The list of the most serious cyber attacks in 2025 reads like a business thriller – except that it affects real companies. The following examples show that cyber attacks are no longer an isolated IT issue, but a business risk. They affect sales, delivery capacity, market position and, in extreme cases, endanger the existence and reputation of a company.
In August, Jaguar Land Rover's production came to a standstill for almost six weeks. Large parts of the plants in the United Kingdom were affected. Production facilities had to be shut down, dealer networks isolated. The estimated damage: around two billion euros.
At the British retailer Marks & Spencer, attackers paralyzed the online shop. For six weeks, customers could not order as usual. Lost sales, additional costs for emergency measures, and reputational damage added up to almost 350 million euros.
In the USA and Canada, customers were sometimes faced with empty shelves – the wholesaler United National Foods was unable to deliver for several weeks in June because the ordering system had failed after a cyber attack. The result: damage of almost 400 million euros.
Cyber security typically appears on the cost side: it produces no products, runs no machines, and brings in no direct revenue. At the same time, the cost of adequate security is almost always lower than the cost of a major security incident. This is because a serious attack can eat up an entire year's profits and result in contractual penalties and claims for damages. It can trigger regulatory sanctions. And crucially, a serious attack damages the trust of customers, partners, and investors.
For companies, this means that security must be an integral part of risk management and should be on the agenda of management and supervisory boards – regardless of industry or company size.
In addition to the business perspective, there are clear legal requirements. These include, for example, data protection requirements, sector- or country-specific IT security laws as well as requirements from occupational health and safety regulations if IT failures can impair the safety of people. In addition, the European Network and Information Security (NIS2) Directive establishes binding security obligations for an increasing number of companies. Companies must not only do "something" for security, but also establish a demonstrably appropriate level of protection and continuously review it.
In order to address cyber security systematically rather than selectively, many organizations are guided by established standards such as the NIST Cybersecurity Framework (CSF) and the ISO/IEC 27001 standard for information security management systems. The NIST CSF describes security along five core functions: Identify, Protect, Detect, Respond, Recover. These can be transferred very well to a practical security strategy.
1. Identify
The goal is transparency: what needs to be protected, from what, and with what priority? This includes the recording of IT and OT systems (operational technology), applications, data and business processes, along with the assessment of threats, vulnerabilities, and business impact. From this, protection goals and security requirements are derived. Without this basis, any further action is reactive and random.
2. Protect
In this function, the measures that make attacks harder or limit their effects are implemented. This encompasses network and segmentation strategies, the hardening of endpoints, servers, and cloud environments, as well as identity and access management with robust authentication and role-based access controls. Additionally, it includes encrypting sensitive data and providing training and awareness programs for employees.
3. Detect
Since no protection is absolute, the ability to detect attacks quickly is critical. Continuous security monitoring of systems, networks, and cloud workloads helps detect such attacks. Security platforms analyze log data and events. In addition, threat intelligence and behavioral analytics provide clues to attacks. They then trigger clear alerting and escalation mechanisms. The earlier an attack is detected, the lower the damage sustained. At T-Systems, for example, we operate security operations centers (SOCs) and offer managed detection and response services. This provides companies with round-the-clock monitoring of their critical systems, eliminating the need to establish highly specialized in-house teams. Suspicious activities are analyzed, evaluated, and – depending on the agreement – responded to directly with initial countermeasures. This puts an end to the "blind flight" in your own network.
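The detection step described above, as an added example that is not code from the original post or from T-Systems: a small Python detector that parses constructed authentication log lines, applies a brute-force rule over a time window, correlates a burst of failed logins with a later successful login from the same source, and assigns each alert a severity and an escalation path. The log format, the threshold of five failures per minute, and the two escalation tiers are assumptions chosen for the illustration.

```python
"""Minimal log-based detection with alerting and escalation (added example)."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
import re

# Constructed sample log lines in a simplified syslog-like format (not real data).
SAMPLE_LOG = """\
2025-09-01T08:00:01Z auth sshd: Failed password for admin from 203.0.113.7
2025-09-01T08:00:03Z auth sshd: Failed password for admin from 203.0.113.7
2025-09-01T08:00:05Z auth sshd: Failed password for root from 203.0.113.7
2025-09-01T08:00:06Z auth sshd: Failed password for admin from 203.0.113.7
2025-09-01T08:00:08Z auth sshd: Failed password for admin from 203.0.113.7
2025-09-01T08:00:12Z auth sshd: Accepted password for admin from 203.0.113.7
2025-09-01T08:05:00Z auth sshd: Failed password for alice from 198.51.100.9
2025-09-01T08:20:00Z auth sshd: Accepted password for alice from 198.51.100.9
"""

# Assumed line format; a real pipeline would use the SIEM's parser instead.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth sshd: (?P<result>Failed|Accepted) password for "
    r"(?P<user>\S+) from (?P<src>\d+\.\d+\.\d+\.\d+)$"
)

FAIL_THRESHOLD = 5            # assumed rule parameter
WINDOW = timedelta(minutes=1)  # assumed rule parameter


@dataclass(frozen=True)
class Event:
    ts: datetime
    result: str  # "Failed" or "Accepted"
    user: str
    src: str


@dataclass(frozen=True)
class Alert:
    rule: str
    src: str
    severity: str      # "medium" or "high"
    escalate_to: str   # assumed tiers: "soc_analyst" or "incident_response"
    detail: str


def parse_log(text):
    """Turn raw log lines into Event objects; unknown lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(Event(ts, m["result"], m["user"], m["src"]))
    return events


def detect(events):
    """Apply the brute-force rule per source address and escalate by severity."""
    alerts = []
    by_src = defaultdict(list)
    for ev in sorted(events, key=lambda e: e.ts):
        by_src[ev.src].append(ev)

    for src, evs in by_src.items():
        failures = [e for e in evs if e.result == "Failed"]
        # Sliding window: look for FAIL_THRESHOLD failures inside WINDOW.
        burst_end = None
        for i in range(len(failures)):
            j = i
            while j < len(failures) and failures[j].ts - failures[i].ts <= WINDOW:
                j += 1
            if j - i >= FAIL_THRESHOLD:
                burst_end = failures[j - 1].ts
                break
        if burst_end is None:
            continue  # isolated failures: no alert

        # Correlation: a successful login after the burst means the guess may
        # have worked, so the alert is escalated straight to incident response.
        success_after = [e for e in evs if e.result == "Accepted" and e.ts >= burst_end]
        if success_after:
            alerts.append(Alert("brute_force_then_success", src, "high", "incident_response",
                                f"{len(failures)} failures then login as {success_after[0].user}"))
        else:
            alerts.append(Alert("brute_force_attempt", src, "medium", "soc_analyst",
                                f"{len(failures)} failures within {WINDOW}"))
    return alerts


if __name__ == "__main__":
    for a in detect(parse_log(SAMPLE_LOG)):
        print(f"[{a.severity.upper()}] {a.rule} from {a.src} -> {a.escalate_to}: {a.detail}")
```

The point of the correlation branch is the "earlier is cheaper" argument from the text: a burst of failures alone is routed to an analyst queue, while a burst followed by a successful login is treated as a possible compromise and goes to the incident response tier immediately.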
4. Respond
When a security incident occurs, the quality of the response determines the extent and duration of the impairment. This includes prepared incident response plans and playbooks, a well-rehearsed incident response team, and structured forensic analysis to understand cause, spread, and impact. And last but not least, professional internal and external communication.
5. Recover
After an incident, systems and processes must be restored quickly and in a controlled manner. This only works with resilient backup and restore concepts as well as business continuity and disaster recovery plans. All of this must be practiced with so-called "fire drills" and systematic "lessons learned" in order to further increase resilience.
The adoption of generative AI (GenAI), copilots, and AI services is accelerating innovation while simultaneously expanding the attack surface. Many companies are wondering: how can we use AI productively without compromising intellectual property, sensitive data, or compliance? At T-Systems, we use AI in our own security technologies – for example in SOC and MDR services, in the correlation of events, behavioral analysis, and in the automated derivation of countermeasures – to detect attacks more quickly, evaluate them more precisely, and stop them more effectively. The aim is to provide AI in a controlled, auditable, and regulatory-compliant environment – as an enabler of more efficient processes, better decisions, and new digital business models.
Conversations with customers and insights from professional events clearly highlight the key areas of focus:
1. 24/7 cyber defense + managed detection and response
Many companies are realizing that conventional perimeter security is no longer enough. They are specifically looking for services that continuously monitor and evaluate attacks and, ideally, automatically initiate the initial countermeasures. We position ourselves here with scalable SOC and MDR offerings that address both medium-sized and large organizations.
2. Secure and sovereign cloud and network architectures
Cloud use, location-independent working, and distributed locations require new approaches to network and access security. The focus is on architectures that are based on clear Zero Trust principles, enable secure access to applications, and at the same time meet regulatory requirements for data protection, data storage, and sovereignty.
3. Security for production and critical infrastructures
Especially in the industrial environment, there is growing pressure to better protect production plants and OT networks – not only against classic malware, but also against targeted manipulations that directly interfere with physical processes. To this end, T-Systems bundles IT and OT security know-how and thus addresses industries such as manufacturing, energy supply, transportation, and healthcare.
These focal points form the core of what is now considered "state of the art" cyber security: continuous monitoring, resilient architectures, and an integrated view of IT, OT, and business processes.
Regardless of the industry or the size of the company, some clear recommendations can be derived:
1. Start with a position assessment
Instead of immediately introducing individual products or tools, the first step should be a structured assessment: where do we stand along the NIST functions? Which systems, data, and processes are critical? What are the regulatory requirements?
2. Anchor security as a top priority
Cyber security is part of risk management and corporate management. Clear responsibilities, regular reporting to the management, and a coordinated approach with compliance, data protection, and specialist departments are crucial.
3. Switch from "we are safe" to "assume breach"
Attacks will take place – the question is how well prepared you are. Companies should assume that individual protective measures will be bypassed at some point and focus accordingly on rapid detection, structured response, and resilient recovery. Managed detection and response services are an essential component here.
4. Integrate security into digitalization and cloud projects
New applications, cloud migrations, or remote work concepts should have security architecture embedded from the outset. It is much more efficient to integrate security into the planning than to "build" it afterwards.
5. Establish continuous improvement
Security is not a project, but a process. Recurring assessments, penetration tests, awareness measures, and test exercises for incident response and recovery ensure that the security organization keeps pace with the threat situation and its own digitalization.
The major cyber attacks of 2025 show how quickly a technical incident can turn into an economic total loss. Those who still view cyber security primarily as a cost center underestimate the risk to revenue, reputation, and regulatory compliance.
Frameworks such as the NIST Cybersecurity Framework and ISO/IEC 27001 provide a clear structure for holistic security – from identification to protection and detection to response and recovery. This makes cyber security not only a mandatory program, but a central enabler for stable, trustworthy, and future-proof digitalization.