Within every modern organisation there is a technical supply chain which underpins not only how that organisation functions, but also how it protects itself. Recognising the importance of IT supply chains and minimising disruptions and vulnerabilities should be an ongoing focus for all organisations. Protecting IT supply chains is becoming increasingly important for small and medium-sized enterprises (SMEs), which are increasingly targeted for supply chain attacks because of their less rigorous security risk-management measures.

The EU ICT supply chain security toolbox seeks to provide member states with a common and structured approach to securing their supply chains. Its key objectives are:

  • Create and foster a common understanding of supply chain security risks
  • Identify potential threats, vulnerabilities and risks within the supply chain through a scenario-based methodology
  • Provide recommendations to secure the ICT supply chain

The ultimate objective of the EU supply chain toolbox is to provide guidance on effective measures for managing security risks at each stage of the services lifecycle across hardware, software and managed security services. The IT supply chain toolbox is technology agnostic and aims to focus on the assessment of supply chain risk rather than targeting specific technologies.

This toolbox aims not only to educate organisations on how they can better manage their security risk and technology, but also to provide them with examples that empower them to manage their own security.

Three things the toolbox does

1. It makes risk scenarios real and actionable

Abstract risk language can be confusing when it comes to effective security governance. Telling a board that ‘supply chain threats are increasing’ generates concern, but without the right business context (how it will affect business KPIs and KBIs) it rarely generates action. The EU ICT Supply Chain Security Toolbox aims to replace theoretical risk with real, quantifiable risk aligned to an organisation’s goals and objectives.

It identifies risk scenarios across three categories:

  • Deliberate threats such as ransomware attacks against managed service providers and the insertion of counterfeit hardware components
  • Unintended threats including faulty software updates cascading across dependent systems
  • External events such as supplier lock-in and geopolitical disruptions that could constrain an organisation’s ability to operate with a vendor they have relied upon for years

These scenarios are not hypothetical. They are drawn from documented incident patterns, ENISA threat intelligence, and the collective experience of national cyber security authorities. For IT teams, they provide a structured way for assessing supply chain exposure, not in the abstract, but against specific, realistic threat pathways.

2. It gives organisations a structured mitigation framework

The toolbox does not stop at identifying risks. It provides seven recommendations grouped across four strategic pillars, giving organisations a clear action framework rather than a list of concerns.

The first pillar demands a robust framework for ICT supply chain risk management, moving beyond point-in-time assessments to establish structured, repeatable processes that cover the full supplier ecosystem, including the tier-two and tier-three dependencies that most organisations currently have limited visibility into.

The second pillar addresses supply chain resilience through diversity: the toolbox highlights that single-vendor dependency is a strategic vulnerability, and that multi-vendor strategies are not just commercially sensible but a security ‘must have’.

The third pillar focuses on situational awareness and operational cooperation: the kind of structured information sharing between organisations and sectors that transforms isolated security teams into a networked defence community.

The fourth pillar looks to the longer term – building a resilient, trusted, and transparent industrial base through standards alignment, security certification, and an interoperable ecosystem where Software Bills of Materials (SBOMs) and cryptographic attestation become baseline procurement expectations.

Each of these pillars has immediate operational implications for IT teams. They are not aspirational; they are the measures against which your supply chain security programme will increasingly be assessed.

3. Extended scope to critical sectors through dedicated risk assessments

The toolbox is accompanied by two Union-level coordinated risk assessments that signal where the EU considers the supply chain threat to be most acute right now.

The first focuses on connected and automated vehicles, a sector where the convergence of hardware complexity, software dependency, and remote update capability creates a large supply chain attack surface. The NIS Cooperation Group recommends that the Commission and Member States identify proportionate measures to de-risk EU supply chains from high-risk suppliers, particularly in processing and decision-making systems and vehicle control components capable of receiving remote updates.

The second focuses on detection equipment used at borders and customs, infrastructure that sits at the intersection of physical and digital security, and where supply chain compromise could have consequences that extend well beyond the cyber domain.

For IT teams operating in or as part of these sectors, these assessments are not background reading. They are a direct signal of where regulatory scrutiny will intensify.

The competitive dimension IT Departments are missing

From our discussions with several customers over recent months at Cyberfort, we know that supply chain security conversations are not happening in enough boardrooms. Instead of being seen as another compliance task to complete, supply chain security should be treated as a competitive differentiator.

Organisations that can demonstrate structured, auditable supply chain risk management will increasingly win procurement decisions, particularly in public sector and regulated industries where NIS2 and DORA compliance is a requirement for suppliers. Organisations that cannot demonstrate this will find themselves excluded from opportunities, regardless of how competitive their core offering is.

The EU ICT Supply Chain Security Toolbox provides the framework to build that capability credibly and systematically. IT teams who engage with it proactively, embedding its risk scenarios into their vendor assessment processes, aligning their procurement governance with its recommendations, and investing in the information sharing infrastructure it calls for, will be ahead of the curve when national authorities begin enforcement.

Those who wait for enforcement to begin will be playing catch-up in a regulatory environment that has less tolerance for delay.

So what does this look like in practice?

An example scenario from the EU ICT supply chain toolbox, which would apply to most organisations, is:

A cloud service provider has a datacentre outage due to human error which prevents access to millions of domains, including your organisation’s. The root cause of this disruption to your web application is traced back to an air vent being mistakenly closed in the datacentre which, although simple to remediate, has left many organisations’ online services down or working at limited capacity after they failed services over to other datacentres. This extended period of downtime raises concerns around the resilience of hosting vital organisational infrastructure in the cloud.

How would the analysis of this look?

Type of incident: Service outage

Root cause: Human error

Supply chain: Cloud computing provider, organisational users of the cloud computing provider

Threat actor who could use this scenario to their advantage: Advanced persistent threats, Organised crime groups, Insiders in the supply chain

Vulnerability: Poor practices by cloud computing provider, poor supply chain management by the end user organisation

Impact: Reputational damage, service disruptions (availability and integrity)

Organisations should consider these types of incidents and risks as part of their operations. They need to consider how they would recover if something like this were to happen, and whether they have any measures in place to minimise the damage it would cause to their operations.

Without a business continuity/disaster recovery plan in place, an organisation may struggle to prioritise remediation and to get its operations up and running again.

Where to start with developing a business continuity plan

Firstly, identify your most critical and time-sensitive operations and the impact that disruption to any of them would have. Measure the impact and likelihood of these operations being disrupted, and attribute a timescale for how long your organisation could continue with these services unavailable.

Plan your response strategy – having processes in place to not only identify issues as they arise, but also how technical support are contacted in case of an emergency and what the roles look like for the involved teams will be a first step in bringing the organisation back to its full operations.

Consider the recovery – define the steps which would be required, across a variety of scenarios, to recover these critical services. That could be server failover to a new region or removal of malware from a server, depending on which risks you have defined. Create a team which knows how to start recovery and where to find the necessary materials to begin the recovery process.

Train around your key risk scenarios – you may have plans written, but do you know that they work in practice? Consider running tabletop exercises to train staff on how the plans would work in a real-world situation. This will identify key areas of weakness which can be considered and remediated before a real-world situation occurs.

Ensure communication channels are detailed within the organisation – the go-to team and the people needed to resolve each scenario should be defined in the business continuity plan. Understanding who needs to be involved will speed up the time to recover, rather than having people searching for the right teams when they are under high time pressure.

Disaster could strike at any time, day or night, and the last thing you want is to be trying to work out who you need to call at 3am. Have plans for any regulatory or external comms you might need to make in case of a breach under GDPR, or where the attack on your organisation has wide external consequences. This might be informing your suppliers, the ICO, customers or industry of what has happened and the steps you are taking to remediate.

Four top recommendations for effective incident response include:

  • Partners – know your supporting partners and contact details/process – Cyber Incident Response (CIR), Insurance, Legal
  • Decision process – Board responsibilities – have clear and known Board level decision and escalation processes
  • Empowering decision makers – rehearse and engage with Board stakeholders, educate any that are not Cyber aware
  • Exercising and planning – prioritise information sharing (reporting), etc.

Disaster recovery planning

Disaster recovery plans go into greater depth than the business continuity plan, defining the recovery objectives and how systems and data need to be protected during an outage. The recovery time objective (RTO) defines the maximum acceptable time a system or component can be down before it starts causing unacceptable damage to the organisation. This will be individual to the specific component of the organisation and will be based on the result of the business impact assessment (BIA).

As part of this process there will also be the need to define a recovery point objective (RPO) to answer the question: how much data can we afford to lose in case of a disaster? If the answer is that you cannot afford to lose any of this data, you may need to consider how you can improve your security posture to best protect it, as any system can be compromised.

For data which your organisation feels they could afford to lose, build your disaster recovery plans accordingly.

How do business continuity and disaster recovery plans benefit the organisations who have invested in them?

Reduced downtime – keeping any security-incident-related downtime to a minimum is key to maintaining a good relationship with stakeholders. If your organisation finds itself unable to recover, previous customers may start to move to competitors who have been able to maintain operations during cyber attacks or incidents.

Lower financial risk – the average cost of a data breach had been increasing year on year until last year, when it fell by 9% to $4.4 million due to improved speed of identification and containment, as organisations have become more aware of their general risk landscape.

Reduction in penalty risk – having a plan to mitigate data loss will reduce the overall security risk around your organisation’s data. Without appropriate measures in place to start data or system recovery, the organisation can be left open to high penalties for losing sensitive customer information. This is most prevalent in healthcare, finance and government environments. Having plans and steps in place to recover your systems should the worst happen might be the key to keeping your organisation functional during a cyber security incident; without them your organisation may be unable to fully recover.

The Digital Operational Resilience Act (DORA) and the revised Network and Information Systems Directive (NIS2) are two of the latest EU cyber security regulations designed to improve the security posture and cyber resilience of financial services firms.

Both regulations share the same general purpose of increasing their respective sectors’ overall transparency and security. Yet their approaches to this goal vary in several key aspects. In this article we’ll cover:

  • Key facts about DORA and NIS2
  • The importance of complying with each
  • Four main differences between DORA and NIS2
  • How the Vanta platform makes compliance easier to manage

What is NIS2?

NIS2 is an EU directive that imposes various requirements and controls on organisations within the Member States to help strengthen their cyber security posture. It’s an extension of the original NIS directive, expanding its scope to additional sectors for more comprehensive coverage.

The directive also introduces stricter and clearer cyber security requirements than its predecessor, providing more prescriptive guidance.

NIS2 came into effect in October 2024, so its implementation is well underway. If you haven’t adjusted your security controls to meet the directive’s requirements, now is the time to take action to avoid potential legal repercussions and financial penalties.

What is DORA?

DORA is an EU regulation that applies to a wide range of financial entities, including banks, investment firms, insurance companies, and payment service providers. Its main goal is to ensure the stability of the EU’s finance and insurance sectors by strengthening their resilience to information and communication technology (ICT) threats.

DORA was enacted on 16th January 2023 and the European Commission gave 24 months for its implementation. As of 17th January 2025, compliance is mandatory, and the European Supervisory Authorities (ESAs) have already started their activities.

This means that, besides NIS2, DORA is another important regulation financial services organisations should comply with, and there are multiple reasons for this.

Why you should comply with NIS2 and DORA

The main reason to comply with both DORA and NIS2 is to fulfil your regulatory obligations and avoid potentially disruptive compliance gaps that can threaten your organisation’s security posture. Both frameworks prescribe effective cyber security guidelines you should follow to protect your organisation from ever-evolving security threats.

Ensuring timely compliance will help organisations avoid considerable fines, potentially amounting to millions of euros. Both regulations also impose notable non-financial penalties (including holding individuals or management personally liable) in case of violations, which can significantly disrupt an organisation’s operations.

Even out-of-scope organisations that are not involved in financial services can benefit from adopting these frameworks for multiple reasons, including:

Improved cyber security posture: DORA and NIS2 require a granular overview of your security controls, helping you understand your cyber security posture and upgrade it with effective measures.

Operational continuity: Besides the legal and regulatory complications you might encounter if you don’t comply with DORA and NIS2, you can also avoid severe disruptions caused by different types of security breaches.

Industry-wide transparency: Both DORA and NIS2 strive toward an industry-level increase in security transparency in their respective sectors, creating a more stable and trusting operational environment.

Improved stakeholder trust: Demonstrating DORA and NIS2 compliance shows responsibility towards your regulatory obligations and data protection, giving stakeholders more confidence when they engage with your organisation.

Harmonised security compliance: DORA and NIS2 bring together various guidelines from different authoritative sources, offering a holistic approach to cyber security.

The 4 key differences between NIS2 and DORA

While NIS2 and DORA share the same overarching goal and a few general attributes like legal weight and geographic presence, they differ in a few crucial aspects:

  • Regulation type – NIS2: Directive. DORA: Regulation.
  • Implementation deadline – NIS2: 17th October 2024. DORA: 17th January 2025.
  • Scope – NIS2: Critical sectors like energy, healthcare, and transport, plus MSPs and MSSPs. DORA: Financial entities and ICT service providers.
  • Key objective – NIS2: Strengthening organisations’ overall cyber security posture beyond ICT risks. DORA: Mitigation of ICT-related cyber security risks for the financial sector.
  • Focus areas – NIS2: A broader focus, aiming to help organisations strengthen their overall cyber security posture beyond ICT risks. DORA: The effective mitigation of ICT-related cyber security risks for the financial sector.
  • Non-compliance penalties – NIS2: Fines can reach €10,000,000 or 2% of global annual revenue; top management can be held personally liable. DORA: Fines of up to 2% of total annual worldwide turnover or up to €1,000,000 for individuals; for ICT providers, penalties of €5,000,000 or up to €500,000 for individuals.

The table above covers broad distinctions, but let’s take a closer look at four differentiators that can impact your compliance strategy:

  • Regulation type
  • Scope
  • Focus areas
  • Non-compliance penalties

1. Regulation type

NIS2 is a directive, meaning it leaves room for Member States to specify the details regarding its implementation. The specific controls and obligations can vary as long as each jurisdiction can develop an enforceable framework aligned with the directive’s broad requirements.

By contrast, DORA is a regulation, meaning it’s universally applicable to in-scope entities across the EU and doesn’t allow the same leeway as NIS2. The regulation imposes the same rules on all EU Member States and their organisations, making it less interpretative than NIS2.

Despite the differences in implementation, NIS2 and DORA are both mandatory. The latter can be implemented by following the European Commission’s guidance, while NIS2 might require additional guidance from the governing body of your specific jurisdiction.

2. Scope

DORA primarily applies to EU-based financial services organisations and ICT service providers. Several examples of both categories are outlined below:

Financial services:

  • Credit institutions
  • Trading venues
  • Credit rating agencies
  • Account information service providers
  • Crypto asset service providers
  • Banks
  • Investment firms
  • Insurance and reinsurance undertakings
  • Payment service providers
  • Fintech companies
  • Finserv organisations

ICT services supporting critical or important functions of the financial entity:

  • Cloud services
  • Network security service providers
  • Voice over internet protocol (VoIP) providers
  • Managed Security Service Providers (MSSP)
  • Outsourced IT and cybersecurity services
  • Managed service providers (MSP)
  • Data centres

NIS2 has a broader scope and encompasses multiple sectors, including:

  • Energy
  • Transport
  • Banking
  • B2B ICT service management
  • Postal and courier services
  • Waste management

Organisations within these sectors can be classified into two categories under NIS2:

  • Essential entities – size threshold: 250+ employees, an annual turnover of €50 million, or a balance sheet of €43 million (varies by sector)
  • Important entities – size threshold: 50+ employees, an annual turnover of €10 million, or a balance sheet of €10 million (varies by sector)
  • Example sectors across both categories: Health, Water, Digital infrastructure, Energy, Transport, Waste management, Manufacturing, Digital providers, Postal services, Foods

The classification is based on an organisation’s industry and size. NIS2 primarily targets large and mid-sized organisations, though small businesses and startups might be impacted under specific conditions outlined in Article 2.

While NIS2 applies to a broader range of organisations, financial services organisations and their ICT service providers should prioritise DORA, as it takes precedence under lex specialis. However, organisations subject to both regulations still must comply with NIS2’s general cyber security obligations in areas not fully covered by DORA, such as cross-sector co-operation and information-sharing requirements for critical infrastructure.

Notably, both DORA and NIS2 may apply to your organisation, even if it’s domiciled outside the EU. If you provide services to entities within Member States, you may need to implement at least some of the prescribed controls.

Therefore, organisations must ensure full compliance by meeting both the specific requirements of DORA and the general requirements of NIS2.

3. Focus areas

DORA’s main focus is the effective mitigation of ICT-related cyber security risks for the financial sector. The regulation is built upon five pillars:

ICT risk management: Your organisation needs to have a dedicated control function responsible for identifying, assessing, and mitigating ICT risks.

ICT-related incident management: You need a documented incident response program that encompasses the detection, containment, resolution, and notification of ICT-related incidents.

Digital operational resilience testing: You must develop, implement, and continuously review a digital operational resilience testing program that helps you uncover and patch security vulnerabilities.

ICT third-party risk management: DORA requires a robust third-party risk management (TPRM) framework that will simplify the detection and mitigation of third-party ICT risks.

Information sharing: DORA allows (but doesn’t require) entities to exchange cyber threat information with other organisations in the financial sector to increase readiness and transparency.

NIS2 has a broader focus and aims to help organisations strengthen their overall cyber security posture beyond ICT risks. Some of the key cybersecurity risk-management measures encompassed by it include:

  • Policies on risk analysis and information system security
  • Incident handling
  • Business continuity (backup management, crisis management, etc.)
  • Supply chain security
  • Security in network and information systems acquisition, development and maintenance, including vulnerability handling and disclosure
  • Policies and procedures to assess cyber security risk-management measures
  • Cyber security training and basic security hygiene
  • Cryptography and encryption
  • Access control policies, asset management, and human resource security
  • Multi-factor authentication (MFA)

Even though both DORA and NIS2 address the security of external parties, NIS2 places a stronger emphasis on supply chain security. Meanwhile, DORA aims to ensure robust third-party risk management, covering a broader range of external service providers.

4. Non-compliance penalties

In case of DORA non-compliance, organisations might face various administrative penalties, such as:

  • Cease and desist orders for non-compliant practices
  • Pecuniary measures as defined by the Member State’s governing body
  • Requests for data traffic records

Financial entities are also subject to fines of up to 2% of their total annual worldwide turnover or up to €1,000,000 for individuals. For ICT providers, the penalties stand at €5,000,000 or up to €500,000 for individuals.

Organisations that fail to comply with NIS2 can also encounter non-monetary penalties and criminal sanctions for C-level executives. They may also face substantial fines, specifically:

Essential entities: A maximum fine of at least €10,000,000 or 2% of the global annual revenue, whichever is higher

Important entities: A maximum fine of at least €7,000,000 or 1.4% of the global annual revenue, whichever is higher

Besides lower penalties, important entities face less stringent supervision than essential entities. While essential entities must be more proactive, important entities are subject to ex-post supervision, meaning oversight occurs after evidence of non-compliance or security breaches emerges.

Both NIS2 and DORA can also hold members of management personally liable for cases of gross negligence and wilful misconduct. Still, regulators are not expected to impose personal penalties routinely; enforcement will likely be exercised in extreme cases where non-compliance results from deliberate negligence or a disregard for security obligations.

Given these penalties and oversight differences, determining whether your organisation falls under DORA, NIS2, or both is crucial to properly allocate resources.

Should you comply with DORA or NIS2?

Deciding whether to comply with DORA or NIS2 depends on your organisation’s sector. If you’re in the finance industry, you should comply with the former because it takes precedence over the equivalent requirements of NIS2. Otherwise, you may need to pursue NIS2 compliance if the directive applies to your organisation.

Either way, full compliance with these frameworks requires a structured approach. While DORA and NIS2 outline various controls, you might need more detailed prescriptive guidance for thorough implementation.

Without a clear roadmap, you might end up with unnecessarily complex and scattered workflows that can make timely compliance more difficult. To avoid such issues, you should ensure proactive compliance management.

A dedicated trust management platform simplifies this process by automating workflows, centralising documentation, and ensuring real-time compliance tracking, allowing you to achieve DORA and NIS2 compliance with less manual effort.

Most organisations rely upon a range of suppliers to deliver products, systems and services to their business to keep them running, operating and delivering for customers. This makes mapping supply chains complex and ensuring they are secure difficult as vulnerabilities can be introduced at any point within the supply chain.

From our experience at Cyberfort we often see organisations unaware of exactly who is in their supply chain and of the security risks posed by different types of suppliers. For example, when was the last time you reviewed your organisation’s third-party vendors, logistics platforms, SaaS providers and subcontractors? Each one represents a potential entry point into your business that you didn’t build, don’t control, and probably haven’t had the time to properly scrutinise.

If you don’t have a clear, continuously updated map of your supply chain’s attack surface, you are operating ‘blind’ in a threat landscape that has already figured out where your weaknesses are. In this article we explore the importance of supply chain mapping and its role in mitigating cyber security risks to an organisation.

What is supply chain mapping?

Before we delve into the detail of developing a supply chain map, it is important to understand exactly what supply chain mapping is and why it is key to resilience down the line. Supply chain mapping is a form of risk management in which organisations seek to understand and mitigate the risk in their supply chain. For most, this begins with their biggest suppliers and those who may have access to their most sensitive data. Unfortunately, this is the stage at which the majority of organisations stop, meaning there are several layers of suppliers who may be operating in your digital environment without the right security certifications, appropriate controls, posture awareness or alignment to your organisation’s security standards.

A thorough supply chain mapping exercise for cyber security purposes is dynamic, technical, and intelligence-driven, not simply a spreadsheet exercise completed once a year before an audit.

It starts with discovery. Not just asking vendors to fill out a questionnaire, but actually identifying every digital touchpoint your organisation has with external suppliers. So what does discovery look like? It means cataloguing third-party integrations, mapping data flows, identifying what access each vendor has at each privilege level, and understanding the ‘shadow IT’ that business units have adopted without security oversight, to name a few. In most organisations, this discovery phase alone can reveal several undocumented connections that no one in the security team knew existed.

From this point, time should be taken to understand the concentration risk. How many of your critical operations depend on a single vendor? What happens if that vendor goes down, or is compromised?

The next layer to map is continuous monitoring. A point-in-time assessment of your supply chain is almost immediately out of date. Vendors change their infrastructure, new integrations appear, security practices react to those changes rather than anticipating them, and the threat intelligence landscape shifts. An accurate picture of your supply chain risk requires ongoing surveillance, not an annual review.

Finally, you need context. Knowing that a vendor has a vulnerability is only useful if you understand what that vulnerability means for your specific relationship with them. Do they have access to sensitive data? Do they sit upstream of a critical production system? Risk prioritisation requires that context, and building it requires both technical depth and business understanding that most internal security teams are not resourced to deliver.

Illustration 1 – Example of where suppliers might sit within an organisation in terms of their risk profile

Who is considered the highest risk?

Organisations which have privileged access to your systems are widely considered the highest risk factor in your supply chain despite core digital infrastructure being the foundation of your business.

Core digital infrastructure like your cloud provider or internet service provider although underpinning your entire digital business is considered a lower risk due to the cloud responsibility model which ensures cloud providers have to ensure a baseline level of protection of their users data.

The highest risk level sits with managed and professional services which have a wider reach of their own suppliers, greater human risk factors and often direct privileged access into your organisation. Where cloud and ISPs simply host your data they have little direct access into your organisation. Whereas managed services may be responsible for your service desk, identity and access management and potentially terminals into your infrastructure. If one of these partners or users are compromised the attacker will have direct access to your business.

Operational and software vendor risk is ranked lower than service provider risk: for an attacker to reach your environment, the vendor, or a code library it depends on, must first be compromised and that compromise must persist into the build you install. The impact when this does happen is still high, but the likelihood is considerably lower.

Sub-contractors, and the suppliers of your cloud hosts, service providers and software, are the hardest to map. They should still be treated as a risk, either as an unknown or ranked by the likelihood of a sub-contractor being compromised and the effect that would have on your business. Because of this complexity it is often the last part of supply chain risk management to be completed: even where you can identify the risk, you may not be able to mitigate it directly.

How can you mitigate risk of supply chain compromise?

Because of the interconnected nature of the digital landscape, supply chain risk cannot be avoided altogether. There are, however, key actions you can take to limit your exposure to compromise via the supply chain:

  • Ensure your organisation has an up-to-date, centrally managed Software Bill of Materials (SBOM).
  • Track direct and indirect (transitive) dependencies.
  • Reduce your attack surface by removing unused dependencies and unnecessary features.
  • Continuously monitor for vulnerabilities in the components you use.
  • Obtain components from trusted sources over secure (TLS-protected) links and verify their integrity.
  • Pin dependency versions and upgrade deliberately, when there is a genuine need, rather than automatically pulling the latest release.
  • Identify libraries and components which are unmaintained; if they are no longer being patched, migrate to a maintained alternative or put safeguards around the component.
  • Keep CI/CD pipelines and their tooling updated.
  • Stage the deployment of updates and test them at each phase.

The question is how many of these actions you have recently undertaken, and how regularly. If you are unsure where to start, this is the time to engage a supply chain security specialist who can work with you to understand your systems, processes and interdependencies. In the next part of this article we explore several of the key actions highlighted above and their importance in mapping your supply chain to reduce cyber risk.

Why a Software Bill Of Materials matters

A software bill of materials (SBOM) is an inventory of the software components you are using, including their versions. It is how you track software vulnerabilities end to end and make sure they are remediated in a timely manner. Without a full picture of your in-use components you cannot track your technical debt or your vulnerable software. An SBOM also supports direct and indirect dependency tracking, so you can understand how a vulnerability in a code dependency affects your business operations.
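
As an added worked example, not code from the original article or from Cyberfort, the script below reads a CycloneDX SBOM, separates direct from transitive dependencies, lists components that appear in the inventory but are not referenced by the dependency graph (the unaccounted-for software the article goes on to describe), and traces each component matching an advisory back to the direct dependency that pulls it in, which is what you would actually upgrade or replace. The SBOM document, the advisory entry, the package names (webframe, httpkit, urlparse3, orphan-lib) and the advisory identifier are all constructed for the example.

```python
"""Map direct and transitive dependencies from a CycloneDX SBOM and trace
every component matching an advisory back to the direct dependency that
pulls it in.  Added example: the SBOM and the advisory below are
constructed, and the package names and advisory id are invented."""
import json
from collections import deque

# Constructed CycloneDX 1.5 document. 'app' depends directly on webframe and
# httpkit; webframe also depends on httpkit, which depends on urlparse3.
# 'orphan-lib' is listed as a component but nothing in the graph uses it.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "metadata": {"component": {"type": "application", "bom-ref": "app@1.0.0",
                               "name": "app", "version": "1.0.0"}},
    "components": [
        {"type": "library", "bom-ref": "pkg:pypi/webframe@3.2.0", "name": "webframe", "version": "3.2.0"},
        {"type": "library", "bom-ref": "pkg:pypi/httpkit@2.0.1", "name": "httpkit", "version": "2.0.1"},
        {"type": "library", "bom-ref": "pkg:pypi/urlparse3@1.26.5", "name": "urlparse3", "version": "1.26.5"},
        {"type": "library", "bom-ref": "pkg:pypi/orphan-lib@0.9.0", "name": "orphan-lib", "version": "0.9.0"},
    ],
    "dependencies": [
        {"ref": "app@1.0.0", "dependsOn": ["pkg:pypi/webframe@3.2.0", "pkg:pypi/httpkit@2.0.1"]},
        {"ref": "pkg:pypi/webframe@3.2.0", "dependsOn": ["pkg:pypi/httpkit@2.0.1"]},
        {"ref": "pkg:pypi/httpkit@2.0.1", "dependsOn": ["pkg:pypi/urlparse3@1.26.5"]},
        {"ref": "pkg:pypi/urlparse3@1.26.5", "dependsOn": []},
    ],
})

# Constructed advisory feed entry; a real process would pull these from an
# advisory database such as OSV or the NVD.
SAMPLE_ADVISORIES = [
    {"id": "EXAMPLE-2024-0001", "name": "urlparse3", "affected": ["1.26.5"], "fixed": "1.26.6"},
]


def load_sbom(text):
    """Return (root_ref, components_by_ref, dependency_graph)."""
    bom = json.loads(text)
    root = bom["metadata"]["component"]["bom-ref"]
    components = {c["bom-ref"]: c for c in bom["components"]}
    graph = {d["ref"]: list(d.get("dependsOn", [])) for d in bom.get("dependencies", [])}
    return root, components, graph


def classify_dependencies(root, components, graph):
    """Split the inventory into direct, transitive and orphaned bom-refs.
    Orphans are declared components that no dependency edge reaches: either
    dead weight to remove or a gap in the SBOM that needs explaining."""
    direct = set(graph.get(root, []))
    reachable, queue = set(), deque(direct)
    while queue:                       # breadth-first walk of the graph
        ref = queue.popleft()
        if ref in reachable:
            continue
        reachable.add(ref)
        queue.extend(graph.get(ref, []))
    return direct, reachable - direct, set(components) - reachable


def find_paths(root, graph, target):
    """All acyclic dependency chains from root to target."""
    paths = []

    def walk(node, path):
        if node == target:
            paths.append(path)
            return
        for nxt in graph.get(node, []):
            if nxt not in path:        # guard against cycles in the graph
                walk(nxt, path + [nxt])

    walk(root, [root])
    return paths


def assess(sbom_text, advisories):
    """Match components to advisories and attribute each hit to the direct
    dependencies that introduce it, which are what you actually upgrade."""
    root, components, graph = load_sbom(sbom_text)
    direct, transitive, orphans = classify_dependencies(root, components, graph)
    findings = []
    for ref, comp in components.items():
        for adv in advisories:
            if comp["name"] != adv["name"] or comp["version"] not in adv["affected"]:
                continue
            paths = find_paths(root, graph, ref)
            findings.append({
                "component": ref,
                "advisory": adv["id"],
                "fixed_in": adv["fixed"],
                "scope": "direct" if ref in direct else "transitive",
                "via_direct": sorted({p[1] for p in paths if len(p) > 1}),
                "paths": [" -> ".join(p) for p in paths],
            })
    return {"direct": sorted(direct), "transitive": sorted(transitive),
            "orphans": sorted(orphans), "findings": findings}


if __name__ == "__main__":
    print(json.dumps(assess(SAMPLE_SBOM, SAMPLE_ADVISORIES), indent=2))
```

On the constructed input the vulnerable component is transitive and is reached through both direct dependencies, so upgrading only one of them would leave the vulnerable version in the build; that is the kind of answer an SBOM plus dependency graph gives you and a flat package list does not.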

Reducing your attack surface

Without an SBOM you will struggle to reduce your attack surface: there may be components running which are not only unaccounted for but also unmanaged, so required updates are never applied. That leaves you exposed to vulnerabilities long after fixes for them have been published.

Maintaining updated CI/CD pipelines

Keeping your CI/CD pipeline up to date is a key practice for maintaining supply chain security and can be achieved through a series of defined practices:

  • Consolidate CI/CD tooling into a single platform to reduce maintenance overhead and context switching for developers.
  • Automate as much as you can, so that security scanning, deployment and infrastructure provisioning run continuously with minimal manual intervention; the results still need human review.
  • Shift security left. CI/CD pipelines are an opportunity to build security checks into the pipeline as early as possible, reducing risk and producing more inherently secure applications. Finding issues early also means remediation is prioritised sooner in the delivery cycle, making the last-minute panic to patch before release a thing of the past and saving time, money and the risk of releasing applications which could be compromised.

Tooling to support shifting security left includes:

  • Static application security testing (SAST): analyses source code without executing it to discover code-level vulnerabilities.
  • Software composition analysis (SCA): identifies open source components within codebases by inspecting package manager metadata, manifests, lock files, binaries and container images, and generates an SBOM from them. The SCA tooling then compares that SBOM against vulnerability databases and flags known vulnerabilities, licensing issues and code quality issues so that security teams can prioritise mitigation.
  • Dynamic application security testing (DAST): a form of ‘black box’ testing in which tooling exercises the running application and finds vulnerabilities in its behaviour which SAST may not have identified.
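
One concrete shift-left gate, as an added example that is not part of the original article or of any Cyberfort tooling: a check run in the pipeline before dependencies are installed, which fails the build if a Python requirements lockfile contains an unpinned dependency, a dependency without a sha256 hash, a package index served over plain HTTP, or a --trusted-host option (which tells pip to accept that host without valid HTTPS). It enforces the earlier advice to obtain components from trusted sources over secure links and to upgrade deliberately rather than floating to whatever the latest release happens to be. The lockfile, package names and digests below are constructed placeholders.

```python
"""CI gate for a pip requirements lockfile: fail the build unless every
dependency is pinned with == and a sha256 hash, and every index is fetched
over HTTPS with certificate checks intact.  Added example; the lockfile,
package names and hashes below are constructed."""
import re
import sys

PIN_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]*(\[[^\]]*\])?\s*==\s*\S+")
HASH_RE = re.compile(r"--hash=sha256:[0-9a-f]{64}(?:\s|$)")
INDEX_RE = re.compile(r"^--(?:extra-)?index-url\s+(\S+)")
TRUSTED_RE = re.compile(r"^--trusted-host\s+\S+")

FAKE_HASH_A = "a" * 64   # placeholder digests, not real package hashes
FAKE_HASH_C = "c" * 64

# Constructed lockfile: one good entry, one unhashed, one unpinned, an HTTP
# mirror and a --trusted-host that disables TLS checks for that mirror.
SAMPLE_LOCKFILE = f"""\
--index-url https://pypi.org/simple
# pinned and hashed: accepted
libalpha==1.4.2 \\
    --hash=sha256:{FAKE_HASH_A}
# pinned but no hash: rejected
libbeta==0.9.0
# floating range: rejected even though it carries a hash
libgamma>=2.0 \\
    --hash=sha256:{FAKE_HASH_C}
--extra-index-url http://mirror.internal/simple
--trusted-host mirror.internal
"""


def logical_lines(text):
    """Yield lockfile entries with backslash continuations joined and
    comments dropped (pip treats '#' as a comment when it starts a line or
    follows whitespace; hex digests never contain '#')."""
    buf = ""
    for raw in text.splitlines():
        line = re.sub(r"(^|\s)#.*$", "", raw).rstrip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        buf += line
        if buf.strip():
            yield " ".join(buf.split())
        buf = ""
    if buf.strip():
        yield " ".join(buf.split())


def check_lockfile(text):
    """Return a list of (entry, reason) violations; empty means the gate passes."""
    violations = []
    for entry in logical_lines(text):
        index = INDEX_RE.match(entry)
        if index:
            if not index.group(1).lower().startswith("https://"):
                violations.append((entry, "index URL must use HTTPS"))
            continue
        if TRUSTED_RE.match(entry):
            violations.append((entry, "--trusted-host disables TLS certificate checks for that host"))
            continue
        if entry.startswith("-"):
            continue  # other pip options (-r, -c, --no-binary ...) are out of scope here
        if not PIN_RE.match(entry):
            violations.append((entry, "dependency is not pinned with =="))
        if not HASH_RE.search(entry):
            violations.append((entry, "no --hash=sha256 pin"))
    return violations


if __name__ == "__main__":
    # In the pipeline: python gate.py requirements.txt ; a non-zero exit fails the job.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOCKFILE
    problems = check_lockfile(text)
    for entry, reason in problems:
        print(f"REJECT: {reason}: {entry}")
    sys.exit(1 if problems else 0)
```

Run against the constructed lockfile the gate rejects four entries and exits non-zero; with every requirement pinned and hashed and only HTTPS indexes it exits zero. The same idea applies to any ecosystem with lockfile integrity fields (npm's package-lock.json integrity, Go's go.sum).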

Vulnerability monitoring

Once you know your technology stack and have an SBOM you can build a vulnerability management process to identify which software is vulnerable and which patches or updates you need to apply, both to secure it and to stay compliant with the security frameworks your business is aligned to.

To build an effective vulnerability management process within your organisation:

  1. Produce an SBOM and identify your data flows and their importance to the business.
  2. Ensure your systems have a secure configuration. Aligning to industry baselines such as the CIS Benchmarks or NIST guidance is a good place to start for avoiding misconfiguration, and the configuration should be baked into builds rather than retrofitted after deployment.
  3. Perform vulnerability, DAST and SAST scanning.
  4. Conduct a risk assessment to tell stakeholders what newly discovered vulnerabilities mean for the organisation: are they exploitable, which systems do they affect, and how likely is exploitation?
  5. Train employees in security awareness. This should be more than a yearly awareness video; interactive exercises such as simulated phishing or vishing keep staff alert to the threats they face day to day.
  6. Perform penetration testing. Vulnerability scanning is effective at discovering known issues before code is deployed, but penetration testing validates whether your security controls hold up under real-world attack conditions. Once the test is complete your organisation receives a report of the findings and of the controls which need to be hardened.

ISO published the ISO 27001 standard, which specifies an information security management system (ISMS), in 2005. Significant revisions followed in 2013 and 2022 to reflect the evolving cyber security threat landscape and technologies. In this article we cover the current control requirements established in ISO 27001:2022 and the key differences from ISO 27001:2013.

This article explains how the 2022 version of the standard has evolved from its 2013 predecessor and the controls your organisation can implement to become ISO 27001 compliant.

Why was the standard updated?

ISO 27001:2013 served organisations well for nearly a decade, but the threat environment it was written for has changed significantly. Cloud computing, remote working, supply chain attacks, and the everyday use of connected devices in work and personal life have all fundamentally altered how risk presents itself. The 2022 revision was designed to reflect the changing threat landscape, align more closely with the harmonised structure shared by other ISO management system standards, and incorporate lessons learned from widespread adoption of the 2013 standard.

Organisations certified under the 2013 version were given a transition period to move to the new standard, with the deadline for full transition set at 31 October 2025. Any organisation that has not yet started its ISO 27001:2022 journey needs to move to the new standard now.

What are the current ISO 27001 controls?

ISO 27001 controls form the backbone of the ISMS. They address risks to information security and help ensure that critical data remains confidential, retains its integrity and stays available. The controls in Annex A are divided into four categories, or themes: organisational, people, physical and technological.

Annex A in ISO 27001:2013 listed 114 controls across 14 domains, including access control, cryptography and incident management. The 2022 update reorganised and modernised these controls to align with current cyber security challenges. Instead of 14 domains, the controls are now grouped into four broader themes:

  • Organisational (37 controls): governance, risk management, supplier relationships and compliance practices
  • People (8 controls): human factors in security, such as screening, training and awareness
  • Physical (14 controls): protection of physical assets and locations
  • Technological (34 controls): safeguarding IT systems and infrastructure

The update aims to simplify implementation and improve clarity as new threats emerge.

Key differences between ISO 27001:2022 and ISO 27001:2013

The shift from ISO 27001:2013 to ISO 27001:2022 introduced several notable changes:

Reduction and consolidation of controls

The number of controls has decreased from 114 to 93, with several consolidated to eliminate redundancy. For example, the separate 2013 controls for cryptographic policy and key management are now grouped under a single control on the use of cryptography (8.24).

Introduction of “attributes” for enhanced context

The 2022 version introduces five attributes that help organisations understand the purpose and application of each control, and filter or group the control set in different ways:

  • Control type (preventive, detective, corrective)
  • Information security properties (confidentiality, integrity, availability)
  • Cyber security concepts (identify, protect, detect, respond, recover)
  • Operational capabilities (for example governance, asset management, identity and access management)
  • Security domains (governance and ecosystem, protection, defence, resilience)

These attributes allow a more flexible and tailored approach to implementing controls based on organisational needs.

New controls to address emerging threats

Eleven new controls have been added, reflecting advances in technology and the rise of threats such as ransomware and supply chain attacks.

The new controls are arguably the most important thing for IT teams to understand: they were added because they reflect security challenges that were either absent or under-represented in 2013. From our experience at Cyberfort, the new controls that IT and cyber security teams most need to focus on are:

  • Threat intelligence (5.7) — Organisations must now demonstrate that they are actively gathering, analysing and acting on information about threats relevant to their environment. Ad hoc awareness of the threat landscape is no longer sufficient; there must be a structured process.

  • Information security for use of cloud services (5.23) — Given how central cloud infrastructure has become to most organisations, it is striking that the 2013 standard did not address it directly. The 2022 version requires organisations to establish and manage information security policies and controls specifically for cloud usage, covering acquisition, use, management of and exit from cloud services.

  • ICT readiness for business continuity (5.30) — This control formalises the need for ICT continuity planning that is properly integrated into the organisation’s broader business continuity management.

  • Physical security monitoring (7.4) — Surveillance and monitoring of physical premises to detect and deter unauthorised access is now an explicit requirement.

  • Configuration management (8.9) — Secure configurations of hardware, software, services and networks must be documented, implemented, monitored and reviewed. This is a control many organisations believed they were doing well, until they tried to evidence it formally.

  • Information deletion (8.10) — Data deletion requirements, aligned with retention policies and privacy obligations, are now a standalone control rather than embedded within broader data handling guidance.

  • Data masking (8.11) — The use of masking, pseudonymisation and anonymisation to protect sensitive data is now explicitly required where appropriate.

  • Data leakage prevention (8.12) — DLP as a formal control is a significant addition, requiring organisations to implement measures to detect and prevent the unauthorised disclosure of information.

  • Monitoring activities (8.16) — Continuous monitoring of networks, systems and applications to detect anomalous behaviour is now a named requirement.

  • Web filtering (8.23) — Management of access to external websites to protect systems from malware and to prevent access to unauthorised web resources.

  • Secure coding (8.28) — Secure software development principles must be applied to internally developed code, including the open source and third-party components it incorporates, reflecting the growing importance of application security in the overall risk picture.

Taken together, these new controls show where ISO expected organisations to have gaps: cloud security, proactive threat intelligence, data governance and continuous monitoring. For many IT teams, closing those gaps requires capabilities that are difficult to build in-house.

These changes may appear incremental, but they reflect a push toward greater rigour and demonstrability. Auditors will be looking for evidence of intentional, documented decision-making, not just good outcomes.

The transition challenge for IT and Cyber Security leaders

Understanding the changes is one thing. Managing the transition is another. For most IT and cyber security teams, the path from 2013 to 2022 certification involves several concurrent workstreams: gap analysis against the new controls, updating the Statement of Applicability, revising risk treatment plans, updating policies and procedures, and preparing staff for audit under the new requirements.

At the same time, the day job still needs doing. Incidents still happen. Projects still demand attention. Budgets still need defending. The result, for many organisations, is that the transition is delayed or delegated to team members who lack the bandwidth or specialist knowledge to execute it effectively. This is the context in which the value of a specialist MSSP and a platform partner like Vanta becomes clear.

How a specialist MSSP Partner can make the difference in achieving ISO 27001:2022

From our experience at Cyberfort helping hundreds of organisations to achieve the new ISO 27001 standard, most internal IT teams, however capable, simply do not have the time, skills or expertise to transition to the new standard on their own.

For example, at Cyberfort we can provide specialist knowledge across the full control set. The new Annex A controls, particularly threat intelligence, DLP and continuous monitoring, require both technical capability and process maturity. A specialist MSSP will already have these capabilities deployed for multiple customers, so organisations benefit from experience that would take years to develop internally.

Continuous monitoring as a managed service: control 8.16 requires ongoing monitoring of networks and systems. Building a credible in-house Security Operations Centre is expensive and resource-intensive. An MSSP provides this capability as a service, with 24/7 coverage, threat intelligence feeds and experienced analysts, at a fraction of the cost of a comparable internal function.

Gap analysis and transition support: a specialist MSSP can conduct a structured gap analysis against ISO 27001:2022, identifying where current controls fall short and providing a prioritised remediation roadmap. This accelerates the transition and ensures that effort is focused where it matters most for certification.

Documentation and evidence management: this is one of the areas where organisations struggle most. During audits, IT and cyber security teams must demonstrate that controls are not just in place but operating effectively. An experienced MSSP helps build and maintain the evidence base (audit logs, configuration records, incident reports and review documentation) that auditors expect to see.

Supply chain security: the 2022 standard places greater emphasis on it, through the supplier relationship controls (5.19 to 5.22) and the cloud services control (5.23). An MSSP operating across multiple customer environments has broad visibility of supply chain risk patterns and can bring that intelligence to bear on behalf of individual customers.

Finally, achieving certification is not the end of the journey; maintaining it requires continuous attention. An MSSP provides the ongoing management that keeps controls effective, ensures policies are reviewed and updated, and prepares the organisation for surveillance audits without creating resource peaks that overwhelm internal teams.

Implementing ISO 27001 controls with Vanta

Implementing ISO 27001 controls can seem daunting, as discussed earlier in the article. But there is a way forward. At Cyberfort we have partnered with Vanta to deploy an automated compliance platform that helps organisations map existing controls to the updated standard, identify gaps and implement changes.

From our experience at Cyberfort we have seen first-hand how Vanta’s progress tracking and its views of tests and controls overlap with complementary frameworks such as SOC 2 and GDPR, which gets you closer to multi-framework compliance for a fraction of the effort. The platform’s control mapping feature makes it easier to see how your current ISMS aligns with the 2022 framework, saving time and reducing complexity. Its continuous monitoring capability also helps ensure that new controls such as cloud service security are actively maintained, reducing the risk of non-compliance.

Cyber Insurance News podcast host Martin Hinton talks with Glen Williams, CEO of Cyberfort, about how breaches really happen. This episode starts with the “high-vis jacket attack”, then moves into the human factor, 24/7 monitoring, Cyber Essentials, and why compliance isn’t the same as resilience.

They also cover AI risk, SME cybercrime, and the three controls mid-market firms should prioritise: training, MFA, and an analogue backup solution.

Written by Hattie Irving – Cyberfort Security Consultant


With the UK Government’s Cyber Security Breaches Survey 2025 reporting that just 14% of UK businesses have reviewed the risks posed by their immediate suppliers, and only 7% their wider supply chain, in the last 12 months, is it time organisations took their supply chain security risks more seriously?

At Cyberfort we have spent recent months exploring why supply chain security is still such a ‘blind spot’ for many organisations. After all, most people reading this article know that supply chains are widely interconnected and have some understanding of the security risks they pose. So why is this area of cyber security still not taken seriously enough? Are supply chains too complex for organisations to map, or is supply chain security being left behind as other priorities take precedence?

In this article we explore why supply chain cyber security needs to be taken more seriously, practical actions organisations should undertake and how to mitigate supply chain compromise risks.

Dispelling the supply chain security control myths

Let’s start with a reality check. Most organisations have direct relationships with tens or hundreds of third-party suppliers. Those suppliers have their own suppliers, and those suppliers have theirs. Across these layers of separation an organisation’s sensitive data and critical systems are potentially exposed to thousands of companies operating under security postures your organisation has never reviewed and cannot effectively monitor.

Unfortunately, along the way supply chain security has fallen into a ‘tick-box exercise’ trap. Many organisations build their supply chain security on a foundation of trust and self-attestation that assumes good faith, static relationships and accurate self-reporting, rather than auditing and testing suppliers’ security controls.

But the reality is that supply chains are dynamic, interconnected and messy. Compliance reports provide a point-in-time snapshot that is out of date the moment it is published, and they reflect what the supplier believed to be true at the time, not what is actually true now.

From our experience at Cyberfort we have identified five common challenges organisations face when it comes to supply chain cyber security:

  • Low recognition or understanding of the risk that poor supply chain security can pose
  • Lack of investment to protect against supply chain risk
  • Limited visibility of supply chains
  • Insufficient tools and expertise to evaluate suppliers’ cyber security practices
  • Not knowing what you can ask of your suppliers

These challenges may appear easy to recognise and resolve on the surface. But the reality is that, because of the complexities involved in supply chain security, the actions required to overcome them can be hard to carry out without expert support.

Why is supply chain security a problem?

Managing supply chain security is the responsibility of every business. Organisations that do not treat their cyber security posture as an important part of their supply chain operations put their customers, and potentially their industry, at risk of attack.

A lack of understanding of your organisation’s supply chain can leave you vulnerable to:

Software supply chain attacks – attackers compromise a software product, library or build system so that every organisation using the product inherits the compromise. SolarWinds is the key example: a backdoor was inserted into the Orion platform during SolarWinds’ build process rather than in its source repository, so it escaped code review and shipped to customers inside a routine, legitimately signed update. Every customer that installed the trojanised build was exposed, and the attackers then chose which of those networks to go on and exploit.

Service provider supply chain attacks – attackers target managed service providers (MSPs) or IT infrastructure vendors to reach many clients at once, or abuse the trusted processes those providers run. This was brought to global attention in 2025 when M&S, Co-op and Harrods were all hit by attacks publicly linked to the DragonForce ransomware operation, in which attackers used social engineering against IT helpdesk processes; in the M&S case the helpdesk was reportedly outsourced to Tata Consultancy Services (TCS).

Hardware supply chain attacks – malicious actors undermine the authenticity or integrity of physical components during manufacturing or distribution to gain persistence in their targeted supply chain. Stuxnet, the worm that reached the Iranian uranium enrichment facility at Natanz via infected USB drives, is often cited as an early example that combined a physical delivery vector with a software attack, although strictly it abused removable media rather than compromising manufactured components.

So what does this tell us? Your organisation may have already been indirectly compromised without even realising it.

Even if you detect anomalous activity in your environment, determining whether it originated in your own infrastructure or came through a supplier is difficult. Modern attacks are designed to blend in with legitimate traffic, using authorised access and trusted relationships to avoid detection.

When supplier credentials are stolen and used to access your systems, the activity looks legitimate. When malicious code is injected into a software update, your systems install it voluntarily. When a compromised supplier employee account accesses your data, all the logs show is authorised access.

This creates a detection problem that most security teams are not equipped to solve.
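
One way to make that authorised-looking activity reviewable, as an added example rather than anything from the original article or Cyberfort’s own tooling: encode what each supplier account is contractually allowed to do (which systems, from which networks, during which hours) and score every successful login against it, so that a valid credential used from an unexpected network, at an unexpected hour, or against a system outside the supplier’s remit raises an alert even though the authentication itself succeeded. The account name, networks, support hours and log lines below are constructed.

```python
"""Score successful supplier-account activity against the supplier's
contracted scope, so authenticated access that is out of scope still
produces an alert.  Added example; the scope, account name, networks and
log lines are constructed."""
import ipaddress
from datetime import datetime

# Constructed scope agreed with one managed service provider: the account it
# uses, the systems it supports, its egress network and its support hours (UTC).
SUPPLIER_SCOPE = {
    "svc_helpdesk_vendor": {
        "allowed_systems": {"servicedesk", "idp-admin"},
        "allowed_networks": [ipaddress.ip_network("203.0.113.0/24")],
        "allowed_hours_utc": (8, 18),   # start inclusive, end exclusive
    },
}

# Constructed access log: timestamp|user|source_ip|target_system|result
SAMPLE_LOG = """\
2025-04-22T09:14:05Z|svc_helpdesk_vendor|203.0.113.45|servicedesk|success
2025-04-22T10:02:11Z|svc_helpdesk_vendor|203.0.113.45|idp-admin|success
2025-04-22T23:41:57Z|svc_helpdesk_vendor|198.51.100.7|idp-admin|success
2025-04-23T11:20:30Z|svc_helpdesk_vendor|203.0.113.46|payroll-db|success
2025-04-23T11:25:00Z|svc_helpdesk_vendor|203.0.113.46|payroll-db|failure
2025-04-23T11:30:00Z|alice|10.0.4.12|payroll-db|success
"""


def parse_line(line):
    """Split one pipe-delimited record into typed fields."""
    ts, user, ip, system, result = line.strip().split("|")
    return {
        "ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
        "user": user,
        "ip": ipaddress.ip_address(ip),
        "system": system,
        "result": result,
    }


def deviations(event, scope):
    """Reasons this event falls outside the supplier's agreed scope."""
    reasons = []
    if not any(event["ip"] in net for net in scope["allowed_networks"]):
        reasons.append("source outside supplier's declared networks")
    start, end = scope["allowed_hours_utc"]
    if not start <= event["ts"].hour < end:
        reasons.append("outside contracted support hours")
    if event["system"] not in scope["allowed_systems"]:
        reasons.append("system outside contracted scope")
    return reasons


def review(log_text, scopes):
    """Return alerts for successful supplier logins that break scope.  Failed
    attempts are left to normal brute-force detection; accounts that are not
    supplier accounts are left to ordinary user behaviour analytics."""
    alerts = []
    for line in log_text.strip().splitlines():
        event = parse_line(line)
        scope = scopes.get(event["user"])
        if scope is None or event["result"] != "success":
            continue
        reasons = deviations(event, scope)
        if reasons:
            alerts.append({"ts": event["ts"].isoformat(), "user": event["user"],
                           "ip": str(event["ip"]), "system": event["system"],
                           "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in review(SAMPLE_LOG, SUPPLIER_SCOPE):
        print(alert)
```

On the constructed log the first two supplier logins are in scope and produce nothing, the late-night login from an undeclared network produces one alert with two reasons, and the daytime access to a system the supplier does not support produces another. The scope data is the piece most organisations never write down; without it, all three successful logins are indistinguishable from each other.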

Compliance doesn’t equal supply chain security

One of the major reasons supply chain security remains a ‘blind spot’ for many organisations is the misconception that ‘passing a compliance audit must mean we are secure’.

ISO certifications, SOC 2 reports and supplier security questionnaires are all important and have their place. But on their own they can create the appearance of diligence without reducing risk. Compliance frameworks are minimum baselines, not security guarantees. They measure what organisations claim to do, not what they actually do, and they assess controls at a point in time rather than continuously. A supplier holding ISO 27001 is like a car holding a valid MoT: it has met the minimum standard of roadworthiness, but the certificate tells us nothing about how the vehicle performs, how it is driven or how it behaves under strain. A pass today does not mean it will still be roadworthy next week or next month.

It is important to note that the threat landscape evolves daily. New vulnerabilities are discovered, attack techniques emerge, and suppliers change their infrastructure and security practices. Quite often these changes are not reflected in the certifications your organisation reviewed during supplier onboarding.

The harsh reality is an organisation can have a fully compliant supply chain and still be compromised.

Understanding Visibility Gaps

Most organisations have no real idea what is actually happening in their supply chain, as the UK Government’s Cyber Security Breaches Survey cited earlier in this article shows. Most businesses know who their suppliers are and may know what data and services they access. But they almost certainly do not know what their suppliers’ suppliers are doing, which sub-processors are involved, where data is actually stored, or who has access to their systems at any given moment.

You cannot defend what you cannot see. You cannot detect anomalies in relationships you don’t monitor. You cannot respond to incidents in systems you don’t understand. You cannot recover from breaches when you don’t know how deep the compromise goes.

Modern attack methods exploit this gap. They compromise the parts of your supply chain that your organisation is not watching or monitoring and move through connections you didn’t know existed.

Does your incident response plan incorporate your organisation’s supply chain?

Imagine discovering a breach tomorrow. Your incident response plan leaps into action. You isolate systems, contain the damage, begin forensic analysis. You notify customers, regulators, stakeholders.

Now imagine discovering that the breach originated from a supplier. Which supplier? When did it start? What data was accessed? How many other customers of that supplier are affected? Does the supplier even know they’re compromised?

Welcome to the supply chain incident response nightmare.

Traditional incident response assumes you control the compromised infrastructure. But in supply chain attacks, the initial compromise happened somewhere else, possibly weeks or months ago, in systems you don’t own, can’t access, and may not even know about.

Your ability to contain the breach depends on a third party’s ability to detect it, understand it, and respond to it. Your timeline for notification is limited by how long it takes the supplier to realise they’re the source. Your recovery depends on trusting that the supplier has fully remediated their systems before you re-establish the connection.

This is not a position you want to be in.

Do you know what your organisation can ask of its suppliers?

Supplier assessment is easily overcomplicated. At Cyberfort we suggest you start small and map your suppliers out, including software vendors, cloud services and anyone who has access to your data. Then rank them by criticality to your operations: who has the most access, who handles the most sensitive data, and who can your business not survive without?

Once you have a comprehensive list of your suppliers, record their answers to the following questions to better understand your supply chain security:

  • Do you hold ISO 27001 or Cyber Essentials certification?
  • Have you had a data breach? When, and what happened?
  • How do you train your staff on security?
  • Have you assessed your own suppliers’ security?
  • How is access to data controlled within your organisation?

How can you use your suppliers’ answers to better protect your business?

Once you have established a supplier’s security posture and understand what they do to protect themselves, you can begin to think about how to better protect your organisation.

Stress testing – test your suppliers’ security measures, and your joint response, through tabletop and live exercises. Use simulations of low and high impact events to understand the limitations of your incident management process.

Incident and crisis management – Establish an effective incident management process to improve business resilience, support business continuity and reduce financial impact.

  • Ensure you have an agreed incident management process with your suppliers.
  • Run a crisis simulation exercise to model a supply chain compromise and work through the initial steps your organisation would take.
  • Be prepared to provide support and assistance to suppliers where security incidents have the potential to impact your organisation or the wider supply chain.
  • Share information with suppliers to help prevent them falling victim to cyber-attacks.

Be aware of your horizon – changes in the types of cyber threat you are experiencing, in vulnerabilities, best practices and technology may all affect your supply chain security, as may changes in geopolitics and the economy. Consider undertaking a threat modelling session to understand your key threats and how they might materialise for your business.

Ensure contracts include clauses that enforce high cyber security standards on suppliers. Any supplier with access to your company data should be required to comply with your defined cyber security standards.

Consider cyber insurance to work alongside your protective measures. If the worst does happen, insurance can cover business costs arising from dealing with a breach, subject to the terms of the policy.

Join Cyberfort and Cybit for an on-demand webinar that lifts the lid on how attackers are now using AI to power ransomware, and what you can do to protect your organisation before it is too late. In this webinar, Cyberfort and Cybit will walk you through how AI is being used to design, adapt, and scale ransomware campaigns, and what this means for your data protection strategy. You will see how quickly an AI-driven attack can move, where most organisations are blind to risk, and what practical steps you can take to strengthen your defences.

Jake Upfield (Head of Solutions Advisory – Cybit) and Rob Vann (Chief Solutions Officer – Cyberfort) will combine real-world insight with a live walkthrough of how AI models can be applied inside ransomware systems, giving you a rare view into the attacker mindset.

Written by Declan Thorpe – Cyberfort Information Security Consultant


Cyber incidents rarely begin with a clear warning. Most start with small signals, a login that doesn’t fit a pattern, a process running where it shouldn’t, a connection that looks out of place. The organisations that spot these signals early tend to have more options, more time and more control over what happens next.

The incident Co-op faced in April 2025 highlighted this reality. Public reporting shows that the organisation acted early, intervening before the attackers were able to move deeper into systems or attempt more damaging activity. Early intervention of this kind usually reflects an ability to recognise unusual activity quickly and understand enough about the situation to respond with confidence.

In a year marked by several high-profile retail cyber incidents, Co-op’s response stood out for its steadiness. The organisation acted early, demonstrating the value of understanding your environment well enough to recognise when something is out of place and intervene before the situation grows. The incident reinforced that visibility is more than a technical concept; it is a practical enabler of timely, confident decision-making that can meaningfully influence the trajectory of an incident.

A quick look at what happened

Co-op experienced a cyber-attack that resulted in unauthorised access to personal data belonging to a very large number of its members. Public reporting linked the activity to the known threat actor group DragonForce. While the attackers were able to copy certain data, they were prevented from moving deeper into systems or deploying destructive tools.

Co-op’s leadership later explained that the organisation had clear visibility of the attackers’ activity, describing it as being able to “see every mouse click.” That level of insight, based on what was publicly shared, helped the organisation understand what the attackers had accessed and how far the intrusion had progressed. This clarity supported the investigation and allowed decisions to be made based on observable activity rather than assumptions.

Even with early detection and containment, the attack created operational challenges. Stores experienced stock shortages, some customers encountered payment issues, and the organisation reported a noticeable financial impact. Additional one-off costs were incurred as part of the response and recovery effort.

Despite this, the outcome could have been significantly more severe. Early insight into the intrusion helped prevent escalation, reduce uncertainty and support a more controlled response. It also highlighted the value of understanding what is happening inside an environment before the situation accelerates.

Why this was really a story about visibility and early detection

The Co-op incident illustrated how much difference early detection makes during a cyber-attack. Many organisations focus on recovery, but this case highlighted the decisions that come before recovery even begins: the moment when something unusual is first noticed and teams need to decide what to do next.

Several practical realities became clearer.

Early detection gives organisations more time and more options

Spotting unusual activity early allows teams to intervene before attackers escalate their access or attempt more damaging actions. Time is one of the most valuable assets during an incident, and early detection effectively creates more of it.

Visibility doesn’t require a large budget

A fully staffed SOC is valuable, but not every organisation can afford one. What matters most is understanding your assets, knowing what “normal” looks like and having monitoring in place that highlights meaningful deviations. These fundamentals are achievable for organisations of all sizes.

Informed decisions depend on knowing your environment

When teams understand their systems, dependencies and typical behaviour, they can interpret signals more accurately and avoid acting on assumptions. Visibility supports clarity, and clarity supports better decisions.

Containment is most effective when guided by insight

Containment works best when teams know what the attacker has done and what they haven’t. That clarity comes from visibility, not guesswork. Early insight helps teams act with precision rather than disruption.

The incident showed that visibility is not just a technical capability; it is a foundation for better decision-making. When organisations understand what is happening early, they can respond with greater confidence and reduce the likelihood of a wider operational crisis.

What Organisations Can Learn and Apply Right Now

Incidents like the one Co-op experienced highlight how important it is for organisations to understand what is happening inside their environment before an intrusion has the chance to escalate. The lessons are not unique to retail; they apply across sectors, especially where operations and customer-facing systems depend on accurate, timely insight.

The following areas stand out.

Know Your Assets

You cannot detect what you cannot see. Organisations benefit from:

  • a clear, current view of their systems
  • understanding which assets matter most
  • awareness of where sensitive data lives
  • visibility of external facing services

Asset visibility is the foundation on which detection capability is built: if you don’t know what is in your environment, you don’t know what you are protecting. It reduces blind spots and helps teams recognise when something is out of place.

Monitor What Matters

Monitoring does not need to be complex or expensive. What matters is:

  • logging activity from key systems
  • watching for unusual authentication patterns
  • tracking changes to critical configurations
  • alerting on deviations from expected behaviour

Even basic monitoring can surface early signals that something is wrong.
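The monitoring list above is deliberately plain: log the key systems, learn what normal authentication looks like, and alert on deviations. The following is an added example, not code from the original article or from Cyberfort, that does exactly that over constructed sshd-style log lines. The log format, the user and address values, and the thresholds (five failures inside five minutes, a per-user set of usual source addresses and hours) are assumptions chosen for illustration; a real deployment would learn the baseline from a longer window and feed findings into whatever alerting the organisation already has.

```python
"""Baseline-and-deviation check over authentication log lines.

Added example with constructed syslog-style lines, not real Co-op or Cyberfort
data. The log format and the thresholds are assumptions for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
import re

# Constructed sample lines (sshd-like). The first block is a week of "normal"
# activity used to learn a baseline; the second block is the day under review.
BASELINE_LOG = """\
2025-04-07T08:52:10 auth sshd: Accepted password for alice from 10.0.1.20
2025-04-07T09:03:41 auth sshd: Accepted password for bob from 10.0.1.31
2025-04-08T08:47:02 auth sshd: Accepted password for alice from 10.0.1.20
2025-04-08T17:58:19 auth sshd: Accepted password for bob from 10.0.1.31
2025-04-09T08:55:33 auth sshd: Accepted password for alice from 10.0.1.20
2025-04-09T09:12:07 auth sshd: Accepted password for bob from 10.0.1.33
2025-04-10T08:49:51 auth sshd: Accepted password for alice from 10.0.1.20
2025-04-11T09:01:15 auth sshd: Accepted password for bob from 10.0.1.31
"""

REVIEW_LOG = """\
2025-04-14T08:50:12 auth sshd: Accepted password for alice from 10.0.1.20
2025-04-14T02:13:40 auth sshd: Failed password for bob from 198.51.100.7
2025-04-14T02:13:44 auth sshd: Failed password for bob from 198.51.100.7
2025-04-14T02:13:49 auth sshd: Failed password for bob from 198.51.100.7
2025-04-14T02:13:53 auth sshd: Failed password for bob from 198.51.100.7
2025-04-14T02:14:02 auth sshd: Failed password for bob from 198.51.100.7
2025-04-14T02:14:10 auth sshd: Accepted password for bob from 198.51.100.7
2025-04-14T09:05:30 auth sshd: Accepted password for bob from 10.0.1.31
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ sshd: (?P<result>Accepted|Failed) password "
    r"for (?P<user>\S+) from (?P<src>\S+)$"
)


@dataclass(frozen=True)
class AuthEvent:
    ts: datetime
    user: str
    src: str
    ok: bool


def parse(log: str) -> list:
    """Parse the constructed log format; lines that do not match are skipped."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(AuthEvent(datetime.fromisoformat(m["ts"]), m["user"],
                                    m["src"], m["result"] == "Accepted"))
    return events


def build_baseline(events):
    """Per user: the source addresses and hours of day seen in successful logins."""
    srcs, hours = defaultdict(set), defaultdict(set)
    for e in events:
        if e.ok:
            srcs[e.user].add(e.src)
            hours[e.user].add(e.ts.hour)
    return srcs, hours


def find_deviations(baseline, events, fail_threshold=5, fail_window_s=300):
    """Return (user, reason) findings for successful logins that break the baseline.

    Reasons: a source address never seen for that user, a login outside the
    user's usual hours, and a success following a burst of failures within
    fail_window_s seconds.
    """
    srcs, hours = baseline
    findings = []
    recent_failures = defaultdict(list)  # user -> timestamps of recent failures
    for e in sorted(events, key=lambda x: x.ts):
        if not e.ok:
            recent_failures[e.user].append(e.ts)
            continue
        if e.src not in srcs[e.user]:
            findings.append((e.user, f"new source {e.src}"))
        if e.ts.hour not in hours[e.user]:
            findings.append((e.user, f"off-hours login at {e.ts.hour:02d}:00"))
        window = [t for t in recent_failures[e.user]
                  if (e.ts - t).total_seconds() <= fail_window_s]
        if len(window) >= fail_threshold:
            findings.append((e.user, f"success after {len(window)} failures"))
        recent_failures[e.user] = []  # a success closes the failure window
    return findings


def review(baseline_log=BASELINE_LOG, review_log=REVIEW_LOG):
    """Learn the baseline from one log and report deviations in the other."""
    return find_deviations(build_baseline(parse(baseline_log)), parse(review_log))


if __name__ == "__main__":
    for user, reason in review():
        print(f"ALERT {user}: {reason}")
```

Run against the constructed data, alice’s usual morning login produces nothing, while bob’s 02:14 success from an address never seen before, after five failed attempts, produces three separate findings. Each one on its own is a small signal of the kind the article describes; together they are the sort of early indicator that justifies an escalation rather than a note in a ticket.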

Establish Clear Escalation Paths

Early detection only helps if teams know what to do next. Organisations benefit from:

  • simple, well understood escalation routes
  • clarity on who investigates alerts
  • thresholds for when to act
  • confidence that raising a concern is the right thing to do

This turns visibility into action. It ensures that when something unusual is spotted, it does not sit unnoticed or unaddressed.

Use Early Insight to Guide Containment

Containment is most effective when informed by what you can see. Early insight helps teams:

  • isolate affected systems
  • prevent escalation
  • avoid unnecessary disruption
  • focus recovery efforts where they matter most

This is where visibility directly shapes the outcome. It allows containment to be targeted rather than broad, controlled rather than reactive.

Build Recovery on a Verified Safe Place

Recovery is easier and safer when systems remain intact and the organisation has a clear view of the intrusion. Early detection helps preserve the conditions needed for:

  • restoring from trusted backups
  • validating system integrity
  • reintroducing services safely
  • avoiding reinfection

Safe recovery starts with early insight. When organisations understand what has happened, they can restore services with greater confidence and predictability.

Treat Visibility as a Resilience Capability

Visibility is not just a technical feature; it is a foundation for resilience. It enables:

  • earlier intervention
  • clearer decision-making
  • more accurate scoping
  • safer recovery
  • reduced operational impact

Organisations that invest in visibility are better positioned to respond calmly and effectively when the unexpected happens. It is a capability that supports every stage of an incident, from detection to containment to recovery.

Cyber incidents often make headlines because of the disruption they cause, but they also reveal how organisations operate behind the scenes. The 2025 incident at Jaguar Land Rover (JLR) did exactly that, bringing into focus how closely its operations are connected to suppliers, shared systems and the wider manufacturing ecosystem.

What stood out wasn’t just the interruption itself, but the way it exposed the dependencies that keep a modern automotive operation moving. Supply chains in this sector are highly interconnected, and even a brief pause can surface links that usually sit quietly in the background. The JLR outage made some of those connections more visible and offered a practical reminder of how quickly operational pressures can ripple outward.

Seen through that lens, the incident becomes less about the disruption and more about what it revealed. It highlighted the level of interdependence built into today’s manufacturing environments and pointed to clear opportunities for organisations to strengthen their resilience. The lessons are practical, achievable and relevant far beyond the automotive sector.

A Quick Look at What Happened

When the cyber‑attack occurred, JLR paused parts of its UK production to contain the issue, restore affected systems and verify that operations could resume safely. What initially appeared to be a short interruption extended as teams completed recovery work and confirmed that core processes were stable.

The disruption affected several areas:

  • Manufacturing: some production lines paused and schedules were adjusted.
  • Supply chain: suppliers of all sizes experienced delays as orders and timings shifted.
  • Logistics: movements of parts and finished vehicles were rescheduled, creating knock‑on effects across transport networks.
  • Retail operations: downstream activity changed as production timelines moved.

Throughout the incident, JLR prioritised system stability and close coordination with partners. Production returned gradually, with a focus on safety and continuity across the manufacturing network.

The pause also offered a clearer view of how operational dependencies surface during unexpected events. It showed:

  • how quickly changes in one area can influence others
  • how reliant modern manufacturing is on shared digital processes
  • how important coordinated communication becomes when operations need to adjust at pace

This helps explain why the incident resonated beyond JLR itself. The effects were felt across a broad ecosystem of businesses, reinforcing the importance of understanding supply‑chain dependencies before they are tested.

Why This Was Really a Supply Chain Story

While the incident was centred on JLR, the wider context sits within the structure of automotive manufacturing. The sector relies on a broad network of suppliers, shared digital platforms and coordinated logistics processes, and any disruption naturally draws attention to how these elements interact in practice.

A few operational realities were highlighted during the pause:

  • Digital systems support day-to-day operations. Modern manufacturing uses a range of digital tools for ordering, scheduling, supplier coordination and logistics. When these systems are unavailable or slowed, it can influence how physical operations run.
  • Production processes are tightly timed. Automotive manufacturing typically follows structured, time-sensitive workflows. Even small changes to those workflows can create adjustments elsewhere, simply because the system is designed to move at a steady pace.
  • Suppliers notice changes quickly. When production activity shifts, suppliers often feel the effects early. Larger suppliers may have more capacity to absorb changes, but smaller businesses can be more exposed to sudden fluctuations.

Taken together, the incident illustrated how interconnected the automotive sector is. When a major manufacturer experiences a disruption, the effects can be felt across organisations of varying sizes and roles. It also provided a clearer view of where resilience measures can make a meaningful difference.

What Organisations Can Learn and Apply Right Now

Incidents like this are disruptive, but they also shine a light on where organisations can improve. The lessons aren’t limited to automotive manufacturing; they apply to any business that relies on suppliers, partners or digital systems.

Here are the key takeaways.

Map Your Supply Chain

Most organisations have a list of suppliers. Very few have a clear picture of:

  • which suppliers rely on which systems
  • how data flows between them
  • where the single points of failure are
  • which suppliers are genuinely critical

A clear supply-chain map doesn’t need to be complicated, but it does need to be accurate. And it’s an effective way to spot risks before they become problems.

This is especially important for organisations with complex operations. Without a clear map, it’s almost impossible to understand how a disruption in one area might affect another. JLR’s experience showed how quickly a single incident can ripple across an entire ecosystem.

Set Clear Security Expectations for Suppliers

Security requirements shouldn’t be vague or buried in contracts. They should be:

  • specific
  • measurable
  • regularly reviewed
  • aligned with your own risk appetite

If suppliers are part of your attack surface, and they are, they need to be part of your security strategy.

This doesn’t mean expecting every supplier to meet the same standards as a global manufacturer. It means setting expectations that are proportionate, realistic and clearly communicated. When suppliers know what’s expected of them, they’re far more likely to meet those expectations.

Limit Supplier Access to What’s Necessary

A common weakness in supply-chain breaches is overprivileged access. Suppliers often have:

  • more access than they need
  • access for longer than necessary
  • access that isn’t monitored

Follow the principle of least privilege:

If someone doesn’t need access today, they shouldn’t have it today.

This isn’t about mistrust; it’s about reducing the number of doors an attacker could potentially walk through. Access should be granted sparingly, monitored closely and removed promptly when no longer needed.
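The three weaknesses listed above (access for longer than necessary, access that isn’t monitored, and the general rule that nobody should hold access today that they don’t need today) can be turned into a routine check. The following is an added example, not code from the original article or from Cyberfort or JLR, that models supplier access as time-bound grants and runs two checks over them: a gate check at request time that refuses expired, revoked or open-ended grants, and a periodic review that lists which grants to revoke or fix. The grant fields, supplier and system names, dates and the 30-day idle threshold are all constructed assumptions.

```python
"""Time-bound supplier access: a least-privilege gate and review over grants.

Added example with a constructed access register; the record fields, the
30-day idle threshold and the supplier names are assumptions for illustration.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass
class AccessGrant:
    grant_id: str
    supplier: str
    system: str
    granted_on: date
    expires_on: Optional[date]    # None means open-ended: the weak setting
    last_used_on: Optional[date]  # None means never used
    revoked: bool = False


def access_allowed(grant: AccessGrant, today: date) -> bool:
    """Gate check at request time.

    A revoked or expired grant is refused even if it still exists in the
    register, and an open-ended grant is not honoured: every grant must carry
    an expiry so that access cannot quietly outlive its purpose.
    """
    if grant.revoked:
        return False
    if grant.expires_on is None or today > grant.expires_on:
        return False
    return True


def review_grants(grants, today: date, idle_days: int = 30):
    """Periodic review: return (grant_id, action) pairs for grants that should
    not exist in their current form today."""
    findings = []
    idle_cutoff = today - timedelta(days=idle_days)
    for g in grants:
        if g.revoked:
            continue  # already removed; nothing to do
        if g.expires_on is None:
            findings.append((g.grant_id, "set an expiry: open-ended access"))
        elif today > g.expires_on:
            findings.append((g.grant_id, "revoke: expired but still active"))
        # Monitoring of use: access nobody has touched is access nobody needs.
        if g.last_used_on is None and g.granted_on <= idle_cutoff:
            findings.append((g.grant_id, f"revoke: never used in {idle_days} days"))
        elif g.last_used_on is not None and g.last_used_on < idle_cutoff:
            findings.append((g.grant_id, f"revoke: idle since {g.last_used_on}"))
    return findings


# Constructed sample register (not a real supplier list).
TODAY = date(2025, 9, 15)
SAMPLE_GRANTS = [
    AccessGrant("g1", "logistics-partner", "wms-api",
                date(2025, 8, 20), date(2025, 9, 30), date(2025, 9, 14)),
    AccessGrant("g2", "line-integrator", "plc-vpn",
                date(2025, 1, 10), None, date(2025, 9, 12)),
    AccessGrant("g3", "audit-firm", "erp-reports",
                date(2025, 3, 1), date(2025, 3, 31), date(2025, 3, 20)),
    AccessGrant("g4", "kiosk-vendor", "store-net",
                date(2025, 6, 1), date(2025, 12, 31), None),
    AccessGrant("g5", "old-mssp", "siem",
                date(2024, 5, 1), date(2025, 5, 1), date(2025, 4, 30), revoked=True),
]

if __name__ == "__main__":
    for grant_id, action in review_grants(SAMPLE_GRANTS, TODAY):
        print(grant_id, action)
```

In the constructed register only the logistics partner’s grant passes both checks: it has an expiry, it is in date and it was used yesterday. The integrator’s open-ended VPN grant is refused at the gate until someone puts an end date on it, the audit firm’s grant expired months ago and is still sitting in the register, and the kiosk vendor has held access for over three months without using it once. Those are exactly the "doors" the section describes, and a review like this is how they get closed.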

Build Segmentation into Your Architecture

Segmentation is an effective way to contain cyber incidents. If one system goes down, it shouldn’t take everything with it. In JLR’s case, the attack affected production systems across multiple factories, a sign that segmentation could have reduced the blast radius.

Segmentation doesn’t eliminate risk, but it buys time. And in a cyber incident, time is everything.

It also helps organisations recover more quickly. When systems are segmented, it’s easier to isolate the affected areas, restore unaffected systems and bring operations back online in stages.

Test Your Response with Supplier-Focused Scenarios

Most incident response exercises focus on internal failures. But real-world incidents often start elsewhere.

Useful scenarios include:

  • a key supplier going offline
  • a shared platform being compromised
  • a supplier’s credentials being used maliciously

These exercises don’t just test your technical response; they test communication, decision-making and the ability to keep the business running under pressure. They also help identify gaps that might not be obvious during day-to-day operations.

Strengthen Communication Channels with Suppliers

During a crisis, silence creates confusion. Clear, pre-agreed communication paths help everyone respond faster and more effectively.

This includes:

  • knowing who to contact
  • knowing how to escalate
  • knowing what information to share
  • knowing how to coordinate recovery

Good communication doesn’t fix the problem, but it makes sure that the people who need to know, do know. It also helps maintain trust both internally and externally.

When suppliers know what’s happening, they can take action to protect their own systems and support your recovery efforts. When they’re left in the dark, they can’t.

Build Contingency Plans for Critical Suppliers

If a supplier goes down, what’s your plan B? Or C? Or D?

Even a basic fallback plan can keep operations moving while the primary supplier recovers. It doesn’t need to be perfect; it just needs to exist.

Contingency planning isn’t about expecting the worst. It’s about being prepared for the unexpected. And as JLR’s experience showed, the unexpected can happen quickly.

Cyber-attacks aren’t a dramatic, once-in-a-lifetime set of events. These days they are part of routine operations, and they hit organisations of every size. In 2025 we saw this play out clearly when Jaguar Land Rover, Co-op and Marks & Spencer (M&S) all found themselves dealing with serious incidents. It was a blunt reminder that no brand is too established or too well resourced to avoid being caught out.

When something like this happens, the technical response is only half the story. The other half, and often the part that decides whether customers stay calm or start losing trust, is how the company communicates. Clear and honest updates can stop a difficult situation from turning into a reputational mess.

That’s what crisis communications is about: being upfront, cutting through confusion and helping people understand what’s going on without adding to the panic.

In 2025, M&S showed what it looks like when a company takes that responsibility seriously. In this article we review what M&S did well, draw out the lessons other organisations can learn from M&S’s response to their cyber-attack, and provide practical, actionable steps for businesses who want to make sure they have the right incident response and communication plans in place should they be attacked.

A Quick Introduction to Crisis Communications

So let’s get started. First of all, what is Crisis Communications and why are they so important in an incident response process?

Crisis communications are the structured approach organisations use to communicate during unexpected, high-pressure events: anything from a data breach to a product recall to a global pandemic. The goal is simple: protect people, protect trust, and protect the business.

Why does it matter so much today?

  • Cyber-attacks are increasing in scale and impact. 2025 provided further evidence of growing cyber risk, with attacks deeply affecting economic stability and business continuity.
  • Customers expect transparency. Silence or vague statements erode trust faster than the breach itself.
  • Regulators are watching. Poor communication can lead to reputational damage and regulatory scrutiny.
  • Social media accelerates everything. Misinformation spreads instantly if organisations don’t fill the information vacuum.

Done well, crisis communications can turn a chaotic situation into a moment of leadership. Done poorly, it can turn a technical incident into a reputational disaster.

What Happened: The 2025 Marks & Spencer Cyber Attack

In April 2025, Marks & Spencer disclosed a major cyber-attack that severely disrupted its operations. The incident was identified as a ransomware breach which forced the retailer to shut down automated ordering and stock systems, leading to empty shelves and significant operational strain.

The impact was substantial:

  • Online sales were brought to a standstill
  • Food shelves were left bare
  • The financial hit was enormous
  • Disruption lasted for months

Despite the severity of the incident, M&S managed to maintain customer trust and protect its brand reputation. And that wasn’t luck; it was the result of communication.

How M&S Communicated During the Crisis

While the technical details of the attack were complex, M&S’s communication strategy was refreshingly simple: be honest, be visible, and be human.

They Communicated Early and Openly

M&S didn’t wait for rumours to spread or for customers to notice empty shelves. They disclosed the attack promptly, explaining the nature of the disruption and its expected duration.

This early transparency helped:

  • Set expectations
  • Reduce speculation
  • Demonstrate accountability
  • Build trust during uncertainty

In a world where many organisations still try to “keep things quiet,” M&S chose clarity over concealment.

They Provided Regular, Timely Updates

Throughout the incident, M&S issued ongoing updates to investors, customers, and the media. Timely updates prevented:

  • Confusion
  • Misinformation
  • Customer frustration

And importantly, they showed that M&S was in control, even if at times the situation itself wasn’t.

They Used Clear, Accessible Language

M&S avoided technical jargon and focused on what customers needed to know:

  • What happened
  • How it affected them
  • What the company was doing about it
  • When things would return to normal

This is especially important in cyber incidents, where overly technical explanations can alienate or confuse audiences.

They Demonstrated Leadership Visibility

M&S’s CEO played a prominent role in communications, offering reassurance and outlining recovery plans. His public statements emphasised both transparency and determination, including the company’s intention to use the disruption as an opportunity to accelerate technology transformation.

Leadership visibility signals:

  • Accountability
  • Confidence
  • Stability

And it reassures customers that the organisation is taking the incident seriously.

They Maintained a Customer‑Centric Tone

Even while dealing with operational chaos, M&S kept the focus on customer experience. Their messaging acknowledged the inconvenience, explained the impact on stock and online services, and reassured customers that restoring normal service was the top priority.

This empathetic tone helped mitigate the psychological impact of the attack, particularly the anxiety customers feel when their favourite retailer experiences a breach.

Lessons Other Businesses Can Learn from M&S

The M&S incident offers valuable lessons for organisations of all sizes, not just retail giants.

Here are the key takeaways.

  • Transparency Builds Trust – Customers don’t expect perfection, but they do expect honesty. Being upfront about what happened and what you’re doing to fix it is always better than silence.
  • Speed Matters – The first 24–48 hours of a cyber incident are critical. Quick communication prevents rumours and demonstrates control.
  • Consistency Is Key – Regular updates, even if the update is “we’re still working on it”, keep stakeholders reassured.
  • Leadership Should Be Visible – A calm, confident leader can steady the ship and reinforce trust.
  • Empathy Goes a Long Way – Cyber-attacks are stressful for customers too. Acknowledging their concerns helps maintain loyalty.
  • Preparation Makes Everything Easier – M&S’s ability to communicate effectively didn’t happen by accident. It happened because they had plans, processes, and trained people.

Cyber‑Focused Advice for Businesses Preparing for Attacks

If the Marks & Spencer incident taught us anything, it’s that crisis communications doesn’t exist in a vacuum. It’s tightly woven into cyber readiness, technical resilience, and the ability to make decisions quickly under pressure. Here’s how organisations can strengthen their cyber posture and their communication capability at the same time.

Build a Real‑World Incident Response Plan

Not a theoretical document. Not a dusty PDF. A plan people can actually use at 2am when the ransomware alarm goes off.

It should include:

  • Clear roles and responsibilities
  • Playbooks for the most likely attack types
  • A rapid approval process for communications
  • A single source of truth for updates

A good plan removes panic and replaces it with muscle memory.

Know Your Crown Jewels

You can’t protect everything equally. Identify:

  • Your most critical systems
  • Your most sensitive data
  • Your highest‑risk suppliers

This helps you prioritise both your technical response and your communications when something goes wrong.

Train Your People (Not Just IT)

Cyber incidents are cross‑functional events. Everyone needs to know:

  • How to report suspicious activity
  • What to say, and what not to say
  • How to route media or customer enquiries
  • How to avoid spreading unverified information

Tabletop exercises, for example, are a great way to expose gaps and build confidence. At Cyberfort we recommend that incident response plans are tested on an annual basis as a minimum. The crisis simulation exercises undertaken should use common attack scenarios tailored to your organisation’s specific sector, so you can see where the communication, process and response gaps are in real time, before an incident happens.

Prepare Customer‑Friendly Messaging in Advance

When an incident hits, you won’t have time to wordsmith. Pre‑prepare:

  • Holding statements
  • FAQs
  • Internal updates
  • Regulator‑ready notifications

Keep them simple, human, and jargon‑free.

Establish a Crisis Communications “Battle Rhythm”

Decide in advance:

  • How often you’ll issue updates
  • Who approves messaging
  • Which channels you’ll use
  • How you’ll coordinate with technical teams

This rhythm keeps everyone aligned and prevents misinformation from filling the silence.

Strengthen Your Technical Foundations

Good crisis communications are easier when your cyber basics are solid. Prioritise:

  • Access controls
  • Regular patching
  • Network segmentation
  • Tested offline backups
  • Endpoint detection and response
  • Supplier risk assessments
  • Regular security reviews by a specialist MSSP

These controls reduce the blast radius, and the communication chaos.

Build a Culture of Early Reporting

The sooner you know something’s wrong, the sooner you can contain it. Encourage:

  • Zero‑blame reporting
  • Quick escalation
  • Transparency across teams

Culture is one of the most underrated cyber controls.
