Cyber-attacks aren’t a dramatic, once‑in‑a‑lifetime set of events. These days they are part of routine operations, and they hit organisations of every size. In 2025 we saw this play out clearly when Jaguar Land Rover, Co‑Op and Marks & Spencer (M&S) all found themselves dealing with serious incidents. It was a blunt reminder that no brand is too established or too well resourced to avoid being caught out.

When something like this happens, the technical response is only half the story. The other half, and often the part that decides whether customers stay calm or start losing trust, is how the company communicates. Clear and honest updates can stop a difficult situation from turning into a reputational mess.

That’s what crisis communications is about: being upfront, cutting through confusion and helping people understand what’s going on without adding to the panic.

In 2025, M&S showed what it looks like when a company takes that responsibility seriously. In this article we review what M&S did well, draw out the lessons other organisations can learn from M&S’s response to its cyber-attack, and provide practical, actionable steps for businesses that want to make sure they have the right incident response and communication plans in place should they be attacked.

A Quick Introduction to Crisis Communications

So let’s get started. First of all, what are crisis communications, and why are they so important in an incident response process?

Crisis communications are the structured approach organisations use to communicate during unexpected, high‑pressure events, anything from a data breach to a product recall to a global pandemic. The goal is simple: protect people, protect trust, and protect the business.

Why does it matter so much today?

  • Cyber-attacks are increasing in scale and impact. 2025 provided further evidence that the notoriety of cyber risk is increasing, with attacks deeply affecting economic stability and business continuity.
  • Customers expect transparency. Silence or vague statements erode trust faster than the breach itself.
  • Regulators are watching. Poor communication can lead to reputational damage and regulatory scrutiny.
  • Social media accelerates everything. Misinformation spreads instantly if organisations don’t fill the information vacuum.

Done well, crisis communications can turn a chaotic situation into a moment of leadership. Done poorly, it can turn a technical incident into a reputational disaster.

What Happened: The 2025 Marks & Spencer Cyber Attack

In April 2025, Marks & Spencer disclosed a major cyber-attack that severely disrupted its operations. The incident was identified as a ransomware breach which forced the retailer to shut down automated ordering and stock systems, leading to empty shelves and significant operational strain.

The impact was substantial:

  • Online sales were brought to a standstill
  • Food shelves were left bare
  • The financial hit was enormous
  • Disruption lasted for months

Despite the severity of the incident, M&S managed to maintain customer trust and protect its brand reputation. And that wasn’t luck: it was achieved through communication.

How M&S Communicated During the Crisis

While the technical details of the attack were complex, M&S’s communication strategy was refreshingly simple: be honest, be visible, and be human.

They Communicated Early and Openly

M&S didn’t wait for rumours to spread or for customers to notice empty shelves. They disclosed the attack promptly, explaining the nature of the disruption and its expected duration.

This early transparency helped:

  • Set expectations
  • Reduce speculation
  • Demonstrate accountability
  • Build trust during uncertainty

In a world where many organisations still try to “keep things quiet,” M&S chose clarity over concealment.

They Provided Regular, Timely Updates

Throughout the incident, M&S issued ongoing updates to investors, customers, and the media. Timely updates prevented:

  • Confusion
  • Misinformation
  • Customer frustration

And importantly, they showed that M&S was in control, even if at times the situation itself wasn’t.

They Used Clear, Accessible Language

M&S avoided technical jargon and focused on what customers needed to know:

  • What happened
  • How it affected them
  • What the company was doing about it
  • When things would return to normal

This is especially important in cyber incidents, where overly technical explanations can alienate or confuse audiences.

They Demonstrated Leadership Visibility

M&S’s CEO played a prominent role in communications, offering reassurance and outlining recovery plans. His public statements emphasised both transparency and determination, including the company’s intention to use the disruption as an opportunity to accelerate technology transformation.

Leadership visibility signals:

  • Accountability
  • Confidence
  • Stability

And it reassures customers that the organisation is taking the incident seriously.

They Maintained a Customer‑Centric Tone

Even while dealing with operational chaos, M&S kept the focus on customer experience. Their messaging acknowledged the inconvenience, explained the impact on stock and online services, and reassured customers that restoring normal service was the top priority.

