Board Briefing: Cyber Governance Insights

Business must prepare for even more disruptive cyberattacks

Corporate security is now increasingly national security. So what should private companies – the last line of defence for themselves and often the first line of national defence – be considering?

Ciaran Martin, on September 15, 2025

 

Australian Financial Review Cyber Summit 2025 keynote

 

 

The problem with luck is that eventually it runs out. For years, Australia largely managed to avoid the blockbuster corporate data breaches that had afflicted so many of its allies.

The “lucky country” seemed to be lucky in cyberspace too.

Then, in late 2022, what my colleague Alastair McGibbon – head of the Australian Cyber Security Centre when I led its British equivalent – called “Australia’s cyber reckoning” arrived, with huge breaches at Optus and Medibank.

That history is worth bearing in mind as a new and seriously concerning cyber trend sweeps across the UK, Western Europe and North America. The age of serious cyber disruption is upon us. We are now finding out that disruption can be far, far more painful than losing data.

Jaguar Land Rover, one of Britain’s leading carmakers, has spent much of September paying thousands of plant workers to stay at home because its main British factories can’t function. A few months earlier, shelves were empty and online purchases became impossible at iconic British retailer Marks & Spencer, costing the company more than an estimated $600 million.

Over the past two years, a US steelmaker, a Belgian brewer and a French electronics manufacturer have all had to at least partly halt production following a cyberattack. Other incidents have disrupted telecoms networks and local government services.

Although we call them both cyberattacks, disruptive incidents have a completely different impact compared to data breaches. To use the crude analogy of a human being’s personal security, a data breach is the equivalent of someone breaking into your house when you’re not there, copying sensitive records, and using that confidential information to harm you. A disruptive attack is more like being punched in the face and left with broken limbs.

We are seeing more of this kind of bone-snapping, business-disrupting attack. It is being pioneered by criminals looking for money – often, but not always, hiding in the sanctuary of Russia (the four people arrested in connection with the Marks & Spencer attack are all British; the case has yet to come to trial). We should be worried about the criminals. But we should be even more worried about what they’re showing hostile nations about what they can do to us.

Back in 2023, the US, Australian, British, Canadian and New Zealand governments published one of the most significant ever warnings about cyber threats. The confusing codename given to the operation, known as Volt Typhoon, should not obscure what it is: a direct threat from the Chinese military to inflict large-scale cyberdamage on Western critical infrastructure and economic interests.

To understand what Volt Typhoon would look like in practice, think of how it felt when Australia faced port blockages in late 2023 when DP World took its systems offline to stop a cyberattack. Now add in a Marks & Spencer-style disruption at one of the two supermarket chains that dominate Australian food retail. Now throw in a Jaguar Land Rover equivalent. And keep going: because the essence of Volt Typhoon is dozens or even hundreds of these types of disruptive attacks, all happening at the same time to stop our societies from functioning properly. It’s an insurance policy for China, in case tensions increase, most likely over Taiwan.

Corporate security is now increasingly national security. So what should private companies – the last line of defence for themselves and often the first line of national defence – be considering?

We need to start thinking about cybersecurity differently in three areas.

First, we need to recognise that disruptive cyberattacks and data breaches are completely different beasts, and plan accordingly. Australia, with its reputation for market concentration in many key sectors like telecoms, food retail, media and banking, could be acutely vulnerable to cyberdisruption of critical services.

Across the Western world, law and practice have too often elevated data security above resilience against disruption. The worst example of this comes from Ireland in 2021, which suffered a catastrophic, nationwide outage of the healthcare booking system. It turned out after the event that the cyberdefence of the system had been, by law, required to prioritise the security of patient data above the ability to provide healthcare.

The second is to look holistically at supply chains. Many of the disruptive attacks we’re seeing involve third-party suppliers as the way in. So their security matters too. Over the past few years we’ve rightly become obsessed with removing hostile suppliers from our networks. If it’s from China, for example, the reflex is to ban it. That’s often justified, but it’s rarely enough. There are countless examples of major incidents where the supplier is from a friendly country, but their security practices just aren’t up to scratch. That must change.

Finally, there’s the opportunity to be disruptive ourselves: disruptive for good. The narrative around the artificial intelligence revolution and cybersecurity can sound like a one-way street: only the baddies will be using it to get better. In fact, AI offers spectacular opportunities to improve the security of networks. Optus and Westpac’s “SafeCall” initiative – helping customers to understand more easily when a communication is genuine – is just one of many examples of how we can use technology to turn the tables on the hackers.

It is imperative that we innovate for security, not just for the security of our organisations, but for our entire society too.

 


 

This opinion piece by CyberCX UK Chair Ciaran Martin originally appeared in the Australian Financial Review on September 15, 2025 under the title: Business must prepare for even more disruptive cyberattacks
