As 2025 winds down, business leaders and executives will feel it has been a particularly expensive year as the cost of employment shot up, inflation of raw materials impacted supply chains and both oil and tariff shocks hit in the first half of the year.

But perhaps the biggest cost of all was one borne by companies hit by cyber attacks.

One damning government report suggests that close to half of British businesses (43 per cent) and three in ten charities (30 per cent) claimed to suffered a type of cyber security breach or attack in the past year. These include anything from a phishing attack to a full-blown digital shutdown costing hundreds of millions of pounds.

The list of those affected includes some of Britain’s biggest businesses.

Marks and Spencer. Adidas. Co-op Group. Heathrow airport. Harrods. And, of course Jaguar Land Rover (JLR). Each have suffered publicly confirmed cyber hacks. These attacks were not limited to companies either: the German parliament also suffered a breach and, in October, the UK government saw the Foreign Office hacked.

Organisations have to fight a moving target, one with seemingly limitless capabilities. This isn’t a foe a business and kill and move on from – cyber attacks come in all different ways, from all points of the earth and if one attempt doesn’t work, it just keeps coming.

Jason Soroko, a cybersecurity expert and host of the Root Causes podcast, put it bluntly: “For cyber attacks, 2025 was brutal. 2026 will be worse.”

What did the hacks cost?

Attackers aren’t just looking to break into digital vaults and extract cash. Data has become incredibly valuable, while damage to economic or manufacturing operations can provide an opportunity for someone else to pick up the slack in demand, meaning State-level involvement is part of the picture at times too.

The truth is for a business, lost sales are only part of the picture – there’s reputational damage to consider, possible reimbursement or lost opportunity costs, the loss of ongoing clients to rivals and, obviously, the amount spent to fix and then upgrade their own systems too.

Cybersecurity Ventures, a noted source of data and research in the cybersecurity sphere, says the entire “industry” was worth around $10.5 trillion this year alone (£7.8tn). In country terms, this would make it the third-biggest economy in the world after only the US and China.

For individual companies, the reliance is on their accountancy estimates being made public. M&S originally said the hit to their profits would be in the region of £300m, but ultimately in November gave a figure of just under half that, having recouped £100m in insurance payouts.

JLR were not so fortunate as they had not renewed their cyber insurance specifically, meaning they’d bear the brunt of a £200m estimated cost. Meanwhile, Co-op’s cyber attack saw more than 6 million customers’ data stolen, with the final tally expected to cost around £120m.

Elsewhere, the “cost” is more difficult to place a figure on, but is more wide-ranging and potentially damaging.

JLR’s shutdown was big enough, and prolonged enough, to contribute towards an economic downturn: car production failed to rebound in September and October across the industry and was one of the big factors in UK GDP contracting 0.1 per cent in the latter month.

The biggest issues and why firms are struggling

There are several good reasons why companies cannot keep cybercrime at bay.

Attacks can be multi-pronged in style or timing and have the advantage of being first: those in defence must rely on seeing what the attackers are doing and respond accordingly.

“Attackers now deploy AI at a speed defenders simply haven’t matched. It’s an asymmetry that widens by the month. Defenders have been slow to uptake stronger authentication, which is like failing to better locks on the doors. The attackers take advantage of this,” explained Mr Soroko, who works with online security firm Sectigo.

Cybersecurity Ventures, meanwhile, estimates that the “frequency of ransomware attacks on governments, businesses, consumers, and devices will continue to rise […] to hit once every two seconds by 2031.”

It’s a lot to stop – and that’s just the digital version.

What about when humans get involved? We know about people getting caught out by scams through texts, emails and more. Why would it be any different for ordinary people at work?

“We’re currently seeing youths socially-engineer their way into global businesses. After online research and exploiting other breaches to obtain information, a single phone call to a help desk can be enough to persuade them to reset passwords or MFA tokens,” explained Tim Rawlins, security director at the cyber firm NCC Group.

“This opens the door for criminals to move across systems and escalate their access until they have the same level of access as IT teams do.”

What comes next is critical.

Co-op notably opted to pull the plug, as it were, locking out those hacking them but also limiting their own initial powers of response as it was deemed that was the safest course of action.

open image in gallery

The government’s cyber report notes even the biggest firms don’t actually have a set course of action for if they are hit: 53 per cent of medium businesses and 75 per cent of large ones have “have an incident response plan”, it suggests.

“Following breaches, organisations can’t afford knee-jerk fixes,” Mr Rawlins adds. “Organisations must work with cyber experts to rebuild their systems safely; seeing how the hackers were able to infiltrate, what they accessed, and how a breach is impacting critical business systems.”

But this is a wide-ranging topic, a brand new area for many businesses to deal with and an area of high expertise needed. As such, many remain underprepared to deal with it.

Research from compliance company IO suggests a third of British and American companies don’t feel that governments are doing enough to support and protect them.

What are the next big risks?

The pace of technological change means firms are facing an awful lot of “the same, but different”. Hackers looking to exploit gaps in security, individuals unwittingly opening or accessing files and even external or third party contributors accidentally letting outsiders in have all been part of the equation this year.

Companies essentially have to defend against what they cannot see coming – plus there’s no telling when attackers themselves might decide a particular target is now the ideal one.

Moody’s, the global ratings firm, says cyber attacks on banks in particular “are rising and becoming more sophisticated”. If you thought being unable to order a click and collect from M&S for a couple of months was bad, try imagining not being able to make payments, withdraw cash or check your balance.

Happily they do note most banks have “robust defences”, though those financial institutions using technological infrastructure “developed decades ago” and simply building new apps and process on top of it do present an ongoing concern.

Simply put, it’s a race to a never-in-sight finish line to keep security systems updated. For some businesses next year, the question will at some stage inevitably turn to what the best method of containment is, rather than how to keep attackers out. Once the defences are breached, the answer to that question can be the difference worth many, many millions.