Cyber Resilience in 2025: Minimising Business Disruption Amid Rising Threats
CYFOR are a leading provider of specialised forensic services with dedicated divisions in digital/mobile forensics, eDiscovery, corporate forensic investigations and cyber security. We asked CYFOR to provide us with its top tips for robust cyber resilience strategies to reduce the likelihood and impact of cyber incidents given the recent spate of high-profile cyber-attacks affecting UK household names, including Marks & Spencer, Co-op and Harrods.
The Current Threat Landscape
The recent high-profile incidents are stark reminders that no organisation is immune, regardless of size or sector. For in-house legal teams, these events underscore the dual responsibility of protecting the business operationally and from a liability and regulatory perspective.
Ransomware continues to dominate headlines, with attacks becoming more frequent and sophisticated. Whilst threat actors aren’t deviating far from the core tactics we’ve been tracking, attacks now often combine multiple techniques to maximise leverage over victims. Their evolving methods reflect a growing maturity in execution.
Law firms and in-house legal teams are increasingly involved, not just in managing the fallout post-incident but also in pre-emptive risk planning. Boards and regulators now expect legal professionals to have a seat at the cyber resilience table. The Information Commissioner’s Office (ICO) has issued guidance on ransomware and data protection compliance which businesses should take account of and implement.
Six Key Strategies to Minimise Disruption from Cyber Attacks
1. Prioritise Cyber Hygiene, Patch Management, and Regular Security Testing
Many breaches still originate from unpatched systems or legacy applications. Patching – the process of keeping systems and software up to date, installing fixes for known security vulnerabilities – remains a critical line of defence. Legal teams should advocate for regular patch cycles, particularly for internet-facing services, third-party applications, and remote access systems like VPNs or RDP.
Regular security audits help identify technical gaps, misconfigurations, and policy drift, while penetration testing simulates real-world attacks to evaluate how well systems withstand compromise. These activities not only help reduce risk but also, by validating the effectiveness of controls, serve as evidence of due diligence should a breach occur.
Tip: Ask IT to provide a quarterly summary of high-risk vulnerabilities, recent pen test findings, and mitigation plans. These should feed into legal risk registers and board reports.
2. Implement Multi-Factor Authentication (MFA)
Compromised credentials remain a leading cause of unauthorised access, making MFA a vital layer in any robust defence strategy. The key is the word “layer”: no single measure is enough, and critical protective measures should be used together.
From a legal and regulatory standpoint, MFA is now considered a baseline control, with its absence increasingly linked to hefty fines over negligence or non-compliance in the event of a breach.
3. Develop and Test Your Incident Response Plan
A well-documented and rehearsed incident response (IR) plan can be the difference between a minor disruption and a crisis. Legal input is crucial in defining communication protocols, data breach notification timelines, and the chain of command. It’s important that IR plans involve:
- Legal counsel at early stages
- External advisors (forensics, PR, insurers)
- Decision trees for reporting a personal data breach to the ICO, affected customers, or other regulators.
4. Understand Your Supply Chain Dependencies
In today’s world, understanding where your data resides, who has access to it, and how it flows between systems is critical for risk reduction, especially when it comes to third-party suppliers.
Legal teams should review data processing agreements and ensure suppliers meet minimum security standards, including incident notification requirements and business continuity provisions.
Tip: Maintain an up-to-date asset and vendor register with documented risk ratings. Include specific clauses in data processing agreements with processors that process data on your behalf, covering breach notification timeframes (e.g. within 24 hours of becoming aware of a breach), provision of information on the breach, and assistance with the containment and mitigation of breaches.
5. Educate Employees and Create a Culture of Security Awareness
Technical controls are only as effective as the people behind them – human error remains one of the biggest vulnerabilities in any cyber defence strategy. Phishing attacks continue to be a primary attack vector, with threat actors deploying increasingly convincing and sophisticated tactics, fooling even experienced users.
Regular, targeted training is essential – not just a one-off exercise. Simulated phishing campaigns help test employee awareness, reinforce learning, and identify areas of risk before attackers do. Create clear incident reporting pathways to empower staff to act as a line of defence, rather than a point of vulnerability.
Tip: Include cyber incident reporting obligations in employment contracts and onboarding material to reinforce individual accountability from day one. Ensure that there is regular data protection training appropriate to the role of employees.
6. Implement a Detection and Response Capability (e.g. SOC or MDR Service)
Prevention is vital – but detection is just as important. Organisations must have a means to monitor for suspicious activity, contain threats, and respond swiftly to minimise operational disruption.
A Security Operations Centre (SOC), whether in-house or delivered via a Managed Detection and Response (MDR) provider, plays a central role. These services monitor network traffic, system logs, and endpoint activity 24/7, enabling early identification of attacks before they escalate.
Legal teams should be aware of how incidents are detected, escalated, and handled, and ensure these workflows integrate with legal and regulatory obligations.
Legal and Regulatory Considerations
The legal consequences of a cyber incident go far beyond potential regulatory fines. Reputational damage, contractual liability, regulatory investigations and damages claims from affected individuals are all potential outcomes. The recent trend of collective legal action by individuals following major breaches highlights the need for proactive legal risk management. Consider and review your data insurance coverage.
Summary
Cyber resilience is not just an IT issue; it’s a business-wide priority that touches every department, especially legal. By taking a proactive stance and embedding cyber risk considerations into governance and crisis planning, legal teams can play a pivotal role in reducing the impact of future attacks and in data protection compliance.
Pannone Corporate comment
The ICO has guidance on the reporting processes businesses should put in place to meet their obligations to report a personal data breach to the ICO and, where required, to affected individuals. When there is a personal data breach, you need to establish the likelihood of the risk to people’s rights and freedoms. If a risk is likely, the ICO must be notified of the breach without undue delay and not later than 72 hours after becoming aware of it. If the breach is likely to result in a high risk to the rights and freedoms of individuals, you must inform those affected without undue delay.
Ensure that you keep records of any personal data breach, including the facts relating to the breach, its effects, the remedial action taken and, if a breach is not reported to the ICO, the reasons why. If we can be of any further assistance, please do not hesitate to get in touch with the team at Pannone Corporate. If your organisation would benefit from an independent cyber risk review or a facilitated incident response workshop, we can put you in touch with CYFOR Secure.
Writers
Toby Nethercot, Cyber Sales Advisor
Will Poole, Technical Director
If you would like to discuss anything in this article further, please contact:
Patricia Jones
Our Pannone x IHL is designed to bring you the latest news and legal developments relevant to in-house lawyers. If there are any areas you would like more information on or if you have any questions or feedback, please do not hesitate to let us know via our feedback form or get in touch with any member of our team.
Copyright in this publication is owned by Pannone Corporate LLP and all rights in such copyright are reserved. Pannone Corporate LLP is a limited liability partnership registered in England and Wales with number OC388393. Authorised and Regulated by the Solicitors Regulation Authority. A list of members is available for inspection at the registered office, 378-380 Deansgate, Manchester M3 4LY. We use the terms “partner” to refer to a member of the LLP.