DragonForce, Scattered Spider, and Octo Tempest — are we living in a James Bond movie? The current wave of cybercrime is never-ending and at times feels more like a tsunami. We have to invest in defenses that are stronger and better, or we risk being swamped.
In late April 2025, British retailers suffered serious cyberattacks. A leading U.K.-based retailer with more than 1,400 stores worldwide, Marks & Spencer suspended online sales and saw empty shelves in stores. Industry rumors suggested that a ransom may have been paid, with costs of at least £50 million ($67.8 million) incurred by mid-May alone. The Co-op supermarket chain also came under attack and experienced empty shelves, with a reported loss of data relating to 20 million customers. It was said the retailer “yanked their own plug” to avert an even worse attack. Luxury department store Harrods came under attack but apparently saw off the threat.
It was first thought that a “cybercrime service” known as DragonForce was responsible. BBC News reported that security experts said the tactics were “similar to that of a loosely coordinated group of hackers who have been called Scattered Spider or Octo Tempest.” In response, the CEO of the U.K.’s National Cyber Security Centre issued a statement that included the line, “These incidents should act as a wake-up call to all organizations.” But it’s not like we haven’t been warned, is it? The alarm keeps going off, but it seems the snooze button is never far away.
These attacks didn’t really come out of the blue, did they? In the sense that they might have been anticipated — and so prepared for.
Why Aren’t Organizations Heeding the Warnings?
Just two weeks before the alleged attacks on M&S, on April 10, 2025, the U.K. government released “The Cyber Security Breaches Survey 2025,” its study on cyber resilience that’s used to inform policy on cyber security. Key findings included:
- Cyber security remains a high priority for the majority of businesses.
- 43% of businesses and 30% of charities reported experiencing a cyber security breach or attack in the previous 12 months (equating to some 612,000 U.K. businesses and 61,000 U.K. charities).
- The prevalence of breaches and attacks in medium and large businesses remains high: 67% for medium, 74% for large.
- Larger organizations showed a higher prioritization of cyber security (92% of medium businesses and 96% of large businesses) compared to businesses overall (72%).
These findings are hardly surprising. And yet, if cybersecurity is really such a “high priority” then why are so many systems and so much data being compromised with alarming regularity? Perhaps there is a perception within the business that cybersecurity is taken seriously, yet this “priority” is not actually backed up by serious thought and focused investment?
On the other side of the world, meanwhile, 2024 proved to be a record year for data breaches in Australia, the majority experienced by health service providers and government. According to a report published in May 2025 by the Office of the Australian Information Commissioner, 1,113 breaches were recorded, a 25% increase on the previous year. The most recent Notifiable Data Breaches Report (July to December 2024) found that 69% of breaches were due to malicious or criminal attacks, and 29% were the result of human error: the usual suspects, in other words.
And while the 2024 BMC Mainframe Survey Report found that ransomware remains a top concern, it also reported that confidence in ransomware controls was actually decreasing. What can we do to increase that confidence, to improve our defenses, thwart the ransomware attacks, and avoid data breaches?
Focus, Understand, Observe, and Invest
A main finding of the 2025 Arcati Mainframe Survey was that “a reputation for resilience requires security investments.” That’s the key. And it’s not only about reputation, it’s also about lived reality. More than half of respondents said they were concerned about mainframe security, with data breaches the top concern (72%), and encryption and multifactor authentication were widely used. However, only 21% conducted cybersecurity monitoring — “highlighting an opportunity for security investments.”
Observability and real-time monitoring that feed into preemptive action or an extremely rapid response, powered by artificial intelligence and automation, show the way forward. But such an approach requires investment in cybersecurity, and those investments need to be based on a strong understanding of your current security posture, the threat landscape, and the risks you face. (As an aside, you may be surprised to learn that fewer than 40% of organizations surveyed by Arcati were doing basic security housekeeping chores, such as ID cleanup.)
If this all sounds a bit doom and gloom, that’s because it is. However, as we continue to tell our clients, there are steps you can take and ways to protect yourself and raise your levels of cyber resilience.
The best way to avoid data breaches is by doing everything you can to make sure they can’t happen in the first place. This is the “prevent and withstand” element of cyber resiliency. If we better understand the risks, threats, and vulnerabilities that we face, then we have an opportunity to manage them and mitigate their effects on our systems, data, and supporting assets. Penetration testing by experienced cybersecurity experts, for example, is a tried-and-tested method to quickly identify threats and risks and to close gaps and harden your cybersecurity stance. It’s also recommended to regularly review and check security controls to understand our security posture — strengths, weaknesses, vulnerabilities — to focus on the risks and take action. We’ve created a handy infographic that outlines the differences and benefits of security assessments and pen tests. You can download a copy via this link.
Earlier this year, Vertali launched the Mainframe Shield awareness initiative. This aims to bring together the international mainframe cybersecurity community based on the notion that we need to do more, and that together we can go further, faster. There is still a misconception that the mainframe is inherently secure. It isn’t. Hence, the continued need for penetration testing to simulate real-life cyberattacks, more detailed cyber security assessments, and any number of additional frameworks, approaches, and tools to properly protect our systems, people, and data. Mainframe Shield is looking for organizations and individuals to join its independent advisory group. If you’re interested, you can complete the simple form on this page.
Securing the mainframe and doing everything you can to prevent data breaches can seem like an impossible mountain to climb, but it is achievable. And it has to be a continuous process to make sure we are staying one step ahead of the bad actors. As the old saying goes, “think like an engineer, act like a hacker.” And as highlighted earlier, proper cybersecurity comes at a price. It requires thought and investment. But the costs of not being secure can prove far higher. Just ask M&S.
Leanne Wilson is senior technical delivery manager/senior security consultant at Vertali. With more than 13 years’ experience in mainframes, systems engineering, and cybersecurity, Wilson leads Vertali’s mainframe technical delivery of security and infrastructure projects. She focuses on helping organizations around the world to secure, protect, and optimize their mainframe infrastructure and related applications. Wilson is also conference manager for GSUK.