpose. Ultimately, if it matters in your values, it should lead through action in your recovery strategy.
2. Know your minimum viable organisation
Understand in detail where automation is critical in your organisation and then understand and test your ability to operate without it. Document the essential people, processes, and decisions required to maintain a critical level of operations when tech fails and ensure teams are equipped to execute under pressure. As we embrace Agentic AI capabilities this will become even more critical.
3. Supplier confidence can make or break recovery
Gain confidence in how your suppliers will respond by including them in your crisis management simulations, and build supplier contingency plans into your crisis playbooks. Understand and anticipate how your critical suppliers will respond if you can’t guarantee payment within the usually accepted timeframe.
4. Understand the impact of systems loss
Assess supply chains to help quantify downtime in business terms – mapping IT downtime to business downtime. Align recovery priorities with peak trading days (e.g. Saturday can be up to 35% higher than Thursday for UK shoppers) in order to have an accurate understanding of the cost of business disruption.
5. Aligned communications reduce reputational damage
Establish a cross-functional crisis communications team. The variety of questions and challenges organisations have faced this year has increased, including threat actors contacting the press directly and customers being willing to give interviews across multiple channels about how the incident has disrupted their lives. Consistency across channels, from press teams to anyone engaging with customers, is key to maintaining stakeholder trust.
Just like cyber defences, the ability to respond to an incident is about more than just technology – it’s about leadership, prioritisation, and preparedness. The events of 2025 have shown us that when the worst happens, the best-prepared businesses not only respond but can even enhance their reputations in the face of adversity.