Cyber-attacks are increasing in number, not complexity

This year, several high-profile cyber-attacks targeted well-known brands such as M&S, Coop, JLR and Heathrow among others. Most of these incidents did not involve particularly advanced or novel techniques. In fact, the methods used by cyber criminals and gangs are well-known and have been seen before. As covered in previous cyber roundups this year, attackers often infiltrated businesses within the supply chain to gain access to other organisations.

The public sector is also susceptible to this. Multiple reports have documented breaches affecting local councils and other public bodies. Indeed, late last month, several London councils including the Royal Borough of Kensington & Chelsea (RBKC), Westminster City Council, and Hammersmith and Fulham Council reported that they had been affected by cyber-attacks targeting shared IT infrastructure. Initially treated as isolated cases, the councils now suspect that the incidents are connected. In response, other London councils, such as Hackney Council, have advised their employees to remain vigilant against potential phishing threats. 

This month, there were also reports of an attack on Barts Health NHS Trust. Attackers took advantage of a vulnerability in Oracle E-business Suite software, an issue that has since been resolved, which resulted in the theft of personal data belonging to both patients and staff, as well as information related to the accounting services provided to the trusts. Some of this stolen data was later published on the dark web. As a result, trusts and other public organisations are looking to the government for more support to ensure their suppliers have the necessary standards of cybersecurity.

A key takeaway from these incidents is the vital role of cyber security in wider organisational strategy to uphold good cyber-security practice. To aid this, the Cyber Governance Code of Practice outlines how company boards and directors can build resilience to a wide range of cyber risks across their organisations.

State-sponsored cyber threats also pose a significant risk to SMEs

Earlier this month, the UK imposed sanctions on two China-based tech companies, Sichuan Anxun Information Technology Co. Ltd and Integrity Technology Group Incorporated, for targeting government and private industry IT systems across the world, including the UK. They also allegedly provided technical assistance for others to carry out cyberattacks. This comes after we covered news of the sanctions against a Russian cybercrime group for hosting services that enable attacks just last month.

At the 2025 Financial Times Cyber Resilience Summit, which took place this month, experts highlighted that many businesses in the UK are not adequately prepared to prevent or defend against state-backed cyberattacks. As a result, it’s important to understand that state-backed cyber threats affect more than just government bodies; often, attackers seek to obtain confidential information, disrupt operations, or inflict economic damage. This makes financial and commercial organisations particularly appealing targets for such attacks.

In such cases, it’s important to remember that cyber security encompasses a whole ecosystem and therefore organisations and their clients, suppliers and business partners have a role to play in ensuring good cyber security. Tools such as Cyber Essentials can help with setting up a baseline in cyber security.

AI is playing a role in both the good and the bad

This year, we have extensively covered the potential impact of AI on cyber security, noting that it can be leveraged to both facilitate cyber-attacks and to enhance defence mechanisms. Positive developments include the emergence of AI-powered solutions that support threat detection and investigation. Conversely, there have been numerous reports highlighting how threat actors are employing AI to strengthen phishing campaigns. Some now perform fully automated attacks using AI agents and systems. This again emphasises how technology advancements are enabling a greater volume of attacks. However, questions remain regarding how effective these attacks are considering the tendency of these tools to make errors and hallucinate.

AI has received significant attention, with models rapidly advancing and improving over just the past year. As these technologies become more powerful, their creators, in this instance OpenAI, are cautioning about heightened cybersecurity risks and are seeking stronger controls and monitoring to address these concerns.

Similarly, the National Cyber Security Centre (NCSC) has released an explainer outlining the susceptibility of Large Language Models (LLMs) to prompt injection attacks, exploiting the vulnerability that many current large language models (LLMs) currently face in enforcing a security boundary between instructions and data inside a prompt.

It is essential for users, purchasers, and developers of AI models to recognise these risks and keep up to date with potential safeguard bypasses that could prevent such systems from producing harmful outputs or actions.

Cyber is getting regulatory attention around the world

With cyber dominating the news throughout 2025, nations around the world have proactively started introducing measures to manage these risks. Countries are adopting different strategies. For instance, in a controversial move, India is considering the mandatory deployment of a state-operated cybersecurity application on all mobile devices, while the European Union shared plans for an enhanced cyber incident reporting and information sharing platform.   

Cyber has also been on the agenda for the UK. Just last month, a ministerial letter for small businesses was published highlighting the risk of falling victim to cybercrime and urging smaller businesses and enterprises to look into putting protections in place.

Earlier this year, the UK government also launched a consultation on new legislation that would ban regulated-critical national infrastructure and the public sector from making ransomware payments to discourage cyber criminals targeting these organisations. The consultation has now concluded and the government plans to continue with proposed plans to develop new measures.

Cybersecurity support was also a key feature in the UK’s plan to increase investment and growth in UK Professional and Business Services (PBS) which is part of the wider Industrial Strategy. The plan recognises that PBS businesses capture and retain confidential business and client information and aims to help the sector identify cyber risks and adopt Cyber Essentials as a means of mitigation.

This year, the UK government also introduced a new Cyber Security and Resilience Bill which will help protect organisations from cyber threats. The bill was presented to Parliament, with further developments anticipated by spring next year.

Want to learn more about cyber security?

Visit the ICAEW cyber security resources.

Got an interesting cyber story for us? Email techfac@icaew.com