The first half of 2025 saw a series of high-profile cyberattacks on some of the UK’s most recognisable retailers, including M&S, Co-op and Harrods.
These attacks demonstrated how easily modern enterprise environments can be compromised and infiltrated.
More than that, they’re an example of a much wider pattern. Across sectors, organisations are facing a new breed of threat actor: fast-moving, highly targeted and increasingly difficult to detect. Groups like Scattered Spider are leading this shift. Their methods are not reliant on sophisticated exploits, but on exploiting complexity, using social engineering, third-party access and overlooked digital entry points to infiltrate environments with speed and precision.
As the line between opportunistic cybercrime and nation-state-level tactics continues to blur, organisations are being forced to rethink how they assess and manage risk at scale. And that starts with cyber exposure.
The new face of cyber risk
So, what is cyber exposure? To put it simply, it’s the sum of all the ways an organisation’s digital environment can be accessed, exploited or disrupted, whether intentionally or unintentionally. And the recent retail attacks exposed how sprawling digital ecosystems – spanning online storefronts, in-store POS systems, mobile apps and backend inventory platforms – can be compromised through a single weak link.
It’s a sector where operational urgency is high and customer experience essential, so many retailers fast-track deployments or delay security updates, creating ideal conditions for attackers to exploit. These UK-focused attacks quickly went global, with major US retailers also finding themselves in the crosshairs.
The insurance sector is facing similar pressures. With vast stores of sensitive data, distributed infrastructures, and traditionally lower cyber maturity, insurers are being hit hard. Recent breaches at insurance companies such as Aflac and Erie were coordinated, strategic and designed to exploit both technical and human vulnerabilities. The sector’s reliance on legacy systems and fragmented visibility has widened the attack surface, making lateral movement easier and faster.
The pattern extends further, to the aviation and transport sectors. Scattered Spider allegedly also hacked Qantas Airlines by targeting one of its call centres and gaining access to a third-party customer service platform. In addition, today’s airports operate as cyber-physical ecosystems, where everything from biometric scanners and baggage systems to HVAC units and gate signage is connected. These integrations may improve efficiency, but they also increase exposure. A breach in one system can ripple across many others, especially when operational technology shares networks with public-facing systems.
What unites these attacks is not just the tactics used, but the conditions that allowed them to succeed: sprawling digital ecosystems, legacy infrastructure and a lack of contextual understanding around how systems, assets and users interact. Security teams are under pressure to defend environments that are constantly shifting, often without the tools or intelligence to anticipate where the next breach might come from. With attacks rising in frequency and sophistication, UK and global organisations are being tested like never before. Security teams are juggling sprawling digital estates, under-resourced teams and the growing threat of generative AI – all while trying to embed a culture of collaborative risk management.
In this climate, it’s no surprise that attackers often gain a foothold long before a signal is triggered, having already moved laterally, exfiltrated data or deployed ransomware. And the financial impact has become significant. UK organisations now face average ransomware payouts of £5.6 million per breach, with that figure rising to £14.2 million for those organisations within the transport and logistics sector. Reactive cybersecurity is proving costly in more ways than one. A change is clearly needed. And the first step is rethinking cyber exposure management.
The first step toward pre-emptive defence
Rethinking cyber exposure management means shifting focus from reacting to incidents to understanding where risk originates. The most significant vulnerabilities often stem from what organisations can’t see clearly – the assets they depend on, the systems they’ve connected and the relationships between them. When these aren’t fully understood, they become blind spots. And blind spots are where attackers live.
Cyber exposure management offers a strategic approach to identifying, assessing, prioritising and reducing cyber risk across an organisation’s entire digital footprint. It allows organisations to build a real-time understanding of every asset – whether managed or unmanaged, IT or OT, cloud-based or on-premises – and how those assets behave, interact and contribute to operational resilience.
However, it’s not just about cataloguing devices and gaining overall contextual awareness; it’s about understanding what each asset does, how critical it is and what it’s connected to. For example, in a modern airport environment, a compromised Wi-Fi router inside a coffee shop can trigger a failure that grounds flights. Without understanding how these systems interact, what data they handle and how they impact operations, organisations are left exposed to potential incidents. Cyber exposure management helps make sense of the complexity. By consolidating asset data and layering it with behavioural and operational context, it allows security teams to anticipate where threats are likely to emerge and take action before they escalate.
Increasingly, this is where AI can help. As attackers use machine learning to automate reconnaissance and adapt malware in real time, defenders must respond in kind. AI-driven exposure management can process vast volumes of asset and threat data, classify devices and surface the most urgent risks, often before they’re exploited. With that deeper understanding, organisations can work across their wider ecosystem to anticipate where threats or vulnerabilities are likely to emerge and take steps to harden those areas in advance.
This approach doesn’t replace existing security tools either. Exposure management platforms are designed to integrate with and strengthen existing systems such as SOAR or CMDB to create a unified, automated defence ecosystem. By embedding exposure insights into existing workflows, organisations can move faster, prioritise smarter and respond with greater precision to stay ahead of evolving risks.
Rethinking resilience starts with exposure
The nature of cyber risk has changed – and so must the way we approach defence. Today’s bad actors don’t wait for a misstep; they exploit the unknowns. That’s why the ability to see, understand and act on exposure in real time before a vulnerability is exploited is quickly becoming the bare minimum.
Cyber exposure management gives organisations the clarity to move from reactive firefighting to proactive defence. More importantly, it allows teams to not just detect threats, but anticipate them. And in a landscape where complexity is the attacker’s greatest ally, that clarity becomes the most critical layer of protection.
Resilience doesn’t begin at the point of breach. It begins with knowing where you stand and where you’re vulnerable. That’s the first line of defence. And it’s where every security strategy should now start.
About the Author
Alex Mosher is President at Armis. Armis, the cyber exposure management & security company, protects the entire attack surface and manages an organization’s cyber risk exposure in real time. In a rapidly evolving, perimeter-less world, Armis ensures that organizations continuously see, protect and manage all critical assets – from the ground to the cloud. Armis secures Fortune 100, 200 and 500 companies as well as national governments, state and local entities to help keep critical infrastructure, economies and society safe and secure 24/7.