This empathetic tone helped mitigate the psychological impact of the attack, particularly the anxiety customers feel when their favourite retailer experiences a breach.

Lessons Other Businesses Can Learn from M&S

The M&S incident offers valuable lessons for organisations of all sizes, not just retail giants.

Here are the key takeaways.

  • Transparency Builds Trust – Customers don’t expect perfection, but they do expect honesty. Being upfront about what happened and what you’re doing to fix it is always better than silence.
  • Speed Matters – The first 24–48 hours of a cyber incident are critical. Quick communication prevents rumours and demonstrates control.
  • Consistency Is Key – Regular updates – even if the update is “we’re still working on it” – keep stakeholders reassured.
  • Leadership Should Be Visible – A calm, confident leader can steady the ship and reinforce trust.
  • Empathy Goes a Long Way – Cyber-attacks are stressful for customers too. Acknowledging their concerns helps maintain loyalty.
  • Preparation Makes Everything Easier – M&S’s ability to communicate effectively didn’t happen by accident. It happened because they had plans, processes, and trained people.

Cyber‑Focused Advice for Businesses Preparing for Attacks

If the Marks & Spencer incident taught us anything, it’s that crisis communications doesn’t exist in a vacuum. It’s tightly woven into cyber readiness, technical resilience, and the ability to make decisions quickly under pressure. Here’s how organisations can strengthen their cyber posture and their communication capability at the same time.

Build a Real‑World Incident Response Plan

Not a theoretical document. Not a dusty PDF. A plan people can actually use at 2am when the ransomware alarm goes off.

It should include:

  • Clear roles and responsibilities
  • Playbooks for the most likely attack types
  • A rapid approval process for communications
  • A single source of truth for updates

A good plan removes panic and replaces it with muscle memory.

Know Your Crown Jewels

You can’t protect everything equally. Identify:

  • Your most critical systems
  • Your most sensitive data
  • Your highest‑risk suppliers

This helps you prioritise both your technical response and your communications when something goes wrong.

Train Your People (Not Just IT)

Cyber incidents are cross‑functional events. Everyone needs to know:

  • How to report suspicious activity
  • What to say, and what not to say
  • How to route media or customer enquiries
  • How to avoid spreading unverified information

For example, tabletop exercises are a great way to expose gaps and build confidence. At Cyberfort we recommend that incident response plans are tested on an annual basis as a minimum. The crisis simulation exercises undertaken should provide common attack scenarios tailored to your organisation’s specific sector, so you can see where the communication, process and response gaps are in real time before an incident happens.

Prepare Customer‑Friendly Messaging in Advance

When an incident hits, you won’t have time to wordsmith. Pre‑prepare:

  • Holding statements
  • FAQs
  • Internal updates
  • Regulator‑ready notifications

Keep them simple, human, and jargon‑free.

Establish a Crisis Communications “Battle Rhythm”

Decide in advance:

  • How often you’ll issue updates
  • Who approves messaging
  • Which channels you’ll use
  • How you’ll coordinate with technical teams

This rhythm keeps everyone aligned and prevents misinformation from filling the silence.

Strengthen Your Technical Foundations

Good crisis communications are easier when your cyber basics are solid. Prioritise:

  • Access controls
  • Regular patching
  • Network segmentation
  • Tested offline backups
  • Endpoint detection and response
  • Supplier risk assessments
  • Regular security reviews by a specialist MSSP

These controls reduce the blast radius, and the communication chaos.

Build a Culture of Early Reporting

The sooner you know something’s wrong, the sooner you can contain it. Encourage:

  • Zero‑blame reporting
  • Quick escalation
  • Transparency across teams

Culture is one of the most underrated cyber controls.

Deepfakes, a portmanteau of “deep learning” and “fake,” refer to synthetic media, primarily videos or audio recordings generated or altered using artificial intelligence (AI) to depict people saying or doing things they never actually did. While deepfakes began as an entertainment or novelty tool, their growing sophistication has positioned them as a credible threat in the world of cybersecurity.

