No business is immune to cyber attacks, says Arda Büyükkaya, Senior Cyber Security Threat Analyst at the threat intelligence platform EclecticIQ.
Cybersecurity is no longer a matter only for the world’s largest companies or government agencies. Every organisation is a potential target. Recent incidents across the UK and Europe show that attackers will strike retailers, manufacturers, cultural institutions, transport operators and service providers alike. They do not discriminate by size or industry. They exploit weaknesses wherever they exist, using techniques that are familiar but increasingly sophisticated.
M&S and others
Around Easter, Marks & Spencer experienced a serious breach attributed to the Scattered Spider group. The attack disrupted online orders, click-and-collect services and in-store payments, with losses expected to exceed £300 million in operating profit.
Jaguar Land Rover was forced to halt production after cyberattacks crippled its IT systems, triggering knock-on effects across its supply chain. Small and mid-sized suppliers scrambled in the wake of shutdowns.
The British Library suffered a ransomware incident that incapacitated many digital services for months, illustrating that cyber risk extends well beyond commercial enterprises into public and cultural institutions. Meanwhile, Royal Mail was hit by ransomware that disrupted international deliveries for weeks, causing financial damage and reputational fallout. Airline and travel sectors are also vulnerable: British Airways and easyJet have both disclosed data breaches affecting millions of customer records.
Most recently, several major European airports, including Heathrow, Berlin and Brussels, were forced to revert to manual check-in and baggage handling when a cyberattack targeted Collins Aerospace, a third-party provider of critical check-in and boarding systems. The attacker disrupted electronic systems that are shared across multiple airports, causing delays, cancellations, and widespread passenger frustration. This airport case is a stark reminder that even critical infrastructure is not immune. It highlights the fragility introduced by over-reliance on third-party systems and the systemic risk that arises when a shared vendor becomes a single point of failure.
Why all are exposed
Three core factors explain why no business can assume safety. First is interconnection and dependency. Modern operations depend heavily on external vendors, shared digital platforms, and supplier networks. Attackers know that compromising one link can cascade across entire systems. The airport incident underscores this the disruption was not limited to one airport but spread because of the shared vendor.
Second is human behaviour and social engineering. Many breaches begin with well-crafted phishing messages or phone calls designed to trick staff. Criminals exploit trust, urgency and authority. With advanced AI and voice cloning, even familiar voices can be mimicked convincingly, turning social engineering into a potent attack vector.
Third is advancing technology and lowered barriers to attack. Artificial intelligence has made it easier to produce convincing methods at scale. Phishing emails, cloned websites, deepfake voices all become tools in the hands of attackers. Traditional red flags like poor grammar are no longer reliable indicators of malicious intent.
How smaller businesses face different risks
While large enterprises often dominate headlines, smaller businesses face the same threats but are vulnerable in different ways. The assumption that size protects is deceptive. Cybercriminals increasingly apply advanced tactics to weaker targets, often to leverage access into larger networks.
One key vulnerability is supply chain proximity. Smaller suppliers frequently serve as trusted vendors for larger customers. An attack on them can act as a pivot into high-value partners. The airport incident is illustrative the failure of a vendor tool affected multiple airports simultaneously.
Resource constraints are another issue. Large firms may maintain dedicated cybersecurity teams, advanced monitoring tools and security operations centres. Smaller businesses typically lack such capacity. Often, they rely on general IT staff who may be stretched thin. This reduces early detection and response capability. Another vulnerability is the absence or immaturity of security policies. Without clear guidance, employees are left making choices under pressure such as clicking a phishing email that looks legitimate. That single misstep can kick off a chain reaction of compromise.
Building resilience across the board
Regardless of size, all organisations must adopt a resilience mindset. Strengthening authentication is foundational. Passwords and SMS codes alone are inadequate. Multi-factor authentication, physical security tokens and segmented access control help prevent a single compromised account from escalating. Supply chain security must be elevated. Contracts with vendors should enforce minimum cybersecurity requirements, incident reporting, and verification. Organisations should audit vendor security practices, not assume compliance.
Training is essential. Phishing simulations, awareness programmes and clear reporting channels help staff recognise threats before they escalate. Social engineering remains the most common breach vector. Incident response planning should be baked in. Organisations must know how to isolate systems, notify customers, cut off and restore operations. Regular backup testing ensures recovery is feasible.
Technology also has a role. Defenders can deploy AI and machine learning to monitor for anomalies, flag unusual login behaviour and block activity far faster than manual inspection allows. These tools do not replace human oversight, but they extend visibility and time to react.
From awareness to action
The spectrum of attacks on Marks & Spencer, Jaguar Land Rover, the British Library (pictured, St Pancras), Royal Mail and most recently the airports via a shared vendor demonstrates that cyber risk is universal. Corporations, cultural institutions, supply chains, and critical infrastructure all face threats from the same vectors, though vulnerabilities may differ.
The path forward demands transformation. Cybersecurity must be seen not as a cost centre but a strategic imperative. By investing in stronger defences, demanding accountability from suppliers, educating every employee, and preparing response plans, organisations can shift from being reactive to proactive.
No business is immune to cyberattacks. What separates success from failure is the degree of preparation. Organisations that take cybersecurity seriously are better positioned to withstand disruption, maintain operations and protect the trust of customers, partners and the wider public even in a world of increasingly aggressive, interconnected and unpredictable threats.
