Cyber Risk Has Changed, and Leadership Must Change With It

The warnings that rang in the New Year, from security and military leaders, were unusually direct. References to the “export of chaos” from Russia and the “whole-of-society” defence required describe a reality that businesses are already experiencing.

Cyber incidents are now among the most significant sources of operational disruption in the UK.

For most organisations, this is no longer a question of if, but when.

The National Cyber Security Centre’s review of 2025 makes this explicit. More than 40% of UK businesses experienced a cyber incident. Some, including Jaguar Land Rover, Marks & Spencer and the Co-op, saw prolonged disruption to production, retail operations, supply chains and customer services.

What’s changed is not just volume, but intent and impact.

Cyber-attacks are no longer primarily about stealing data, which left organisations time to fix problems quietly. Increasingly, they are designed to:

  • disrupt operations
  • create visible failure
  • force senior leadership decisions under extreme time pressure

And you don’t need to be a primary target to be affected. The CrowdStrike incident in July 2024, caused by a supplier update rather than a hostile attack, demonstrated how dependent organisations are on fragile digital ecosystems. Businesses across multiple sectors, including aviation and financial services, were quickly affected.

For leadership teams, this creates a new challenge.

Decisions often need to be made in the first hours, before the technical picture is clear, before systems are restored, and before certainty is available. Waiting for perfect information can be the highest-risk option.

Many leaders take confidence from having navigated COVID successfully. That confidence is understandable, and often misplaced.

COVID was a slow-burn crisis. Cyber crises are fast, adversarial and information-poor. Core systems – email, phones, laptops – may be unavailable. Normal ways of working disappear at the moment scrutiny intensifies.

A simple test for any board or executive team:

  • What stops if systems are unavailable for 24–72 hours?
  • Who has authority to decide whether to shut down, continue operating or communicate externally?
  • Have those people practised making those decisions together under pressure?

If the answers are unclear, the organisation is exposed, regardless of how much it spends on cyber security.

In our next article, we’ll look at what actually happens inside organisations during a cyber crisis, and the leadership capabilities that matter most.