As organisations strengthen their digital defences against traditional attack vectors such as phishing, malware, and ransomware, deepfakes represent a newer and less-understood frontier, one that leverages AI to manipulate perception, erode trust, and bypass existing safeguards. This article explores the role of deepfakes in cybersecurity, how they are used maliciously, the implications for trust and identity, and the emerging defences and detection strategies within the cyber community.

Deepfakes as a Cyber Threat

The most immediate cybersecurity risk of deepfakes is their use in social engineering attacks. Traditionally, attackers might rely on spoofed emails or fake websites to trick individuals into revealing credentials or transferring funds. Deepfakes take this to a new level by adding highly convincing audio or video to impersonate individuals with significant authority, such as CEOs, CFOs, or even political leaders.

For example, there have already been high-profile cases where attackers used AI-generated voice deepfakes to impersonate executives and instruct employees to transfer money or share sensitive information. In 2019, criminals reportedly used a voice-cloned recording of a CEO’s speech patterns to trick an executive into transferring €220,000 to a fraudulent supplier. The deepfake mimicked not only the voice, but also the tone and urgency typical of the real executive, making the attack highly believable.

This kind of deception can bypass traditional email filtering and spam detection technologies, as the attack may take place via phone call or embedded media within a trusted communication channel like Teams, Zoom, or Slack. The threat landscape now includes synthetic impersonation, where deepfake audio or video is used to facilitate business email compromise (BEC), account hijacking, and financial fraud.

Impact on Trust, Identity, and Verification

The emergence of deepfakes challenges one of the foundational assumptions of cybersecurity: trust in verified identity. In both the corporate and public domains, trust in identity is paramount, whether that’s a voice on a call, a face in a video meeting, or a recorded message from a government official.

As deepfake technology becomes more accessible and cheaper to produce, attackers can exploit the “assumed authenticity” of media formats that were once considered difficult to fake. This leads to increased scepticism around the legitimacy of communications, which can paralyse decision-making and slow down operations.

For instance, in crisis scenarios such as ransomware attacks or geopolitical events, misinformation campaigns powered by deepfakes could manipulate public sentiment, incite panic, or create confusion around who is saying what. The implications for information integrity are profound, especially for media organisations, government agencies, and election bodies.

Emerging Defence Mechanisms

Cybersecurity professionals are actively developing and deploying deepfake detection technologies. These typically rely on machine learning models trained to identify artefacts introduced during the synthesis process, such as unnatural blinking, visual inconsistencies, or odd audio intonations. However, this is an arms race. As detection methods evolve, so do the techniques used by attackers to create more seamless fakes.

To counter deepfake threats, organisations are also adopting more robust verification methods, such as:

• Multifactor authentication (MFA) that does not rely on voice or image recognition alone
• Watermarking of legitimate media, which can verify authenticity
• Behavioural biometrics, which consider unique patterns in typing, movement, and interaction
• Zero-trust models where no entity is assumed trustworthy based on one factor alone

Moreover, security awareness training is evolving to include recognition of deepfakes, helping employees spot red flags, such as unusual requests, voice delays, or background inconsistencies in video.

In the legal and regulatory domain, countries are beginning to address the misuse of synthetic media. Some governments have passed laws targeting the malicious creation and distribution of deepfakes, particularly where these cause reputational or financial harm.

Deepfakes as a Defensive Tool

Interestingly, deepfake technology isn’t solely a threat; it can also be used constructively in cybersecurity. For example, security training platforms have begun using synthetic media to simulate spear-phishing or vishing (voice phishing) attacks in a controlled environment. This allows employees to experience realistic threats without exposing organisations to real-world harm.

Additionally, researchers and red teams can use synthetic media to test the resilience of security controls or authentication mechanisms, uncovering vulnerabilities before attackers do.

Recognising deepfakes

Deepfakes present a rapidly evolving threat within cybersecurity, one that leverages artificial intelligence to attack not systems, but the very notion of trust and identity. Their use in fraud, misinformation, and impersonation can have significant financial, operational, and reputational impacts on organisations.

