Cyber security incidents have become a regular feature of the news cycle.
From attacks on major retailers to breaches affecting public bodies and critical infrastructure, organisations of all sizes are facing increasing threats from cyber criminals.
In Episode 4 of the Guardians of Data podcast Ibrahim Hasan spoke with Olu Odeniyi about cyber security through the lens of the recent cyberattacks on major UK retailers. They explored how businesses can build resilience and trust in the face of growing threats, the future of cyber security and practical tips for all of us to stay ahead of the hackers. The following is an abridged transcript of the podcast:
Cyber threats are becoming more sophisticated
Cyber criminals are constantly adapting their methods. While ransomware remains a major threat, organisations are also facing attacks involving artificial intelligence, supply chain vulnerabilities, compromised Internet of Things devices and even
state-sponsored actors.
One of the most significant developments is the increasing use of AI by criminals. Generative AI can create convincing phishing emails, impersonate trusted individuals and help less skilled attackers launch sophisticated campaigns. In the past, poorly written emails were often a warning sign of fraud. Today, AI can produce polished and convincing communications that are much harder to identify as malicious. At the same time, defenders are using AI to improve detection, automate routine tasks and strengthen security monitoring.
The growing risk of social engineering
Many recent cyber attacks have not relied on advanced technical exploits.
Instead, attackers have targeted people. Social engineering remains one of the most effective methods of gaining access to systems. Criminals impersonate trusted individuals, helpdesk staff or suppliers to persuade employees to reveal information, reset passwords or approve access requests.
The attack on Marks & Spencer reportedly involved attackers posing as IT support personnel to trick individuals into resetting credentials and disabling security controls. Once inside the network, attackers were able to move through systems and cause significant disruption.
This highlights an important point. Technology alone cannot prevent cyber attacks. Security depends on people, processes and technology working together.
Supply chain attacks are a growing concern
Modern organisations rely heavily on suppliers, contractors and service providers. While this brings efficiency and specialist expertise, it also creates additional cyber risk. Supply chain attacks occur when criminals compromise a third party in order to gain access to their target. Rather than attacking a large organisation directly, attackers often look for weaker points elsewhere in the supply chain.
The recent retail attacks demonstrate how interconnected organisations have become. Even businesses with mature security programmes can be affected if a trusted supplier is compromised. This means organisations must look beyond their own systems and assess the security of the wider ecosystem they depend upon.
Why resilience matters
One of the key themes from the discussion was resilience. No organisation can eliminate cyber risk completely. The question is not whether an attack will occur, but how well prepared an organisation is to respond.
The Co-op’s response to a recent attack illustrates this point. Having experienced previous incidents, the organisation had invested in preparation and incident response planning. This enabled it to detect suspicious activity quickly and take action to limit the damage.
Early detection is critical. The sooner an attack is identified, the sooner organisations can activate response plans and contain the threat. Cyber resilience means understanding risks, preparing for incidents and ensuring the business can continue operating when problems occur.
Multi-factor authentication is essential but not enough
Multi-factor authentication (MFA) remains one of the most effective security controls available. However, not all forms of MFA provide the same level of protection.
Many organisations rely on simple push notifications sent to mobile devices.
Attackers have learned how to exploit this through what is known as MFA fatigue.
In these attacks, criminals repeatedly trigger authentication requests in the hope that a user will eventually approve one by mistake.
Organisations should therefore consider stronger authentication methods, particularly for privileged accounts. Hardware security keys and passkeys offer significantly greater protection and are more resistant to phishing attacks.
Security controls should be based on risk, with the strongest protections applied to accounts that could cause the most damage if compromised.
Privileged accounts remain a prime target
Attackers often focus on obtaining privileged or administrator-level access.
Once criminals gain control of these accounts, they can access sensitive information, disable security tools and move freely through systems. This was highlighted in the discussion of recent retail breaches, where attackers reportedly sought to obtain elevated access after gaining an initial foothold.
Organisations should ensure privileged access is tightly controlled, regularly reviewed and granted only when necessary. The principle of least privilege remains one of the most effective ways of reducing risk.
Observability and monitoring are becoming critical
A recurring challenge in cyber security is that many organisations do not realise they have been compromised until weeks or even months after the initial breach. During that time, attackers can explore systems, steal information and establish persistence. Improved monitoring and observability can help organisation identify unusual behaviour more quickly. Understanding what normal activity looks like makes it easier to spot anomalies that could indicate an attack. The ability to detect threats early can significantly reduce the impact of an incident.
What can individuals do?
Cyber security is not solely an organisational responsibility. Individuals also play an important role in protecting their personal information. Some practical steps include:
* Using strong and unique passwords for every account.
* Using a password manager to store credentials securely.
* Enabling multi-factor authentication wherever possible.
* Using passkeys where supported.
* Avoiding the reuse of passwords across different services.
* Being cautious about the information shared online.
* Monitoring accounts following any reported data breach.
Criminals frequently combine information gathered from different sources to make scams appear more convincing. Limiting the amount of personal information available online can reduce this risk.
The recent wave of cyber-attacks offers several important lessons:
1. Treat cyber security as a board-level responsibility.
2. Strengthen supply chain security and vendor oversight.
3. Invest in incident response planning and regular testing.
4. Adopt stronger forms of multi-factor authentication.
5. Limit privileged access and apply the principle of least privilege.
6. Improve monitoring and threat detection capabilities.
7. Provide regular staff awareness training focused on social engineering.
8. Build resilience so the organisation can continue operating during an incident.
The cyber threat landscape is unlikely to become simpler. The combination of increasing digitalisation, AI-driven attacks, global interconnectivity and geopolitical tensions means organisations will continue to face growing challenges. At the same time, regulation and governance requirements are likely to increase as governments seek to improve cyber resilience across both the public and private sectors. The organisations that succeed will be those that treat cyber security as a business issue rather than simply an IT issue.
Listen to the full Episode 4 with Olu.
Previous episodes of the Guardians of Data podcast have featured Jen Persson, a privacy campaigner, explaining the privacy implications of the Government’s new plans for children’s data and Tahir Latif discussing how to build responsible and ethical AI systems.
