With October marking Cybersecurity Awareness Month, the recent high-profile attacks on Marks & Spencer (M&S), Jaguar Land Rover (JLR), and Collins Aerospace have reignited conversations about the resilience of supply chains and the real cost of a cyber breach. We spoke with Dennis Martin, Crisis Management and Business Resilience Specialist at Axians UK, to reflect on how these incidents were handled, the ripple effects across industries and the lessons organisations should take forward.
Q: Cyberattacks on companies like M&S, JLR and Collins Aerospace made headlines quickly. From your perspective, what stands out most about how these incidents were handled?
Dennis (Axians UK):
What stood out to me was how quickly these organisations acknowledged the problem. Not long ago, companies might have stayed quiet for weeks, but that’s no longer an option. Customers, regulators, suppliers – they all expect transparency. Even when details are still emerging, early communication helps build trust and avoids potentially harmful speculation.
The real challenge, though, is how you balance containment with communication. Cyberattacks are messy, and no one handles them perfectly. But we’re seeing more maturity in how companies coordinate with regulators, response teams, and the media. Being upfront without sparking unnecessary panic is where reputations are won or lost. Leaders must show they’re not hiding from the problem but tackling it head-on.
Q: Beyond immediate disruption, what impact do these kinds of attacks have on supply chains?
Dennis:
Supply chains are interesting, because we rely on them so much, but have very limited control over their resilience posture. These incidents really highlight how interconnected risks have become. For a retailer like M&S, a breach doesn’t just dent customer trust – it can affect logistics systems, payment networks, and supplier relationships. A delay in deliveries or issues processing orders can ripple out quickly, with suppliers feeling the financial strain just as much as customers feel the inconvenience. When assessing risks, companies should look both up and down their supply chain, to suppliers as well as clients – the latter, especially, are too often forgotten, and cases like JLR show us the impact this has on their suppliers. If a cyber-attack on your company leads to a key supplier going out of business, you have a major problem.
For manufacturers like JLR or Collins Aerospace, the stakes are even higher. Their supply chains are global and complex, involving thousands of partners. A single breach can halt production lines, delay critical parts, or even create compliance risks. In sectors like aerospace and defence, even a small disruption can have serious national security implications.
What’s clear is that a cyberattack isn’t just an “internal” issue anymore – it affects the whole ecosystem. Businesses are only as resilient as their weakest digital partner. That’s why supply chain due diligence, ongoing monitoring, and joint incident response planning are becoming essentials, not options. We still see too many companies relying on contracts and SLAs – while useful in daily operations, they provide only very limited assurances when a crisis hits. Asking suppliers for evidence of their resilience programmes and how they assure their own supply chains is useful – but real confidence comes from working with them directly: joining crisis exercises, sitting in as a key-client advisor, and planning for key scenarios together. Too many companies worry that sharing contingency plans signals unreliability, when the opposite is true: openness builds trust and makes plans viable in practice.
Q: The financial cost of a cyberattack is often highlighted, but what about the less obvious costs?
Dennis:
The financial hit is real – ransom demands, recovery costs, regulatory fines, legal fees. We’ve seen companies like KNP or Travelex enter into administration because of a cyberattack, the latter only surviving after significant restructuring.
The risk to reputation is significantly harder to quantify. Share prices dip, customer confidence takes a hit, and partners start questioning your security. The exact effect this has on a business depends on many factors such as how central trust is to the business model, how captive your clients are, and how well you communicated in the crisis.
There’s also the human side. These events put enormous strain on people – IT teams working around the clock, customer service staff fielding tough questions, leaders under constant scrutiny. The pressure can hurt morale and even retention. We’ve seen cases where poor internal communication has led to uncertainty, which in turn causes key personnel to leave. That’s why resilience planning can’t just be about systems – it must include people, communication, and culture. When teams feel supported and prepared, they can respond far more effectively under pressure.
Q: What lessons should organisations, large and small, take from these recent attacks?
Dennis:
The first lesson is that cybersecurity isn’t just an IT issue – it’s a business resilience issue. Every board should be treating it as a core strategic risk, not a side project.
Second, assume breach. Prevention is vital, but so is recovery planning. This also helps identify issues that can be addressed before crisis hits, saving vital time and resources. Examples can range from complex questions such as what a minimum viable level of operations would look like, to practical issues like who will answer the increased amount of customer queries or who needs to be first in line for a ‘clean’ laptop.
Third, verify. Ensure that you have a robust testing programme in place. This should include both robust penetration testing programmes for external interfaces and key internal components like Active Directory and backup systems, as well as exercises and tests of emergency processes and assets. You do not want to power on your emergency generator in an actual emergency and find it produces merely a puff of smoke. Organisations that run drills and rehearse their responses come back faster and stronger.
Another key point is visibility. You can’t protect what you don’t know you have. Too many organisations are still caught out by hidden supply chain dependencies or unmonitored systems. Mapping and monitoring those assets is critical.
And finally, collaboration. No one can tackle this alone. Sharing intelligence and best practices – and learning from incidents like those at M&S, JLR, and Collins – helps strengthen the ecosystem as a whole. Wherever possible, work with your supply chain on resilience plans, discuss minimum viable levels of operation, join each other’s exercises or conduct joint drills. There is no better way to have confidence in their arrangements than being a part of them. Too often organisations worry that discussing emergency plans with clients (thereby admitting an emergency is possible) may lead to them being seen as untrustworthy, when the opposite is true. Cybersecurity Awareness Month is a good reminder that resilience works best when it’s collective, not competitive.
Q: Finally, looking ahead, what gives you confidence that organisations are better prepared for the next wave of cyber threats?
Dennis:
Two things give me confidence: investment and awareness. Businesses are putting more resources into proactive monitoring, zero-trust approaches, and supply chain risk management. These are no longer “nice-to-haves” – they’re becoming standard practice.
Just as important is the cultural shift at the top. Cybersecurity is now a standing boardroom agenda item in most organisations. High-profile attacks are painful, but they’ve made it clear that the cost of inaction is simply too high.
That shift in mindset is critical. When resilience stops being “someone else’s problem” and becomes part of leadership discussions, procurement choices, and everyday behaviour, organisations move from being vulnerable to being resilient. That’s what makes me optimistic about the future.