Experts discuss high profile cyber-attacks in 2025

Cyber-attacks have grown in scale, precision and impact – leaving no sector untouched. In this exclusive, ISJ draws on insights from experts to examine how the threat landscape is evolving.

In 2025, we have witnessed sophisticated cyber-attacks across a range of sectors, underscoring the need for intelligence-driven defence strategies.

From retail giants to charities, attackers are exploiting technological vulnerabilities, human factors and sprawling supply-chain dependencies.

Retail facing cyber-attacks

Criminals recently targeted Marks & Spencer and Co-op, leading to operational disruptions and financial losses.

These breaches, now classified as a Category 2 incident by the UK’s Cyber Monitoring Centre, demonstrate how intertwined digital and physical retail infrastructures can amplify risk.

“The M&S and Co-op attacks are yet another wake-up call that we must move beyond the illusion of total control in cybersecurity,” Jane Frankland MBE told International Security Journal.

“Resilience today means combining adaptive, intelligence-led defences with robust human risk management – because people remain both our greatest vulnerability and our strongest defence.

“We need to stop expecting employees to think like seasoned security professionals when their KPIs lie elsewhere,” continued Frankland.

“Instead, it’s on us as leaders to embed security into business processes, pairing adaptive security training with technical controls that evolve alongside the threat.

“Governments and industry have a role to play too – Australia’s ransomware disclosure rules and the FBI’s warnings to airlines about groups like Scattered Spider make clear that transparency and readiness are now business imperatives.

“But disclosure and collaboration are just part of the equation. We also need to leverage defensive technologies – continuous risk assessment, recovery testing, decoys and rapid restoration capabilities – to ensure organisations can contain, respond and recover quickly when, not if, attacks happen.”

“Classified as a Category 2 incident, the attack had a deep impact on each company and its partners,” said Andy Norton, European Cyber Risk Officer, Armis.

“For M&S the breach disrupted online orders […], customer data was compromised and the company faces an estimated £300m hit [according to many industry analysts] to operating profits alongside operational damage.

“The attack against Co-op also had significant operational and financial repercussions, despite the IT team taking systems offline to halt the breach.”

These incidents underscore the growing risks in the retail industry – where short-lived disruptions can result in empty shelves, panic buying and broader supply chain problems.

“With sprawling digital supply chains, high volumes of customer data and the need for always-on operations, retailers have become prime targets,” Norton continued.

“Physical and virtual assets are deeply embedded in critical workflows. For example, a modern retail environment typically includes everything from CCTV cameras and electric vehicle charging stations to point-of-sale readers and self-checkout kiosks.

“Each of these technologies introduces new pathways for attack, as well as new dependencies.

“Without understanding how these systems interact, what data they handle and how they impact operations, it is impossible to prioritise risk effectively. Criminals are aware of this.

“This escalation has also been accelerated by attackers using AI to supercharge phishing campaigns, automate exploits and evade detection with alarming precision.

“In many cases, retailers’ legacy systems cannot be patched or taken offline for updates, making them ideal targets – and many organisations lack the resources to respond effectively.

“Unfortunately, the M&S and Co-op attacks aren’t isolated; other major retailers like Harrods […] have also been targeted. With retailers on high alert, adopting cyber exposure management offers greater visibility and reassurance.”

The weakest link

Not all cyber-attacks begin with a direct assault on a retailer’s systems.

Increasingly, the weakest link lies outside the core network – in third-party vendors, compromised credentials and even the personal devices of employees.

The M&S breach demonstrates the shift, showing how social engineering, supplier-side vulnerabilities and identity-based exploits are central to the modern attack playbook.

“The recent breach at Marks & Spencer is a perfect example of how cyber-threats are evolving,” added Kamran Bahdur, Technical Director, FLR Spectron.

“It wasn’t some zero-day exploit or sophisticated malware that triggered this disruption – it was a blend of credential compromise, supplier chain weakness and old-fashioned social engineering.

“That combination is becoming the go-to playbook for attackers.

“We’ve moved past the days where firewall logs and antivirus alerts told the whole story. What we’re seeing now is quieter, more strategic infiltration.

“Infostealers like Lumma, Raccoon and RedLine are harvesting credentials by the million, often through seemingly harmless downloads or poisoned search results.

“Once those details are in the wild, they’re sold, reused or combined with SIM-swapping attacks to bypass MFA entirely.

“With phone numbers in hand, criminals can intercept messages, reset passwords and take control of key accounts – without raising alarms.

“What’s worrying is that these attacks aren’t always directly targeting the business itself,” Bahdur continued.

“In the M&S case, the entry point appears to have been through third-party support partners, where login details were either phished or brute-forced.

“From there, attackers reportedly impersonated staff over the phone to reset credentials – a tactic that’s becoming disturbingly common.

“The most dangerous breaches now often come through the back door, not the front.

“The role of communications service providers (CSPs) in this ecosystem can’t be overlooked either. We’re seeing more cases where attackers exploit CSP portals, either through credential stuffing or by compromising supplier-side accounts with elevated privileges.

“Once inside, they can impersonate IT staff, spin up malicious access tokens, or move laterally across systems that weren’t designed with zero trust in mind.”

One thing is clear: no single security measure is sufficient on its own. Multi-factor authentication tied to a mobile number can be bypassed and perimeter defences are only as strong as the weakest third-party connection.

You also can’t expect users to catch every social engineering attempt, especially when attackers have enough personal information to be highly convincing.

“Organisations need to focus on layered defences – strong identity protection, phishing-resistant MFA, better monitoring of third-party access, and above all, regular simulations that train people to question what feels urgent, familiar, or routine.

“Because those are the exact gaps attackers are slipping through.”

Targeting people, not just systems

Today’s cyber-attacks target individuals and organisations of all sizes. As threats become more personalised, even charitable organisations like The Salvation Army are falling victim to ransomware.

Ron Zayas – online privacy expert and CEO of Ironwall by Incogni – explained how these cyber-attacks are evolving and why no organisation is immune: “The Salvation Army has found out the hard way that ransomware attacks are not just for big companies.

“But more telling may be how the Salvation Army may have gotten compromised. [Many] ransomware attacks now use personal information to target members of an organisation, infiltrate their personal devices and then work their way up an organisation until they achieve the right access.

“They are not attacking organisational servers or corporate devices; they are identifying who works for an organisation and going after their devices.

“But how do hackers know who to target and why are they so successful now?”

Cyber-criminals have often relied on brute-force tactics or targeted company infrastructure directly.

Today, however, attackers are also targeting individuals within an organisation, exploiting personal data to infiltrate systems. This growing trend highlights a critical vulnerability – our digital identities.

Zayas continued: “The answer is personally identifiable information – or PII – which is information on you. Combine it with AI and clever templates and you get a phishing email that is so targeted and so personal that many people (4-5% in fact) will think it real enough to click on it.

“Copious amounts of your personal information being sold on the cheap or stolen in breaches, then fed into generative AI engines, create emails that look like they are coming from a friend or family member.

“Click on the wrong link (Look! Pictures of the kids!) and your phone gets malware on it or your credentials get stolen.

“The longer the malware lurks, the more damage it can do, scraping up every password, credential and access point you can imagine.

“These types of attacks are more cost-effective and successful than attacking well-protected servers.

“Getting to the root of this problem involves cutting off the information engine that feeds the AI.

“Large language models can’t get enough info in to deliver good results, and likewise, phishing emails without large amounts of PII are not effective.

“So, if you want to protect your organisation, lower the digital footprint of your employees. Remove or significantly lower their PII from the internet.”