The cybersecurity community must respond by combining technological countermeasures, regulatory oversight, and human vigilance. While detection tools are improving, the best defence is a layered one, pairing deepfake awareness with secure communications protocols, behavioural analytics, and identity verification beyond the visual or auditory.

In an era where seeing (or hearing) is no longer believing, resilience depends on recognising that authenticity is not a given – it must be proven.

So how do you prove it? How should you and your employees validate that you’re talking to a real person? Firstly, give yourself time to think and question. Very little is urgent to the second, and giving yourself time to think nearly always enables people to apply their analytical brains. Often this happens only after an incident (“I thought it was bad…” “Yes, I can see that now…”). The trick is to give yourself that time to think before the impact!

Five simple steps to identify deepfakes

  1. Think about whether the actions the person is asking you to take are within the realm of what you would expect from this individual, and whether they comply with your organisation’s policies, regulatory requirements, legal requirements and ethics.
  2. Think about the person’s style. Are there nuances that aren’t present? Do they always say “Hi” or “Good morning”, or always sign off a call with a particular phrase or statement? Do they shorten your name or others’ names?
  3. Look carefully for facial anomalies, lip syncing issues, or odd phrasing or words.
  4. Ask an unexpected question, or state a phrase or statement. If you randomly say “why is your t-shirt green” when it’s clearly black, a person will correct you; a deepfake will just continue.
  5. Above all, remember that technology is advancing at pace, so even if steps 1-4 all check out, if you are even 1% unsure, verify by calling the person on a known contact method and finding out if it was actually them.

The human brain is a powerful anomaly detection tool. In most of these incidents, people have chosen not to use it and suspended their disbelief. Don’t make that choice.

For more information about Cyberfort Detect and Respond services please contact us at [email protected].  

Cybersecurity services outfit acquires 40-employee pen testing specialist ZDL


Cyberfort’s desire to “pivot more towards the private sector” is a “big reason” behind its latest acquisition, its CEO has revealed.

The Palatine-backed cybersecurity services firm announced its first acquisition in nearly six years this morning, in the shape of penetration testing specialist ZDL.

The move will swell Cyberfort’s headcount beyond 200 and revenues to around £26m, CEO Glen Williams told IT Channel Oxygen.

40-employee, £4m-plus-turnover ZDL hands Cyberfort 200 private sector customers it can cross-sell its MDR and SOC services into, Williams said.

“Pen testing is often the foot in the door of then doing a lot of other cyber services. We’ve got the capability to go and do those other cyber things, and they’ve got the customer base to go and do it,” he said.

‘We’re pivoting towards the private sector’

But the acquisition is also a deliberate move by Cyberfort to dilute its focus on a public sector space that generates half its revenues, Williams revealed.

“The public sector is typically looking to do quite a lot of insourcing of cyber. If you had a customer contract worth £6m yesterday, it’s probably going to go down to £4m,” he said.

“They’ve increased cyber salaries across the government – they’ve obviously decided cyber is core. They’re still going to have to supplement that with third-party suppliers, but you’re never going to be able to really grow it.

“They’ve also upped their game in terms of procurement and day rates in the public sector – they’re now lower than the private sector.

“It’s not to say we’re not going to sell into public sector – two of our biggest customers are still big public sector organisations – but we’re pivoting more towards the private sector commercial customers, and that’s a big reason why we’re doing this acquisition.”

Ransomware rewards

Williams recently told IT Channel Oxygen that Cyberfort – which has been backed by Palatine since 2017 – would probably undergo “an event” in “two to three years’ time”.

Its heritage secure hosting offering is becoming more “interesting” amid government plans to prohibit public bodies from paying ransomware ransoms, Williams said.

“In essence, because we’ve got our own datacentres that we continually back up, it makes it a really good solution for people. It’s another point of differentiation for us versus other cybersecurity companies.

“It’s also interesting because of data sovereignty – people are getting really quite nervous about stuff leaving the UK.”

Read the article on IT Channel Oxygen here: https://itchanneloxygen.com/the-public-sector-is-insourcing-you-cant-grow-cyberfort-ceo-explains-first-acquisition-in-6-years/
