Written by Declan Thorpe – Cyberfort Information Security Consultant


Cyber incidents rarely begin with a clear warning. Most start with small signals: a login that doesn’t fit a pattern, a process running where it shouldn’t, a connection that looks out of place. The organisations that spot these signals early tend to have more options, more time and more control over what happens next.

The incident Co-op faced in April 2025 highlighted this reality. Public reporting shows that the organisation acted early, intervening before the attackers were able to move deeper into systems or attempt more damaging activity. Early intervention of this kind usually reflects an ability to recognise unusual activity quickly and understand enough about the situation to respond with confidence.

In a year marked by several high-profile retail cyber incidents, Co-op’s response stood out for its steadiness. The organisation acted early, demonstrating the value of understanding your environment well enough to recognise when something is out of place and intervene before the situation grows. The incident reinforced that visibility is more than a technical concept; it is a practical enabler of timely, confident decision-making that can meaningfully influence the trajectory of an incident.

A quick look at what happened

Co-op experienced a cyber-attack that resulted in unauthorised access to personal data belonging to a very large number of its members. Public reporting linked the activity to a known threat actor group, DragonForce. While the attackers were able to copy certain data, they were prevented from moving deeper into systems or deploying destructive tools.

Co-op’s leadership later explained that the organisation had clear visibility of the attackers’ activity, describing it as being able to “see every mouse click.” That level of insight, based on what was publicly shared, helped the organisation understand what the attackers had accessed and how far the intrusion had progressed. This clarity supported the investigation and allowed decisions to be made based on observable activity rather than assumptions.

Even with early detection and containment, the attack created operational challenges. Stores experienced stock shortages, some customers encountered payment issues, and the organisation reported a noticeable financial impact. Additional one-off costs were incurred as part of the response and recovery effort.

Despite this, the outcome could have been significantly more severe. Early insight into the intrusion helped prevent escalation, reduce uncertainty and support a more controlled response. It also highlighted the value of understanding what is happening inside an environment before the situation accelerates.

Why this was really a story about visibility and early detection

The Co-op incident illustrated how much difference early detection makes during a cyber-attack. Many organisations focus on recovery, but this case highlighted the decisions that come before recovery even begins: the moment when something unusual is first noticed and teams need to decide what to do next.

Several practical realities became clearer.

Early detection gives organisations more time and more options

Spotting unusual activity early allows teams to intervene before attackers escalate their access or attempt more damaging actions. Time is one of the most valuable assets during an incident, and early detection effectively creates more of it.

Visibility doesn’t require a large budget

A fully staffed SOC is valuable, but not every organisation can afford one. What matters most is understanding your assets, knowing what “normal” looks like and having monitoring in place that highlights meaningful deviations. These fundamentals are achievable for organisations of all sizes.

Informed decisions depend on knowing your environment

When teams understand their systems, dependencies and typical behaviour, they can interpret signals more accurately and avoid acting on assumptions. Visibility supports clarity, and clarity supports better decisions.

Containment is most effective when guided by insight

Containment works best when teams know what the attacker has done and what they haven’t. That clarity comes from visibility, not guesswork. Early insight helps teams act with precision rather than disruption.

The incident showed that visibility is not just a technical capability; it is a foundation for better decision-making. When organisations understand what is happening early, they can respond with greater confidence and reduce the likelihood of a wider operational crisis.

What Organisations Can Learn and Apply Right Now

Incidents like the one Co-op experienced highlight how important it is for organisations to understand what is happening inside their environment before an intrusion has the chance to escalate. The lessons are not unique to retail; they apply across sectors, especially where operations and customer-facing systems depend on accurate, timely insight.

The following areas stand out.

Know Your Assets

You cannot detect what you cannot see. Organisations benefit from:

  • a clear, current view of their systems
  • understanding which assets matter most
  • awareness of where sensitive data lives
  • visibility of external-facing services

Asset visibility is the foundation on which detection capability is built: if you don’t know what is in your environment, you don’t know what you are protecting. It reduces blind spots and helps teams recognise when something is out of place.

Monitor What Matters

Monitoring does not need to be complex or expensive. What matters is:

  • logging activity from key systems
  • watching for unusual authentication patterns
  • tracking changes to critical configurations
  • alerting on deviations from expected behaviour

Even basic monitoring can surface early signals that something is wrong.
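As an added illustration (not part of the original article), the sketch below shows the kind of basic monitoring described above: it learns each account's usual source networks and login hours from past successful logins, then flags new logins that deviate. The event format, account names, addresses and thresholds are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_network

# Constructed sample events: (ISO timestamp, user, source IP, outcome).
BASELINE = [
    ("2025-04-01T08:55:00", "asmith", "10.20.1.15", "success"),
    ("2025-04-02T09:02:00", "asmith", "10.20.1.15", "success"),
    ("2025-04-03T17:40:00", "asmith", "10.20.1.77", "success"),
    ("2025-04-01T13:10:00", "svc-backup", "10.30.5.4", "success"),
    ("2025-04-02T13:10:00", "svc-backup", "10.30.5.4", "success"),
]
NEW_EVENTS = [
    ("2025-04-04T09:01:00", "asmith", "10.20.1.90", "success"),
    ("2025-04-04T02:14:00", "svc-backup", "10.30.5.4", "success"),
    ("2025-04-04T10:00:00", "asmith", "203.0.113.8", "failure"),
    ("2025-04-04T10:00:20", "asmith", "203.0.113.8", "failure"),
    ("2025-04-04T10:00:40", "asmith", "203.0.113.8", "failure"),
    ("2025-04-04T10:01:00", "asmith", "203.0.113.8", "success"),
]

def subnet(ip):
    """Collapse an IPv4 address to its /24 so address churn is not 'new'."""
    return str(ip_network(f"{ip}/24", strict=False))

def build_baseline(events):
    """Per user: source networks and hours of day seen in successful logins."""
    profile = defaultdict(lambda: {"nets": set(), "hours": set()})
    for ts, user, ip, outcome in events:
        if outcome == "success":
            profile[user]["nets"].add(subnet(ip))
            profile[user]["hours"].add(datetime.fromisoformat(ts).hour)
    return dict(profile)

def hour_gap(a, b):
    """Distance between two hours of day on a 24-hour clock."""
    return min((a - b) % 24, (b - a) % 24)

def detect(events, profile, slack=2, burst=3, window=timedelta(minutes=5)):
    """Return (timestamp, user, reasons) for logins that deviate from baseline."""
    alerts, failures = [], defaultdict(list)
    for ts, user, ip, outcome in sorted(events):
        when = datetime.fromisoformat(ts)
        if outcome == "failure":
            failures[user].append(when)
            continue
        known, reasons = profile.get(user), []
        if known is None:
            reasons.append("no baseline for user")
        else:
            if subnet(ip) not in known["nets"]:
                reasons.append("new source network")
            if all(hour_gap(when.hour, h) > slack for h in known["hours"]):
                reasons.append("unusual hour")
        if sum(when - f <= window for f in failures[user]) >= burst:
            reasons.append("success after failure burst")
        if reasons:
            alerts.append((ts, user, reasons))
    return alerts
```

Calling detect(NEW_EVENTS, build_baseline(BASELINE)) raises two alerts on the sample data and stays quiet for the routine 09:01 login.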

Establish Clear Escalation Paths

Early detection only helps if teams know what to do next. Organisations benefit from:

  • simple, well-understood escalation routes
  • clarity on who investigates alerts
  • thresholds for when to act
  • confidence that raising a concern is the right thing to do

This turns visibility into action. It ensures that when something unusual is spotted, it does not sit unnoticed or unaddressed.

Use Early Insight to Guide Containment

Containment is most effective when informed by what you can see. Early insight helps teams:

  • isolate affected systems
  • prevent escalation
  • avoid unnecessary disruption
  • focus recovery efforts where they matter most

This is where visibility directly shapes the outcome. It allows containment to be targeted rather than broad, controlled rather than reactive.

Build Recovery on a Verified Safe Place

Recovery is easier and safer when systems remain intact, and the organisation has a clear view of the intrusion. Early detection helps preserve the conditions needed for:

  • restoring from trusted backups
  • validating system integrity
  • reintroducing services safely
  • avoiding reinfection

Safe recovery starts with early insight. When organisations understand what has happened, they can restore services with greater confidence and predictability.

Treat Visibility as a Resilience Capability

Visibility is not just a technical feature; it is a foundation for resilience. It enables:

  • earlier intervention
  • clearer decision-making
  • more accurate scoping
  • safer recovery
  • reduced operational impact

Organisations that invest in visibility are better positioned to respond calmly and effectively when the unexpected happens. It is a capability that supports every stage of an incident, from detection to containment to recovery.

The rise of AI tools has been the fastest technology adoption curve in history. In under two years, millions of small businesses have started using tools like ChatGPT, Claude, and Midjourney to write marketing copy, summarise reports, or answer customer questions.

But as AI gets smarter, the risks become sharper and so does the need for governance.

The Double-Edged Sword of AI in SMBs

AI can turbocharge productivity. It drafts documents, analyses trends, and automates repetitive admin at a fraction of the cost of human time. But behind the promise lies a fundamental truth: AI is only as safe as the data and instructions you feed it.

When staff paste client information, financial details, or internal plans into public AI tools, that data can be stored, processed, and used to train external models. It leaves your organisation permanently exposed, even if the upload was “just a quick test.”

Real-World Warnings

  • Samsung engineers accidentally leaked confidential source code by asking ChatGPT for help debugging it.
  • AI-generated phishing and voice cloning are now indistinguishable from the real thing – cybercriminals use these tools to impersonate CEOs and authorise fraudulent payments.
  • Marketing teams have faced copyright and privacy disputes after publishing AI-generated content built on protected data.
  • One SME experimenting with agentic AI bots – autonomous systems that act via APIs – accidentally flooded its internal Slack with thousands of automated messages, paralysing workflow for a day.

These aren’t hypothetical. They’re the early warning signs of a new risk class: AI misconfiguration and misuse.

Governance Is the New Firewall

AI governance doesn’t mean bureaucracy; it means boundaries. Businesses need to take this seriously, starting by mapping where AI touches their business. Key questions to ask when assessing where and how AI is being used include:

  • What tools are employees using?
  • What data do they process?
  • Where do outputs go (to clients, websites, systems)?

Then, once you have answered the questions, a one-page AI Usage Policy should be created covering:


  • Approved tools and when to use them.
  • Data rules – never input confidential or identifiable information into public models.
  • Oversight – who reviews outputs before publication.
  • Accountability – who owns AI risk in your organisation.

Once you know where AI sits in your workflow, your MSP can help enforce controls like data loss prevention, sandboxing, and access logging.

The “Human in the Loop” Principle

AI is powerful but not autonomous. Even so-called “agentic” systems need human supervision.
Every AI-driven process should have a human checkpoint before any irreversible action happens (emails sent, payments triggered, data deleted).

Think of AI as an intern – fast, tireless, but prone to confidently getting things wrong.
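As an added illustration (not part of the original article), the sketch below shows one way to build the human checkpoint described above: an agent's reversible actions run up to a cap, while irreversible ones are held until a named reviewer approves them. The class names, action kinds, cap and executor callback are hypothetical assumptions.

```python
from dataclasses import dataclass, field
from typing import Callable, Optional
# Irreversible action kinds, taken from the examples in the text above.
IRREVERSIBLE = {"send_email", "trigger_payment", "delete_data"}

@dataclass(eq=False)
class Action:
    kind: str
    params: dict
    status: str = "proposed"  # then pending / executed / rejected / blocked
    approved_by: Optional[str] = None

@dataclass
class ActionGate:
    executor: Callable[[str, dict], None]  # hypothetical side-effect performer
    max_auto_actions: int = 20             # cap on unattended actions per run
    pending: list = field(default_factory=list)
    log: list = field(default_factory=list)  # audit trail of every decision
    auto_count: int = 0

    def submit(self, action):
        """Agent entry point: run reversible actions, hold irreversible ones."""
        if action.kind in IRREVERSIBLE:
            action.status = "pending"
            self.pending.append(action)
        elif self.auto_count >= self.max_auto_actions:
            action.status = "blocked"  # runaway-loop guard
        else:
            self.auto_count += 1
            self._run(action)
        self.log.append((action.kind, action.status, None))
        return action.status

    def review(self, action, reviewer, approve):
        """Human checkpoint: a named reviewer releases or rejects a held action."""
        if action not in self.pending or not reviewer:
            raise ValueError("needs a pending action and a named reviewer")
        self.pending.remove(action)
        action.approved_by = reviewer
        if approve:
            self._run(action)
        else:
            action.status = "rejected"
        self.log.append((action.kind, action.status, reviewer))
        return action.status

    def _run(self, action):
        self.executor(action.kind, action.params)
        action.status = "executed"

def constructed_demo():
    performed = []  # constructed stand-in for real side effects
    gate = ActionGate(lambda kind, params: performed.append(kind), max_auto_actions=2)
    statuses = [gate.submit(Action("post_message", {"n": i})) for i in range(3)]
    pay = Action("trigger_payment", {"amount_gbp": 950, "payee": "constructed-supplier"})
    statuses.append(gate.submit(pay))
    before_review = list(performed)  # the payment has not run yet
    statuses.append(gate.review(pay, reviewer="finance.lead", approve=True))
    return statuses, before_review, performed
```

In the constructed run, the third chat post is blocked by the cap and the payment executes only after the reviewer releases it.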

Security Opportunities

There’s good news too: AI can strengthen your defences when used wisely. Modern detection tools use machine learning to identify anomalies faster than human analysts ever could. AI can summarise logs, flag risky behaviour, and help non-technical teams spot patterns they’d otherwise miss.
The difference between risk and reward is control.

Policy, People, and Partnership

The SMB advantage is agility: you can adapt faster than enterprises. Use that agility to get ahead with a few simple practices:

  • Assign an AI Lead to track developments, risks, and opportunities.
  • Include AI in your risk register and data governance policies.
  • Educate your teams: if they don’t understand how AI handles data, they can’t use it safely.
  • Work with your MSP to implement guardrails, such as API monitoring, MFA, and content-filtering on AI platforms.

Glen Williams at Cyberfort describes five ways to elevate security measures beyond the UK’s Cyber Essentials Plus security standard


While cyber-security could hardly rank as a higher priority in the boardroom, there’s potentially a greater risk on the cyber-security agenda. It seems friction amongst leadership is creating a divide in business between the high cyber-security risks and the lack of a CISO or cyber-security representative at board level. This cavalier approach may in itself weaken cyber-defences and leave companies wide open to successful breaches.

In fact, the UK Government’s cyber-security breaches 2025 report reflects board reduction in specialist cyber-security representation, to the extent that board-level responsibility for cyber-security at company-director level has decreased from 38% to 27% over the last four years. But with almost three-quarters (72%) of business respondents seeing cyber-security as a ‘high priority’, there is a clear disconnect between the board responsibilities required and cyber-security reality.

This is likely the reason for the low average CISO tenure being estimated at 18 to 26 months, according to the CISO Workforce and Headcount 2023 Report from Cybersecurity Ventures.

The UK Government cyber-security breaches report also tells us that current threat levels for UK businesses remain high, with as many as 43% of businesses and three in ten charities experiencing some kind of cyber-security breach or attack in the last 12 months. Being targeted is inevitable, and security teams must plan for a successful breach.

Cyber-security complacency at board level

With more CISOs stepping away from the boardroom, and in an increasingly active and intelligent cyber-threatscape featuring ransomware and highly targeted social engineering attacks, it’s likely that their board director peers aren’t qualified to step up to the ownership of cyber-security responsibilities.

There is clear evidence of the need for information security representation at board level. Research by the World Economic Forum shows that those organisations that have strong executive involvement in cyber-security are 400% more likely to repel or rapidly recover from an attack.

In fact, Cyberfort’s own customer research has highlighted an alarming complacency – that many businesses consider a Cyber Essentials Plus (CE+) certification sufficient to keep their organisation secure and fulfil board requirements. As high-profile breaches continue to dominate the media agenda, this is a high-risk strategy.

Limitations of CE+

Cyber Essentials Plus is a Government-backed certification scheme recommended as the minimum standard of cyber-security for organisations. Cyber Essentials launched in 2014 to offer a self-assessment process for adequate protection. The CE+ certification requires the same protections, along with vulnerability testing which requires external auditing before a pass can be achieved.

CE+ covers five basic areas, which might at one point have been sufficient to counter cyber-risks: patch management, access control, malware protection, secure configuration, and boundary firewalls.

Yet one of the greatest shortcomings of the CE+ strategy is the lack of information on real-time threat detection and response, an essential tool for the earliest threat detection. CE+ wasn’t designed to protect organisations against advanced persistent threats (APTs), targeted attacks, or any evolving techniques by criminal groups, which are so prevalent today.

According to the UK Information Commissioner’s Office (ICO), over 80% of successful cyber-security incidents begin with phishing, yet CE+ has no requirements around simulated phishing or awareness training beyond general advice.

Five ways to elevate cyber-security protection

In taking the following cyber-security measures, security leaders will have the best chance of being protected in the event of a cyber-attack: 

  • Real-time threat detection and response – The use of Security Operations Centres (SOC), Security Information Event Management (SIEM) platforms, and Endpoint Detection and Response (EDR) are the most effective ways to counter a cyber-attack.
  • Phishing and social engineering resilience – This is the only way of outsmarting social engineering attacks where emails are highly personalised and look like they are coming from a known person.
  • Cloud and hybrid environment protection – CE+ still assumes a traditional network perimeter, ignoring many risks associated with modern SaaS, IaaS, and BYOD environments. The complexities of growing ecosystems are allowing vulnerabilities to grow.
  • Business continuity and incident response planning – Most remarkably, there is no requirement under CE+ to prove you can recover from a ransomware attack or data breach. Planning for the worst to occur is essential to fully understand potential risk.
  • Third-party and supply chain risk – As seen in recent high-profile breaches, attackers often exploit third party vendors or contractors to access their targets. As CE+ does not assess or govern these relationships, it’s up to each business to connect with its supply chain on relevant risks.

Consequences of gaps in protection

There are some serious risks associated with investing in and relying on CE+ alone. To start with, there are hefty fines payable for non-compliance, with the average ICO fine for a serious cyber-incident in the UK being £153,722 in 2024.

Insurers are also increasing demands, with some underwriters insisting on evidence of 24/7 monitoring and incident response plans to stay covered. Business partnerships are also becoming dependent on a company’s cyber-security posture, with rising expectations of ISO 27001 or sector-specific certifications such as NHS DSPT or PCI-DSS compliance.

The knock-on effects of a business’s reputational and financial damage can’t be ignored. According to Hiscox’s 2024 Cyber-Readiness Report, almost half (47%) of organisations struggled to attract new customers following a successful cyber-attack. A major UK-based systems integrator suffered a breach in 2023 that cost £25 million in recovery, fines, and lost business, despite having security certifications.

The impact on business operations can be extensive with far-reaching consequences. In 2024, the average ransomware incident led to 21-24 days of downtime and cost $2.73 million, according to NinjaOne.

Four key actions security leaders must take

Ultimately, information security decision-makers must take four key actions to ensure their organisation is secure, resilient and compliant:

1. Ensure board-level oversight of cyber-risk through regular briefings, KPIs, and executive ownership

2. Commission an independent cyber-risk assessment that goes beyond Cyber Essentials Plus

3. Invest in detection and response capabilities – whether in-house or outsourced

4. Adopt a recognised security framework such as the NCSC’s Cyber-Assessment Framework, NIST Cyber-Security Framework (CSF) 2.0, or ISO 27001

Organisations must recognise that CE+ certification is not sufficient to counter today’s cyber-threats: it is only a baseline standard.

As threat actors are evolving faster than defences, cyber-security leaders, and those who are responsible for cyber-security at board level, must have advanced detection capabilities to identify threats as they arise. This means elevating practices beyond CE+ and adopting new tools and measures that will maximise their defences, with proactive planning for a breach that can limit impact on the business, stakeholders, customers, employees and the supply chain, should the worst occur.

Moving forward as organisations navigate through the cyber-security world, one thing is clear. Cyber Essentials Plus is the beginning, not the end. By acting now, business directors and cyber-security teams can safeguard their organisations, protect stakeholder trust, and meet their obligations in an increasingly hostile threat landscape.

Read the article on Teiss here: https://www.teiss.co.uk/cyber-risk-management/going-beyond-cyber-essentials-plus

Artificial Intelligence (AI) – one of the most discussed topics in the world of technology. Every day, people are releasing reports, thoughts and articles on what AI can potentially do and the positive impact it will have on businesses, government organisations and society both today and into the future.
