DigitalXRAID

10 Lessons From 10 Years in Cyber Security: What IT and Security Leaders Need to Know

For the past 10 years, DigitalXRAID has been protecting customers through one of the most turbulent periods the cyber security industry has ever faced. In that time, we’ve witnessed ransomware evolve from isolated criminal campaigns to billion-pound global crises, supply chain compromises shake trust in critical vendors, and identity attacks redefine the perimeter.  

The past decade has also seen AI emerge as both a powerful defensive ally and a dangerous new attack vector, while regulators raised the stakes with accountability that now reaches the boardroom. 

These seismic shifts have transformed how UK organisations must think about cyber resilience. Threats are faster, more coordinated and more disruptive than ever before. At the same time, the pressure on IT Directors, CISOs and compliance leaders has intensified, with legal expectations to protect not just systems, but reputation, revenue and regulatory standing. 

In this guide, we’ll be sharing the key lessons from a decade of disruption. We’ll look at what’s changed, what still works in practice, and what to prioritise next so you can raise your resilience without drowning in jargon. 

Key takeaways 

  • Patch velocity and asset visibility will be huge factors in who gets hit hardest when the next zero-day lands. 
  • Identity is the new perimeter, and social engineering remains the fastest route around your defences. 
  • Your supply chain is part of your attack surface, so treat vendors like high-risk internal apps. 
  • AI accelerates both attackers and defenders, which makes governance, telemetry and training critical. 
  • Board accountability is here. NIS2, DORA and UK guidance put cyber risk squarely on executive agendas. 

A decade of disruption: why this guide matters to UK organisations 

The last ten years have completely reshaped cyber risk for UK businesses. Ransomware moved from isolated incidents to full industrial operations. Identity attacks bypassed controls that once felt unbreakable. Software supply chains and managed service providers turned into highways for adversaries. And most of all, AI arrived as a force multiplier for both sides. Regulators have followed these changes with obligations that, for the first time, land at the feet of the boardroom. 

If you run IT, security or compliance, you must be able to translate this noise into simple outcomes: reduce the time between exposure and mitigation, improve the fidelity of your detection and response, and tighten governance so you can evidence decisions to customers, insurers and regulators.  

There have been some major incidents that have shaped these changes in the cyber security industry over the last 10 years. By understanding these incidents and changes, you can better shield your business from future attack.  

Top 10 lessons learned from 10 years in cyber security

10 major cyber incidents that shaped UK defences 

WannaCry 2017: wormable ransomware hits the NHS 

What happened
Wormable ransomware abused SMBv1 via EternalBlue, spreading rapidly across the world. UK hospitals diverted ambulances and cancelled appointments. A kill switch slowed the outbreak but not before significant impact. 

Business impact
The NHS estimated tens of millions of pounds in disruption and recovery. Globally the cost ran to billions. 

Why it matters
Patch management, SMB hardening and asset inventory are not hygiene tasks. They are the foundations of operational continuity. 

NotPetya 2017: a destructive wiper disguised as ransomware 

What happened
A supply chain compromise seeded destructive code that propagated using EternalBlue and credential theft. Encryption was irreversible, which made it a wiper rather than true ransomware. 

Business impact
Global brands suffered nine figure losses and weeks of disruption. 

Why it matters
Flat networks and reuse of privileged identities widen the blast radius. Segmentation and least privilege limit the damage. 

SolarWinds 2020: stealth, trust abuse and supplier risk 

What happened
Malicious updates to a widely used monitoring platform granted covert access to thousands of customers. 

Business impact
Multi-year response programmes, rebuilds and regulatory scrutiny. Supplier assurance became a board topic. 

Why it matters
Your build pipelines and vendor updates are part of your security boundary. Assume breach in monitoring and verify with independent telemetry. 

Colonial Pipeline 2021: when IT hits operations 

What happened
Ransomware led to a precautionary shutdown of fuel operations in the United States after identity related weaknesses were exploited. 

Business impact
Fuel shortages and price spikes. Public scrutiny and political involvement. 

Why it matters
Identity resilience and business continuity are inseparable. An IT incident can become an operational incident quickly. 

Log4Shell 2021: a dependency breaks the Internet 

What happened
A trivial remote code execution bug in Log4j exposed a huge Java estate. Attackers weaponised it within hours. 

Business impact
Months of asset discovery, virtual patching, code updates and threat hunting. Exploitation persisted long after headlines faded. 

Why it matters
You need an accurate software bill of materials, continuous exposure management and detections for common exploit chains at network and endpoint layers. 

Lapsus$ and the social engineering wave 2022 

What happened
Young crews bypassed multi-factor authentication (MFA) with push fatigue, SIM swaps and helpdesk manipulation, targeting identity platforms and support processes. 

Business impact
Service outages, sensitive data exposure and brand damage across technology and consumer services. 

Why it matters
People and processes are part of your control surface. Harden helpdesk workflows, adopt phishing resistant MFA and restrict privileged tools. 

MOVEit 2023: one bug, 1,000 victims 

What happened
A file transfer product vulnerability enabled mass data exfiltration and extortion in the MOVEit attack. Many victims were affected through service providers. 

Business impact
Large scale notifications, legal costs and reputation risk. Third-party concentration became visible to boards. 

Why it matters
Treat suppliers like internal high risk apps. Require runtime telemetry, clear incident obligations and rapid patch windows in contracts. 

MGM and Caesars 2023: Scattered Spider’s identity first playbook 

What happened
Threat actors gained control through social engineering and identity platforms. Remote management tools were abused to spread and sustain access. 

Business impact
Days of outage, service degradation and costly recovery. Board focus on helpdesk identity proofing and privileged access controls. 

Why it matters
Identity systems are high value targets. Tiered administration and strong verification procedures reduce attacker success. 

UK Retail attack wave 2025: M&S, Harrods and Co-op 

What happened
Linked campaigns by the Scattered Spider group disrupted operations and targeted customer data in large retailers. Common techniques and suppliers increased systemic risk. 

Business impact
Supply chains, SAP estates and identity workflows came under scrutiny. Modernisation plans accelerated. 

Why it matters
Sectors share technology and process patterns. Defend at the TTP level and share intelligence across peer groups. 

Threat group consolidation 2025: Scattered Lapsus$ Hunters 

What happened
Reports indicated collaboration between established groups, Scattered Spider, ShinyHunters and Lapsus$, leading to faster victim turnover and more pressure through data theft and publicity. 

Business impact
Higher tempo, coordinated social engineering and extortion. High profile organisations continue to fall victim to attack, for example the Jaguar Land Rover breach. Public narrative becomes part of the incident. 

Why it matters
Assume adversaries share playbooks. Tune detections to common tactics, techniques and procedures (TTPs) and plan for communications pressure. 


10 lessons from 10 years in cyber security 

The good news for IT and security leaders is that there are mitigation techniques and solutions to protect your business from the evolving cyber threat landscape.  

1) Patch velocity beats exploit velocity 

Reduce mean time to remediate (MTTR) on external exposures and high value internal services. Maintain an authoritative asset inventory and tie it to automated patch verification. Where patching needs time, deploy virtual patching and strict network controls. 

What to do: 

  • Track exploitability and business criticality, not just CVSS 
  • Retire SMBv1 and legacy protocols and services 
  • Integrate exposure data with change and risk registers 
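
The first bullet above, ranking by exploitability and business criticality rather than CVSS alone, can be made concrete with a small triage routine. The following is an added example written for this guide, not DigitalXRAID's own tooling: the asset names, vulnerability identifiers, priority bands and SLA days are all constructed assumptions, and the "known exploited" flag stands in for whatever exploited-in-the-wild feed your scanner consumes.

```python
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass
class Finding:
    """One vulnerability on one asset, as an exposure scanner might report it."""
    asset: str
    vuln_id: str           # placeholder identifier, not a real CVE number
    cvss: float
    known_exploited: bool  # listed in an exploited-in-the-wild catalogue
    internet_facing: bool
    criticality: str       # "high", "medium" or "low" from the asset inventory
    published: date        # when the finding was raised; the SLA clock starts here


# Remediation SLAs in days per priority band (assumed policy values)
SLA_DAYS = {"P1": 2, "P2": 7, "P3": 30, "P4": 90}


def priority(f: Finding) -> str:
    """Band by exploitability and business context first, CVSS second."""
    if f.known_exploited and (f.internet_facing or f.criticality == "high"):
        return "P1"
    if f.known_exploited or (f.internet_facing and f.cvss >= 7.0):
        return "P2"
    if f.cvss >= 7.0 or f.criticality == "high":
        return "P3"
    return "P4"


def triage(findings, today: date):
    """Return findings ordered by band then due date, with overdue flags."""
    rows = []
    for f in findings:
        band = priority(f)
        due = f.published + timedelta(days=SLA_DAYS[band])
        rows.append({"asset": f.asset, "vuln_id": f.vuln_id, "priority": band,
                     "cvss": f.cvss, "due": due, "overdue": today > due})
    rows.sort(key=lambda r: (r["priority"], r["due"]))
    return rows


# Constructed sample findings: a pure-CVSS ordering would put hr-db second,
# but the unexposed, unexploited database does not outrank an exploited bug.
SAMPLE = [
    Finding("edge-vpn", "VULN-0001", 9.8, True, True, "high", date(2025, 9, 1)),
    Finding("hr-db", "VULN-0002", 9.1, False, False, "high", date(2025, 9, 1)),
    Finding("dev-wiki", "VULN-0003", 5.3, True, False, "low", date(2025, 9, 1)),
    Finding("print-server", "VULN-0004", 4.0, False, False, "low", date(2025, 9, 1)),
]


def sample_triage():
    """Run the triage over the constructed sample as of 10 September 2025."""
    return triage(SAMPLE, date(2025, 9, 10))


if __name__ == "__main__":
    for r in sample_triage():
        print(f'{r["priority"]} {r["asset"]:13} cvss={r["cvss"]} '
              f'due={r["due"]} overdue={r["overdue"]}')
```

The point of the ordering is that the two findings with evidence of active exploitation are both overdue on 10 September, while the CVSS 9.1 database bug, serious but neither exposed nor exploited, still has three weeks of runway. Feeding the same rows into the change and risk registers, as the third bullet suggests, gives the board a remediation picture that matches the threat rather than the scoring scale.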

2) Identity is the new perimeter and blast radius 

Phishing resistant MFA such as passkeys reduces replay and push fatigue. Helpdesk identity proofing stops social engineers from resetting your controls. Treat finance workflows as identity flows to tackle business email compromise. 

What to do: 

  • Enforce number matching or passkeys for administrators and VIPs 
  • Use just in time access and time bound elevation for privileged tasks 
  • Require out of band verification for payments and system changes 

3) Supply chain is your attack surface 

Vendors and managed service providers sit inside your boundary. You need evidence they patch promptly, monitor effectively and will notify you early. For cloud services, understand shared responsibility and ensure visibility of your tenant. 

What to do: 

  • Mandate SBOMs and vulnerability disclosure timelines 
  • Capture runtime telemetry from critical vendors and SaaS platforms 
  • Add breach notification and cooperation clauses with clear timeframes 
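
Mandating SBOMs only pays off when you can actually query them, which is the gap the Log4Shell section describes: months of asset discovery to find every copy of one library. The following added example (not DigitalXRAID code) matches a CycloneDX-style SBOM against a list of advisories with affected version ranges. The SBOM contents, the advisory identifiers and the version ranges are all constructed for illustration; only the CycloneDX key names (`components`, `group`, `name`, `version`, `purl`) are the real format's.

```python
import json

# Constructed CycloneDX-style SBOM fragment. Real CycloneDX documents use the
# same top-level keys; the components and versions here are invented.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "components": [
    {"type": "library", "group": "org.apache.logging.log4j", "name": "log4j-core",
     "version": "2.14.1", "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"},
    {"type": "library", "group": "com.fasterxml.jackson.core", "name": "jackson-databind",
     "version": "2.15.2", "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.15.2"},
    {"type": "library", "group": "org.apache.logging.log4j", "name": "log4j-core",
     "version": "2.17.1", "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.17.1"}
  ]
}
"""

# Constructed advisory list. "introduced" is inclusive, "fixed" is exclusive.
# The identifiers are placeholders, not real CVE numbers, and the ranges are
# illustrative rather than the published ones for these libraries.
ADVISORIES = [
    {"id": "ADV-PLACEHOLDER-1", "group": "org.apache.logging.log4j", "name": "log4j-core",
     "introduced": "2.0", "fixed": "2.17.1"},
    {"id": "ADV-PLACEHOLDER-2", "group": "com.fasterxml.jackson.core", "name": "jackson-databind",
     "introduced": "2.0", "fixed": "2.12.7"},
]


def parse_version(v: str) -> tuple:
    """Turn '2.14.1' or '2.0-beta9' into a comparable tuple of integers.

    Pre-release suffixes are dropped, which is conservative: '2.0-beta9'
    compares equal to '2.0' and so still falls inside a range starting at 2.0.
    """
    parts = []
    for piece in v.split("."):
        digits = ""
        for ch in piece:
            if ch.isdigit():
                digits += ch
            else:
                break
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def in_range(version: str, introduced: str, fixed: str) -> bool:
    """True when introduced <= version < fixed."""
    return parse_version(introduced) <= parse_version(version) < parse_version(fixed)


def affected_components(sbom_json: str, advisories):
    """Return every SBOM component that falls in an advisory's affected range."""
    sbom = json.loads(sbom_json)
    hits = []
    for c in sbom.get("components", []):
        for a in advisories:
            same_package = (c.get("group"), c.get("name")) == (a["group"], a["name"])
            if same_package and in_range(c["version"], a["introduced"], a["fixed"]):
                hits.append({"purl": c["purl"], "advisory": a["id"], "fixed_in": a["fixed"]})
    return hits


if __name__ == "__main__":
    for hit in affected_components(SBOM_JSON, ADVISORIES):
        print(f'{hit["purl"]}: {hit["advisory"]} (fixed in {hit["fixed_in"]})')
```

Run against the sample, only the `log4j-core@2.14.1` component is reported; the patched 2.17.1 copy and the up-to-date Jackson library are not. In practice you would load one SBOM per application or supplier deliverable and feed the hits straight into the exposure data from lesson 1, so the patch window agreed in the contract can be measured rather than assumed.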

4) Assume exfiltration and extortion even without encryption 

Modern crews steal data and apply pressure through naming and shaming. Incident plans must cover legal advice, notification decision making, regulator liaison and customer communications. 

What to do: 

  • Pre-draft statements and regulator templates 
  • Maintain a data map and contact strategy for affected parties 
  • Rehearse decision points with executives and legal counsel 

5) Resilience is king: design for continuity 

Backups, restoration and manual workarounds are operational capabilities. Test them as you would any critical system. Plan for dependencies such as identity providers and SaaS platforms. 

What to do: 

  • Test recovery to time objectives, not just file restoration 
  • Keep an offline copy of key runbooks and contact lists 
  • Validate that critical services can operate in a degraded mode 

6) Detection and response must be breach assumed 

Patching alone does not evict intruders. You need high fidelity telemetry across endpoints, network, identity providers and SaaS. Threat hunting and forensic readiness shorten dwell time and reduce uncertainty. 

What to do: 

  • Retain identity and SaaS logs for sufficient duration 
  • Deploy detections for common lateral movement and token abuse 
  • Run purple team exercises and feed findings into content and playbooks 

7) Validate trust chains in cloud identity 

Token signing, conditional access and admin tiering deserve design-level attention. Separate production and tenant administration. Limit break glass accounts and protect them with the strongest factors available. 

What to do: 

  • Monitor token issuance, consent grants and anomalous refresh patterns 
  • Use dedicated, non-internet joined admin workstations for high privilege tasks 
  • Enforce least privilege for service principals and automation 
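
Lessons 2, 6 and 7 all come down to the same telemetry: MFA prompt outcomes, app consent grants and token refresh activity from your identity provider. The following added example, written for this guide rather than taken from DigitalXRAID or any vendor, runs three detections over a constructed batch of identity events: MFA push fatigue (an approval preceded by a burst of rejected prompts), user-granted consent to sensitive scopes without admin review, and a token being refreshed from two countries within an hour. The event field names and the sensitive-scope list are assumptions; map your own IdP's export onto them.

```python
from datetime import datetime, timedelta

# Constructed sample identity events (not real logs). Field names are assumed.
EVENTS = [
    {"ts": "2025-09-10T08:00:05Z", "type": "mfa", "user": "alice", "result": "denied", "country": "GB"},
    {"ts": "2025-09-10T08:00:40Z", "type": "mfa", "user": "alice", "result": "denied", "country": "GB"},
    {"ts": "2025-09-10T08:01:15Z", "type": "mfa", "user": "alice", "result": "timeout", "country": "GB"},
    {"ts": "2025-09-10T08:01:50Z", "type": "mfa", "user": "alice", "result": "approved", "country": "GB"},
    {"ts": "2025-09-10T08:05:00Z", "type": "mfa", "user": "bob", "result": "denied", "country": "GB"},
    {"ts": "2025-09-10T09:00:00Z", "type": "mfa", "user": "bob", "result": "approved", "country": "GB"},
    {"ts": "2025-09-10T09:30:00Z", "type": "consent", "user": "carol", "app": "Calendar Sync",
     "scopes": ["Calendars.Read"], "admin_consent": False},
    {"ts": "2025-09-10T09:45:00Z", "type": "consent", "user": "dave", "app": "Quarterly Reporter",
     "scopes": ["Mail.ReadWrite", "offline_access"], "admin_consent": False},
    {"ts": "2025-09-10T10:00:00Z", "type": "token_refresh", "user": "erin", "country": "GB"},
    {"ts": "2025-09-10T10:12:00Z", "type": "token_refresh", "user": "erin", "country": "BR"},
    {"ts": "2025-09-10T10:20:00Z", "type": "token_refresh", "user": "frank", "country": "GB"},
    {"ts": "2025-09-10T14:00:00Z", "type": "token_refresh", "user": "frank", "country": "DE"},
]

# Scopes that let an app read mail or files or keep long-lived access (assumed list)
SENSITIVE_SCOPES = {"Mail.Read", "Mail.ReadWrite", "Files.ReadWrite.All",
                    "offline_access", "Directory.ReadWrite.All"}


def parse_ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def push_fatigue(events, threshold=3, window=timedelta(minutes=10)):
    """Approval preceded by >= threshold denied/timed-out prompts inside the window."""
    alerts = []
    mfa = sorted((e for e in events if e["type"] == "mfa"), key=lambda e: e["ts"])
    for i, e in enumerate(mfa):
        if e["result"] != "approved":
            continue
        t = parse_ts(e["ts"])
        rejected = [p for p in mfa[:i] if p["user"] == e["user"]
                    and p["result"] in ("denied", "timeout")
                    and t - parse_ts(p["ts"]) <= window]
        if len(rejected) >= threshold:
            alerts.append({"rule": "mfa_push_fatigue", "user": e["user"],
                           "ts": e["ts"], "rejected_before_approval": len(rejected)})
    return alerts


def risky_consents(events, sensitive=SENSITIVE_SCOPES):
    """User-granted consent that hands an app sensitive scopes without admin review."""
    return [{"rule": "risky_consent", "user": e["user"], "app": e["app"],
             "scopes": sorted(set(e["scopes"]) & sensitive)}
            for e in events
            if e["type"] == "consent" and not e["admin_consent"] and set(e["scopes"]) & sensitive]


def refresh_location_anomaly(events, window=timedelta(hours=1)):
    """Same user refreshing tokens from two countries within the window."""
    alerts, last = [], {}
    for e in sorted((e for e in events if e["type"] == "token_refresh"), key=lambda e: e["ts"]):
        prev = last.get(e["user"])
        if prev and prev["country"] != e["country"] \
                and parse_ts(e["ts"]) - parse_ts(prev["ts"]) <= window:
            alerts.append({"rule": "refresh_country_change", "user": e["user"],
                           "from": prev["country"], "to": e["country"]})
        last[e["user"]] = e
    return alerts


def run_all(events):
    return push_fatigue(events) + risky_consents(events) + refresh_location_anomaly(events)


if __name__ == "__main__":
    for a in run_all(EVENTS):
        print(a)
```

On the sample this raises exactly three alerts: alice approving after three rejected prompts in under two minutes, dave granting mail and offline access to an unreviewed app, and erin's token moving from GB to BR in twelve minutes. Bob's single denial an hour earlier and Frank's GB-to-DE change nearly four hours apart stay quiet, which is the tuning trade-off lesson 6 describes: thresholds and windows belong in the detection content, and purple team exercises are how you find out whether they are set where your attackers actually operate.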

8) People and processes are the primary control surface 

Attackers go through the front door. They call your service desk, spoof executives and pressure staff. Controls that help people make good decisions are worth more than another tool that no one has time to tune. 

What to do: 

  • Script and enforce high risk helpdesk procedures with supervisor checks 
  • Run live-fire exercises for social engineering and payment fraud 
  • Use password managers and remove shared credentials from workflows 

9) AI is an accelerant for attackers and defenders 

LLM powered phishing, deepfakes and zero-click routes raise the bar. On the defensive side, AI helps triage alerts, reduce false positives and detect unusual behaviour across users and devices. Governance decides whether AI is a strength or a liability. 

What to do: 

  • Threat model AI assistants and restrict what data they can access 
  • Add detections for prompt injection patterns and abnormal retrieval 
  • Train finance and executive assistants on deepfake verification 

10) Regulation is raising the floor 

GDPR started the move to outcome based security. NIS2 expands scope and personal management duties. DORA codifies ICT risk and third party oversight for financial services. UK boards must be able to evidence governance, training and testing. 

What to do: 

  • Map controls and evidence to NIS2 and sector obligations 
  • Maintain board training records and minutes for cyber decisions 
  • Align incident reporting clocks with legal counsel and regulators 

The shifting cyber security landscape 

Nation state attacks become a very real threat 

The last decade proved that nation state actors are not just a problem for defence contractors. The Ukraine war brought destructive cyber campaigns into the open, with attacks such as NotPetya, Industroyer2 and Viasat satellite disruption showing how digital weapons can cause physical and economic harm far beyond the battlefield.  

UK critical infrastructure providers had to rethink resilience, with NCSC warnings emphasising that energy, telecoms and transport networks are now particularly under threat. 

Election and public-sector targeting become routine 

Democratic institutions and public services have become regular targets for hostile states and criminal groups alike. From influence operations to direct compromise, the goal is often to erode public trust and disrupt essential services.  

The UK Electoral Commission breach underlined how long recovery can take when sensitive voter data is exposed, highlighting a resilience gap in civic infrastructure. For IT and compliance leaders in the public sector, this makes investment in continuity and transparent recovery as important as prevention. 

Cyber insurance market shifts 

Insurance once felt like a safety net against large cyber incidents. That changed as systemic events such as ransomware waves and supply chain exploits exposed the limits of traditional models.  

Premiums have hardened sharply in high risk sectors, exclusions for state-backed attacks have been written into Lloyd’s market policies, and calls for public backstops reflect recognition of systemic risk. For UK retailers, the M&S and Harrods incidents showed how insurance is no longer a guaranteed shield against loss. 

The net result is a shift in strategy. Boards now see insurance as one part of a layered resilience plan, not the centrepiece. That means greater focus on protection and mitigation: from improved patch velocity and identity resilience to tested recovery plans and contractual risk sharing with suppliers. 


Transformation of the Cyber Security Industry with AI 

Boards can no longer delegate cyber risk without oversight. The Uber case showed that mishandling breach disclosures can attract personal consequences. NIS2 makes corporate management responsible for cyber security oversight and requires early warning within 24 hours, structured updates at 72 hours and a final report within one month. DORA places ultimate responsibility for ICT risk on the management body and formalises incident reporting, testing and third-party risk management in finance. 

For you this means three things. First, make governance visible. Keep a living risk register and record decisions, rationale and evidence. Second, integrate legal, communications and regulatory liaison into incident response so timelines are met. Third, extend board visibility beyond internal controls to suppliers, cloud and managed services. Insurers and customers increasingly ask for the same evidence, so a single source of truth reduces effort and inconsistency. 

How AI has transformed cyber security for UK organisations 

AI has created a new attack surface. Prompt injection and scope violations can force AI assistants to exfiltrate data without user clicks. Mobile zero-click spyware also highlights the risks in ‘bring your own device’ estates.  

Criminals industrialised social engineering with AI generated phishing and realistic deepfake calls that bypass traditional verification.  

But at the same time, AI tools deployed in a Security Operations Centre (SOC) help analysts triage at scale, surface behavioural anomalies and trigger automated containment through SOAR. 

Data governance also changed. AI services can classify and label sensitive information across Microsoft 365, Azure and other platforms in near real time. The ICO has made clear that UK data protection law already applies to AI use. The EU AI Act introduces risk based obligations that will influence UK buyers and multinationals. Treat AI models as privileged applications. Decide what data they can read and write, log their actions and apply DLP and sensitivity labels to AI outputs. 

What UK organisations should do in the next 90 days 

1. Threat model your AI and SaaS 

Inventory where assistants and integrations can read and write. Disable unused connectors. Add detections for abnormal retrieval and prompt injection signatures. Review tenant settings for Teams, SharePoint and email automation. 

2. Strengthen identity and deepfake defences 

Move privileged users and finance workflows to passkeys or number matching MFA. Restrict helpdesk resets and require verified callbacks. Add an out of band step for high risk approvals and payments. 

3. Improve data governance and least privilege 

Roll out sensitivity labels and enforce DLP tied to labels. Remove broad access to customer and payroll data. Expire stale guest access and revoke unused app consents. 

4. Adopt an AI-secure development lifecycle 

Apply secure design, testing and monitoring to AI features as you would to any software component. Run AI red team exercises before production rollout and record results for governance. 

5. Policy and legal preparation for the AI Act era 

Create an AI Use Policy, supplier questionnaire (model origin, training data, evals, safeguards), and a board level AI risk register aligned to EU AI Act or similar principles.  


Protecting customers for a decade and the next 

At DigitalXRAID, we’ve been protecting customers throughout these industry shifts for the last 10 years. We combine a 24×7 Managed SOC, Penetration Testing, Incident Response and compliance services, including ISO 27001 and NIS2 readiness, to give customers peace of mind that their business is safeguarded. 

Following the acquisition of DigitalXRAID by Limerston Capital in July 2025, we’re now part of a powerhouse group of UK-based cyber security, digital forensic investigation and e-Discovery specialists with more than a decade of experience and extensive certified expertise, protecting some of the world’s most recognisable brands across retail, professional sports clubs, healthcare, finance and universities.   

Operators of the UK’s most important critical national infrastructure, including governing bodies, local government, telecoms, energy and nuclear power, trust this group to protect their operations from cyber threats. 

You benefit from shared expertise, deep certification and a customer-first approach that keeps your organisation safe while you focus on your mission. 

If you would like practical help to apply the lessons in this guide, speak to the DigitalXRAID team. We’ll help you reduce exposure, improve detection and meet your obligations with confidence. 

FAQs for IT Directors and CISOs 

What are the biggest lessons from UK cyber attacks in the last decade? 

Know what you run, patch quickly, protect identity, and plan for exfiltration. Build resilience so you can continue operations while you investigate. Evidence your governance to customers, insurers and regulators. 

What does NIS2 mean for UK companies outside the EU? 

NIS2 applies in EU member states but influences UK buyers and multinational groups. UK policy is moving to strengthen NIS-style obligations. Expect greater focus on management accountability, supplier oversight and fast reporting. 

How has AI changed cyber threats and defences? 

AI makes phishing more convincing and enables zero-click routes. Defenders use AI to triage alerts, spot unusual behaviour and automate containment. The deciding factor is governance of models, data and access. 

What should go in a board cyber risk report in 2025? 

Top business risks and dependencies, exposure and patch metrics, identity and third-party posture, incident readiness and test results, progress against regulatory obligations and a view of residual risk. 

Do you still need cyber insurance if resilience improves? 

Yes. Insurance transfers residual financial risk, but underwriters now expect strong controls and clear evidence. Treat insurance as part of a layered strategy, not a replacement for protection. 
