Preparing for Cyberattacks: What Jaguar Land Rover Can Teach Modern Businesses

Posted on: September 9th, 2025 by Natasha Cox

Director Dominic Holden explores how businesses can protect themselves and mitigate the risks of a cyberattack, following the recent incident at Jaguar Land Rover, in Computer Weekly.

Dominic’s article was published in Computer Weekly, 9 September 2025, and can be found here.

A cyber-attack at Jaguar Land Rover has halted production lines and caused wide-spread disruption. How can businesses protect themselves and mitigate the risks of an attack?

A single cyber incident can halt production lines, dent customer confidence and wipe millions off a company’s share price – as Jaguar Land Rover (JLR) discovered after it was forced to shut down operations last week.

There is, though, much a business can do to prepare for a cyber attack, both to reduce the prospect of falling victim to one and to mitigate the losses an attack can cause.

Preparation: A non-negotiable first step

Effective cyber resilience begins long before an attack occurs, and preparation can be key in mitigating the financial, technical or reputational damage. As such, many boards are now beginning to treat cyber security as a strategic priority, not a technical afterthought.

Effective preparation can encompass several aspects, and this can differ from business to business.

Often, this includes the creation of a clear, rehearsed incident response plan that identifies who does what in the first 72 hours and beyond, from isolating systems to briefing the regulator. The most effective plans are rehearsed by running crisis exercises and simulations so that staff know their roles, and leadership can practise decision-making under pressure.

Backing up your systems and testing that these systems can be restored quickly if compromised is also critical, with the JLR incident showing just how much damage a full shutdown of operations can cause.

Staff can also be more effectively trained to spot phishing attempts, unusual device activity and other red flags which may indicate an attempted breach of a company’s systems. Staff should also be made aware of the importance of ensuring that they install the updates that are rolled out by their IT team.

Cyber insurance is also key. There are many specialist brokers that can assist in tailoring a policy to the risks faced by the company. The process of obtaining the insurance often highlights issues with the company’s existing security and should provide essential support in the event of an attack.

Without such planning and preparation, a business will become more vulnerable to an attack and struggle to respond effectively when the pressure begins to increase.

The first 72 hours

If, despite your preparations, you fall victim to an attack, the first 72 hours are critical. This is where your planning pays off.

Where personal data may be at risk, the Information Commissioner’s Office (ICO) will need to be informed within 72 hours, and you may also need to notify your customers and suppliers of the risk. A PR team with expertise in crisis communications can be an important ally to avoid lasting reputational damage to the business.

Engaging law enforcement at the earliest opportunity is also advised. Reporting the incident to the police and Action Fraud creates a record that can support recovery and wider investigations. Notifying your insurers as soon as possible so you get support from specialist “breach response” advisers, including lawyers and computer forensic specialists, can avoid a misstep during a chaotic and stressful time.

A computer forensics team can move quickly to quarantine the affected systems and help you recover operations quickly, while also preserving evidence. A breach response lawyer will ensure you comply with your regulatory obligations and assist you in formulating a strategy to minimise the claims from suppliers and customers that can often follow.

The ransom question

One of the hardest decisions for businesses that fall victim to a ransomware attack is whether to pay a ransom – where one is demanded. While the National Crime Agency strongly advises against this, as there is no guarantee of restoration and payment encourages further crime, many organisations faced with operational paralysis may consider it a last resort.

Such ransom payments are often demanded in cryptocurrency, and their payment can be covered by insurance, so it is important for businesses to check their policies to see whether this forms part of their cover. It may also be possible to recover the ransom even after it has been paid. Specialist lawyers in crypto recovery can advise whether this is a possibility.

Lessons from JLR

The lesson from the JLR incident is simple: cyber security is no longer just an IT problem – it is a boardroom issue.

Boards must demand robust planning, allocate resources and ensure rehearsals are carried out. Only then can a business minimise financial and reputational damage when an attack occurs.

