A snapshot of cyber risk in 2025: what are the biggest threats companies can no longer ignore?

Updated as of: 20 October 2025

Phishing, staff impersonation, and malware led to major cyber-attacks in 2025, costing some companies over US$400 million in losses. Businesses must build cyber resilience into their everyday operations to stay secure.

Key takeaways

  • Cyber-attacks rose by 50% in the UK in the past year.
  • AI is reshaping the threat landscape.
  • Companies must invest in training, technical defences, and crisis planning.

On 14 October 2025, the head of the UK National Cyber Security Centre (NCSC) warned that CEOs who fail to consider cyber risk are “jeopardising their businesses’ future.” This arrives in the wake of recent data from the NCSC which reveals that cyber-attacks rose by 50% in the past year.

Phishing attacks and ransomware stand out among the top risks facing businesses, while the use of AI by cybercriminals – and employees – is intensifying the threat.  

Cybersecurity is non-negotiable in 2025, as recent incidents highlight the scale and urgency of the threat. A cyber-attack on UK retailer Marks & Spencer (M&S) halted payments for 15 weeks, while a breach of Microsoft SharePoint disrupted over 400 organisations, including banks and government agencies.

The impact of cyber incidents on companies can be devastating – triggering financial loss, operational chaos, and reputational fallout.

Lexology PRO examines the cyber risk landscape in 2025, spotlighting trends, top threats, and security practices for companies to stay safe. 

New threats emerge 

In January 2025, the World Economic Forum’s Global Security Outlook 2025 report identified supply chain vulnerabilities, geopolitical tensions, and the rapid adoption of AI as among the top challenges shaping cybersecurity.

Today, these risks are playing out in real-time across key industries, from finance to healthcare. 

The threat posed by AI stands out, as cybercriminals harness new technologies to launch sophisticated attacks.

“AI is undoubtedly exacerbating cyber risk, with malicious actors using it as a tool to increase the scope and efficiency of their attacks – just like employees in a business. Moreover, as businesses adopt agentic AI, this further increases cyber risk as the consequences of an attack are compounded – just picture the AI agent (or robot!) making a harmful decision based on corrupted data,” Jonathan McDonald, partner at Osborne Clarke, tells Lexology PRO.

In addition to external threats, the use of AI tools by employees is emerging as a new liability. A survey conducted by cybersecurity company Trend Micro reveals that 96% of cybersecurity leaders are concerned about employees' use of third-party AI tools, as the use of such tools could expand companies’ organisational risk exposure.

Phishing remains the most common attack method for hackers to infiltrate companies. This is likely to remain the case as AI helps facilitate more sophisticated attacks. According to Microsoft’s 2025 Digital Defence Report, AI makes phishing attempts 4.5 times more effective.

The UK Cybersecurity Breaches Survey 2025 reveals the other top threats facing UK companies: 

The consequences of cyber-attacks are widespread – ranging from operational disruption to lingering reputational harm. The attack against M&S, a mainstay of UK retail, damaged customer trust and drove shoppers to consider rival brands. 

But the scale of potential financial loss caused by an attack underlines the real cost of cybersecurity lapses. The recent cyber-attack against Jaguar Land Rover in October 2025 is expected to cost the company hundreds of millions of pounds in losses, with some estimates suggesting up to £72 million (US$96 million) in lost revenue per day.

How are regulators tackling cyber risk?

Regulators worldwide are tightening existing controls or introducing new rules to safeguard companies and consumers against cyber threats.

The UK Cyber Security and Resilience Bill, expected to be introduced to Parliament during the 2025-26 legislative session, seeks to modernise and strengthen the country’s cyber defences by expanding the scope of regulation to include cloud services and IT providers, and by mandating incident reporting, among other obligations.

In the EU, the Network and Information Security Directive 2 (NIS2) took effect in October 2024, and requires EU companies to develop supply chain security policies and update their third-party contracts or face fines of up to €10 million (US$10.6 million) or 2% of global annual turnover.

Elsewhere, the central bank of Brazil revised its registration requirements for financial institutions in September 2025 following a rise in data breaches linked to instant payments. In Africa, Zambia introduced two new cybercrime laws in April 2025. 

How to build cyber resilience 

Cyber risk in 2025 is evolving fast. According to the UK NCSC, the use of AI by cyber criminals is expected to transform the threat level by 2027, meaning that companies must carefully monitor the evolving risks. Companies that treat cybersecurity as a core business function will be best positioned to weather the storm.

Businesses may consider the following best practices to safeguard against cybercrime.

Conduct a comprehensive cyber security risk assessment 

Companies should carry out regular cyber security risk assessments to test their existing systems – through table-top exercises, for example – to identify any vulnerabilities that could expose sensitive information or systems. Failure to do so can have serious consequences: in October 2025, UK outsourcing company Capita was fined £14 million (US$18 million) for failing to protect customer data lost in a 2023 breach.

Develop strong technical defences 

In the UK, malware protection use by companies dropped from 83% in 2024, to 77% in 2025. 

Strong technical defences, such as authentication and access controls, are essential safeguards against digital threats. Businesses should regularly update their devices, use firewalls, and implement multi-factor authentication, among other measures, to protect their operations.

Train staff on cybersecurity 

The UK NCSC includes engagement and training in its list of top 10 cybersecurity practices, citing the benefits of cybersecurity awareness for early risk detection and building trust throughout the organisation.  

Training should be delivered regularly to ensure employees understand how to identify and respond to hacking attempts. Given the prevalence of phishing attacks, companies may choose to mandate phishing simulations and cybersecurity awareness programmes.

Build your cyber risk playbook

To prepare for a potential cyber-attack, companies should build comprehensive crisis management plans which consider all possible scenarios, including contingencies for all aspects of the business’s operations. 

These should identify an incident response team and outline plans for post-incident obligations, such as reporting requirements, as these may vary by jurisdiction. The UK’s upcoming Cyber Security and Resilience Bill, for example, mandates post-incident reporting.

After an incident, companies should review and update their crisis management and response plans to address any gaps or deficiencies. 
