- The JLR cyberattack shows that cybersecurity risk can affect most businesses.
- Strengthen your business resilience with network segmentation, offline backups, and controlled user access.
- Cyber insurance is essential for SMEs, but you must understand your policy’s coverage.
- Create, test, and rehearse an incident response plan before an attack happens.
Many of us have become blasé about the stream of cybersecurity warnings directed at us by software vendors, security consultants and the media – yes, including Financial Accountant. But every so often an incident can break through and remind everyone of the catastrophic power of a successful cybersecurity breach.
September’s Jaguar Land Rover (JLR) breach was so disruptive that the Bank of England mentioned it as one reason that the UK’s economic growth was slower than expected in the third quarter of 2025.
And even though the company has been largely silent, we already have a first attempt at a post-mortem report. The Statement on the Jaguar Land Rover Cyber Incident – October 2025 comes from the independent Cyber Monitoring Centre (CMC), and it contains lessons for anyone wanting to keep their own or their clients’ systems safe from intrusion.
The size and scope of the breach make it Britain’s biggest ever – as CMC puts it, “the most economically damaging cyber event to hit the UK”. It tops even the Marks & Spencer attack in April 2025. It forced Jaguar Land Rover to shut down not just its IT systems and network, but also its Merseyside and Solihull factories. CMC’s report estimates the damage may cost Jaguar Land Rover £1.9 billion.
Roughly 120,000 people are employed in supply chain operations by JLR, the largest automotive supply chain in the UK. That’s a lot of small businesses potentially affected by the attack and subsequent shutdown.
What actually happened at JLR?
The company continues to withhold details about the exact nature of the attack, saying only that restarting its systems has presented challenges, and that some data may have been compromised.
Solihull-based information technology and security consultant Paul Reynolds believes that JLR could have suffered a ransomware attempt or network compromise. It would likely have been facilitated by social engineering, where individuals are tricked into disclosing sensitive information. He suggests that the incident then spread into operational technology (OT), where factory systems talk directly to the network.
For Reynolds, JLR did the right thing by pulling the plug on its IT systems. However, recovery took weeks. That, he says, shows “how hard it is to untangle digital from physical once they’re intertwined”.
Lessons for small businesses
£1.9 billion sounds like a heavy loss, but with access to cash (£6bn, according to The Guardian), plus a £1.5 billion loan guarantee from the government, JLR has the resources to manage the crisis and is already in recovery.
Its supply chain will not be so lucky. The CMC expects the loss of profit to “cascade down through all tiers of suppliers”. Many have already had to take extreme measures to cope, including reducing pay, banking hours, and in some cases laying off staff.
Noel Bradford, head of technology at Aylesbury-based Equate Group, is also widely known to podcast listeners as The Small Business Cyber Security Guy. He says that for SME suppliers, “a six-week disruption to their primary customer can mean insolvency.”
He notes that these SMEs face a double vulnerability: cyber threats to their own systems, and disruption caused by attacks on their customers. It’s a growing problem, with a study from the National Cyber Security Centre estimating that one in two UK small businesses identified a cyberattack last year, and around one in four experienced a cybercrime.
For Reynolds, the big takeaway is that “cyber risk is business risk”. If a failure of an SME’s systems can halt orders, payments or production, those systems need the same resilience planning as physical assets.
This was a common thread through Financial Accountant’s conversations with experts: cybersecurity is a business resilience issue, not just an IT problem. So, what practical steps can SMEs take to mitigate the risks?
1. Strengthen resilience
Production networks often include legacy technologies that are more vulnerable to attack. Networks should be kept updated and segmented into separate sub-networks. “Finance, production and admin should never share a blast radius,” says Reynolds.
Additionally, online backups can be encrypted by ransomware along with everything else, so offline backups should be implemented and tested regularly. Bradford recommends tightly controlling privileged access, with admin credentials used only for administrative tasks, and least-privilege principles applied to all users and service accounts.
2. Re-evaluate cyber insurance
JLR had no cyber insurance, and will therefore bear the full financial impact of its attack. Bradford says that cyber insurance is essential for small businesses to manage catastrophic risk.
The first step is understanding what is covered, as policies vary dramatically. Some only cover breach notifications, while others also cover business interruption, ransom, legal fees and fines. Many omit nation-state attacks, war, or unpatched systems.
How much will insurance cost? Bradford notes that prices vary based on industry, security controls, and claims history. But he says cyber insurance for businesses with £1-5 million revenue typically ranges from £1,500 to £5,000 annually for £1 million coverage.
3. Test incident response plans
Having a documented response plan prevents panic and can reduce the impact of an attack.
Reynolds recommends mapping and monitoring supply chains, and listing the vendors, systems and people your business can’t function without. Then check whether they have the same commitment to security as you do. “Ask for evidence,” he says. “A weak link can take you down.”
He adds that SMEs should rehearse a basic incident-response plan. This requires working out “who calls who, what gets shut down, and how you keep clients informed”. Keep those plans and contact numbers somewhere they can be easily accessed in an emergency scenario.
Bradford recommends reviewing contracts with suppliers and service providers to ensure they specify security standards: “Many standard contracts shift all cyber risk to the customer. Negotiate security requirements and liability clauses appropriate to the risk level.”
Cyberattacks are no longer an ‘if’, but a ‘when’
If the JLR attack proves anything, says Reynolds, it’s that you don’t need to be a global manufacturer to feel the shockwaves of poor cyber hygiene: “You just need to be connected to one.”
For small businesses and accounting practices, the question is not whether your business will face a cyber threat, but whether you will be prepared when it arrives.