Dominic Holden explores the Home Office consultation on ransomware payments, in Law360

Posted on: April 10th, 2025 by Natasha Cox

Director Dominic Holden examines the recent Home Office consultation on cyber attacks and banning ransom payments by public bodies and critical infrastructure operators, and discusses the potential impact of such reforms on SMEs, in Law360.

Dominic’s article was published in Law360, 9 April 2025.

On 14 January 2025, the Home Office opened a consultation on proposals to ban ransom payments by publicly owned bodies and operators of critical national infrastructure that have or may have suffered a ransomware attack[1]. The consultation runs until 8 April 2025, and the government seeks input from potential compliance stakeholders, industry, research, and the public.

The overall aim is to tackle the multi-billion-pound cybercrime industry, and the specific objective is potentially to make vital infrastructure like hospitals and the National Grid an unattractive prospect for hackers.

Yet, these proposals are not without their flaws.

The below article examines these plans, explores the development of the ransomware industry, and discusses how such reforms could impact UK businesses.

What is ransomware?

Ransomware is a type of malware that attempts to unlawfully encrypt files on a host computer system. Once infected, critical IT networks can become crippled and inoperable. The hacker then promises to provide the key to unlock the files in return for money, typically in cryptocurrency.

These attacks can be particularly harmful due to the associated financial losses, theft of potentially sensitive data and intellectual property, as well as significant business/service disruption and reputational damage.

Growing threats

One of the key triggers for this consultation exercise appears to have been the Synnovis ransomware attack in June last year, which caused severe damage to the NHS with the postponement of over 10,000 outpatient appointments and around 1,700 elective procedures in London.[2]

Ransomware attacks are a growing threat. Over the twelve months ending in August 2024, the UK’s National Cyber Security Centre (NCSC) became involved in managing 430 cyber incidents, including 13 separate ransomware incidents which were “deemed to be nationally significant and posed serious harm to essential services or the wider economy”. According to the National Crime Agency, the number of UK victims appearing on ransomware data leak sites has also doubled since 2022[3].

As a result, ransomware is viewed by the National Crime Agency as one of the most serious organised cybercrime threats to the UK’s national security.

These attacks have now become highly profitable. In 2024, one study revealed that UK respondents paid an average of £870,000, with two organisations admitting to paying £10m-£20m in ransoms[4]. According to Sophos (which specialises in endpoint security), the median global ransomware payment made by victims over the past couple of years has also increased by 400%, up from $400,000 to $2 million. Meanwhile, the recovery costs to victims of a ransomware attack have also increased from $1.82 million to $2.73 million – a rise of around 50%[5].

Whether the ransom is paid or not, regulators and customers will very likely need to be notified of the attack under existing legislation, leading to the threat of an investigation, fines, claims and significant damage to an organisation’s reputation as their customers and suppliers learn of the attack.

The question of how to meet this threat faces governments across the globe.

Exploring the Home Office proposals

Banning ransomware payments

The idea of banning ransomware payment by certain organisations could be an effective deterrent to reduce ransomware attacks, with hackers looking elsewhere – hopefully overseas – for easier pickings that are permitted to pay out. The policy would follow the long-standing principle of the UK Government not to pay ransoms for its citizens taken hostage by terrorists.

However, a ban could be damaging to businesses. Paying a ransom can often be the fastest and most cost-effective way for an organisation to recover from these attacks.

The alternative to payment is trying to reset and restore an organisation’s systems from backup (assuming regular backups exist) and accepting a potentially catastrophic data loss. The business disruption that follows can be ruinous, both financially and reputationally.

According to Veeam’s 2024 Ransomware Trends Report, 96% of security professionals surveyed said that their backup repositories had been targeted, while a mere 15% were able to recover their data without paying a ransom[6].

That said, paying a ransom can be a risky business. The same report found that 27% of those organisations who had paid the ransom, were still unable to recover their data. In other words, while paying up might seem to offer a quick solution, there is no guarantee that it will resolve the problem.

‘Double dipping’ poses a further risk for victims. In such cases, a ransom is paid only for a further attack to follow a few days later. Or, even worse, an additional ransom is demanded to avoid the hacker publishing the compromised data or selling the information to the highest bidder.

