Manufacturers have been the most popular target for global cyber-attacks over the past four years. The sector was also number one for ransomware in 2024, according to IBM data. So, when Jaguar Land Rover (JLR) reported that it had been struck by digital extortionists at the start of September, it didn’t come as a huge surprise. But it did provide a timely reminder about the potentially critical impact of such attacks on business continuity.
Security teams should use this as an opportunity to make the case to the board for greater investment in cyber resilience.
The Fallout Continues
The UK has been rocked by a series of cyber-extortion attacks this year. They all seem to stem from a loose collective of English-speaking threat actors described as Scattered Spider, Shiny Hunters, and now Scattered Lapsus$ Hunters. First came the raid against retailers including M&S and the Co-op. Then came a supply chain campaign targeting Salesforce instances. And then a slew of related attacks on Salesforce customers which targeted their Salesloft Drift integration. The group is now reportedly bragging on its Telegram channel about hacking JLR.
How exactly it did this is currently unconfirmed, although some reports cite exploitation of an SAP NetWeaver vulnerability. A critical bug in the software was patched by SAP in April, and is known to have been used by ransomware groups, with exploit code publicly available. Tactics, techniques and procedures (TTPs) aside, however, we do know exactly what the stakes are for JLR.
From day one, the company admitted that its “retail and production activities have been severely disrupted.” A week later, JLR revealed: “some data has been affected, and we are informing the relevant regulators.” With staff at the firm’s facilities in Solihull, Halewood, Wolverhampton and outside the UK still not able to work, it’s estimated that the fallout could be costing JLR as much as £5m per day in lost profits.
That’s not to mention the impact on an extended supply chain that relies on JLR for its livelihood. Unions have called for government support after reports that some suppliers are facing bankruptcy. To add to their dismay, September is one of the busiest months of the year for carmakers and their partners, as it coincides with the release of new numberplates. JLR has delayed reopening its facilities several times. At the time of writing, the latest production pause would extend the outage until October 1.
What Resilience Means
All of which should highlight some important lessons about the need for organisations to focus on improving their cyber resilience. What is resilience? According to NIST, it’s the ability to “anticipate, withstand, recover from, and adapt to” cyber-attacks. That means putting best practices in place to ensure threat actors have fewer opportunities to access critical networks and resources. It also means ensuring that the organisation is able to recover quickly, and continue to operate as normal, even if it does suffer a breach.
ThingsRecon CISO Tim Grieveson argues that to achieve this, security leaders must first understand their organisation’s key business functions and related systems. This will allow them to prioritise investments based on business impact.
“Instead of talking about technical jargon like ‘vulnerability scores’, CISOs should translate cyber risk into financial terms that resonate with the board and senior leadership. This could mean presenting the potential cost of downtime, data loss, or regulatory fines,” Grieveson tells ISMS.online.
“A CISO’s strategy must also be based on the assumption that a breach is not a matter of ‘if’ but ‘when’. This shifts the focus from building an impenetrable wall to building a system that can absorb, withstand and quickly recover from an attack.”
CISOs must also understand the importance of continuous employee training and education, to build a security-aware culture. “This turns every employee into a part of security defence and teaches them to recognise and report potential threats like phishing attempts,” he says.
However, even with the best training, breaches do occur. This is where testing against pre-determined scenarios comes in, according to William Wright, CEO of Closed Door Security.
“What is the worst-case situation? If this situation arises, can the organisation recover from it? If not, what gaps exist and how can they be mitigated? This assessment should cover all internal and external assets. For instance, how can breaches on suppliers impact my operations? Not all attacks are direct,” he tells ISMS.online.
“In these environments, where feasible, all attack scenarios will have a ready-made and rehearsed playbook for mitigation, while there will always be backups in place to limit the operational impact of attacks.”
Zero Trust can also be a useful way of thinking about building resilience, adds Grieveson.
“A Zero Trust approach assumes that the network is already compromised and requires every user, device and application to be verified before granting access,” he explains. “This is particularly relevant for manufacturers who often rely on a mix of old operational technology systems and newer IT.”
Standards Can Help
Grieveson adds that best practice standards like ISO 27001 and SOC2 can also help build resilience by putting in place a structured framework for managing information security.
“They offer tangible expectations on what good looks like that goes beyond just preventing attacks,” he concludes.
“Instead of thinking of security as a reactive, tick box exercise, it encourages businesses to take a proactive, business-oriented approach with the governance, processes, and controls necessary to prevent attacks. And to ensure the business can survive and quickly recover when an inevitable breach occurs.”










