
The Year of the 'Cyberattack'
Looking back on what is now 11 years within ‘PSNI Cyber’, 2025 stands out perhaps more than any other, as the year in which cybercrime became household news (and we are yet to reach Q4).
From Belfast to Bristol and the office to the kitchen, in May alone the public discussed local and national headlines covering ransomware attacks against bodies such as the Co-op, West Lothian Council Educational Network and of course M&S.
The attack against M&S resulted in an impact I am sure many readers experienced first-hand, be that issues with payments, online ordering or receiving emails notifying of potential data loss.
Underreported across the UK and Ireland, ransomware attacks continue to impact organisations across all sectors in Northern Ireland and, as recent experience shows, they have the potential to target a law firm whether it operates as a sole practice or large partnership.
While incidents such as that experienced by M&S have the potential to impact operations to the extent that they become public news, in general terms incidents reported to the Cyber Crime Centre over recent years have started to involve manageable operational impact. This is in some way explained by organisations’ increased understanding of the threat, along with the development of robust backups and recovery plans, as well as engagement with parties such as NCSC Assured Providers. But increasingly, the challenge faced by local organisations is dealing with a reported or confirmed loss of data.
Those with a role in data security or involved in data breach incidents will be aware of the CIA triad of ‘Confidentiality, Integrity and Availability’. Based on encryption, ransomware by its very nature has always targeted the ‘Availability’ strand of the CIA triad and for those without the necessary backups and recovery plans, this remains a significant risk. Just as organisations have developed a better understanding of how to prevent, detect or recover from a ransomware incident, so too have threat actors developed a better understanding of the pressure points likely to increase the chances of receiving a payment, moving their focus towards data exfiltration and the threat to publicise or auction data via online data leak sites.
As shown in the following message received by a local victim, threat actors have also taken steps to make direct contact with organisations in an effort to apply pressure:
'I represent a group of hackers. My message is a question for your company. Are you planning to contact the hackers or you don’t care if your files are published by the hackers? They just want to know your final decision. If you don’t care there’s no need to react your files will be published soon… Your company could be involved in some legal issues and even court cases because of the leak of information, you should understand that… You still have an opportunity to resolve that issue as soon as possible and peacefully.'
In less than 50 seconds, the polite intermediary in this and similar calls raised a number of key points such as ‘you don’t care if your files are published’, ‘legal issues’ and ‘leak of information’, reflecting the fact that threat actors understand the regulatory and reputational risks ‘data loss’ can pose to an otherwise functioning organisation.
Those familiar with UK GDPR legislation will be aware of the need to ensure personal data is protected against ‘unauthorised or unlawful processing’ or, to come back to the CIA triad, that its ‘Confidentiality and Integrity’ is maintained (Art 5(1)(f) UK GDPR) with appropriate measures (Art 32 UK GDPR).
In considering ‘appropriate measures’, PSNI Cyber Protect and partners such as the NICSC (Northern Ireland Cyber Security Centre) continue to support the adoption of Cyber Essentials Plus as a way of both baselining an organisation’s current level of cybersecurity and demonstrating to third parties that a tangible step has been taken to minimise the risk posed by common cyberattacks.
Focused on prevention, measures such as Cyber Essentials need to be complemented by steps taken to ensure the ‘Integrity and Confidentiality’ of relevant data is maintained and that organisations are resilient in the event of an incident.
To help organisations assess their cyber resilience, the National Cyber Security Centre (ncsc.gov.uk) offers the Cyber Assessment Framework (CAF). Designed to be ‘outcome focused’, ‘compatible with the use of appropriate existing cyber security guidance and standards’ and as ‘straightforward and cost-effective to apply as possible’, the CAF provides a framework to those looking to carry out cyber resilience assessments on objectives such as ‘Managing Security Risk’ and ‘Minimising the impact of cyber security events’, providing ‘Indicators of Good Practice’ (IGPs) on key topics such as ‘Supply Chains’ and ‘Stored Data’.
For those organisations without an internal Cyber/Information Security team, the CAF offers areas to explore with contracted third-party Managed Security Service Providers and a recognised pathway towards improving overall cyber resilience as you seek to achieve IGPs across relevant topics.
For information on Cyber Protect services please visit psni.police.uk/cyber-protect
Samuel Kinkaid, Regional Cyber Protect Officer PSNI