This poses the question of whether the Government’s proposed limited ban goes far enough.

The focus on publicly owned bodies and operators of critical national infrastructure is a good start, given the obvious disruption that stems from the paralysis of these organisations. However, the policy risks hackers moving their attention away from these organisations, focusing their efforts on private companies who would still be permitted to pay a ransom. This could be particularly devastating for SMEs – which make up around 99.9% of the UK economy, but who lack the resources to mount an effective defence against, and response to, a ransomware attack[7].

A limited ban is not the only measure under consideration.

Reporting of all ransomware attacks

The mandatory reporting of all ransomware attacks by companies that meet a certain threshold is also proposed. This proposal is similar to one already put forward in the Cyber Security and Resilience Bill, which is due to be put to Parliament this year.

The purpose of the reporting is to assist law enforcement agencies by giving them a better understanding of the scale and nature of attacks, in order to identify patterns and improve responses to such attacks, and stop them from spreading.

This would appear to be an obvious ‘win’. The more up-to-date information available, the better the future decision-making on how to combat the threat.

The question which then arises, however, is whether the Government will properly resource the authorities who will receive this data, to allow them to take effective steps to respond.

Decision to pay a ransom

Finally, the Home Office proposes that the decision to pay a ransom could be left to the authorities.

The idea of the authorities needing to approve (or not) the payment of ransoms, is likely to be unworkable. It assumes a level of dynamism and responsiveness from Government authorities that is unlikely to be achieved in practice. Taking this decision out of the hands of those who know the organisation and the data at risk best, would seem to be ill-advised.

It also remains to be seen how the Government proposes to enforce legislation against the payment of ransoms. Criminalising the victims of a ransomware attack for making a ransom payment would seem to be unduly punitive given that these organisations are the innocent parties in this situation.

The Government may consider substantial fines to be a more appropriate sanction in line with current legislation around data, such as the UK General Data Protection Regulation/Data Protection Act 2018.

Conclusion

It is clear that the time has come for decisive action to be taken in the battle against ransomware attacks, and the Home Office’s initial focus on critical infrastructure and the public sector is a welcome first step.

However, the consultation is light on detail as to how the Government intends to enforce compliance, and on the resources that will be available to ensure that the reporting of ransomware attacks informs an effective strategy to prevent these attacks from occurring and spreading.

If a limited ban on ransom payments is introduced, it is incumbent on the Government to ensure that support will be provided to soften the increased business interruption that will invariably follow in the private sector.

While these proposals rumble through Westminster, there are still steps businesses can take to improve their chances of avoiding an attack, or to ensure they are able to deal effectively with one when it comes.

Training staff to identify potential ransomware and other cyber-attacks, along with regular system checks, backups and patching, can be essential in mitigating these threats. Cyber insurance can also provide valuable support and resources to deal with the consequences of an attack, along with a robust incident response plan which sets out how the business can operate in the face of a ransomware event.

[1] https://www.gov.uk/government/news/world-leading-proposals-to-protect-businesses-from-cybercrime

[2] https://www.england.nhs.uk/london/synnovis-ransomware-cyber-attack/latest-media-statement-on-synnovis-cyber-attack/#:~:text=As%20a%20result%20of%20the,St%20Thomas’%20NHS%20Foundation%20Trust.

[3] https://www.gov.uk/government/news/world-leading-proposals-to-protect-businesses-from-cybercrime#:~:text=The%20NCSC%20managed%20430%20cyber,services%20or%20the%20wider%20economy.

[4] Over Half of Breached UK Firms Pay Ransom – Infosecurity Magazine

[5] https://assets.sophos.com/X24WTUEQ/at/9brgj5n44hqvgsp5f5bqcps/sophos-state-of-ransomware-2024-wp.pdf

[6] https://www.primesys.co.uk/wp-content/uploads/2024/10/Veeam-2024-ransomware-trends-report.pdf

[7] https://www.gov.uk/government/statistics/business-population-estimates-2023/business-population-estimates-for-the-uk-and-regions-2023-statistical-release