The Heat is on. What 2025 Cyber Attacks in the UK Teach Us About Mainframe Security

Oct 21, 2025

Leanne Wilson is Senior Technical Delivery Manager/Senior Security Consultant at Vertali. With more than 13 years’ experience in mainframes, systems engineering and cyber security, Leanne leads Vertali’s mainframe technical delivery of security and infrastructure projects. Leanne is Conference Manager for GSE UK, an ISACA Certified Information Security Manager (CISM), and completed an MSc in Cyber Security in 2023.

Vertali’s Leanne Wilson reflects on a year of cyber attacks and what needs to happen now.

2025 was quite a year for cyber attacks. The UK in particular experienced a significant surge, with 43% of businesses reporting at least one incident and an astounding 91% of universities. 

As we unfortunately know, “The ripple effects of taking down larger institutions can be huge and far reaching”.

These attacks highlighted, yet again, the vulnerabilities in both private businesses and public sector institutions that can lead to significant financial losses, operational disruption, and reputational damage.

There is a misplaced confidence that mainframes are automatically secure because of their robust architecture and history. The hard reality? Mainframe security requires active management and layered controls to handle critical data safely.

A painful way to learn

We’d like to think cyber attacks are few and far between, or that they’re quickly and easily remedied. Not so, as these examples highlight:

  • The “devastating” attack on Jaguar Land Rover (JLR) in August 2025 halted production for weeks, with estimated weekly losses of GBP 50 million.
  • Earlier in 2025, retail giant Marks & Spencer experienced a sophisticated ransomware attack that compromised customer data and caused serious business disruption. Losses are estimated at more than GBP 400 million, making this “one of the costliest [such attacks] in UK retail history,” and wiping out at least one-third of the company’s annual profits.
  • After all that stress and uncertainty, perhaps a relaxing holiday would be in order? Unless you were trying to fly from one of the major European airports that were “thrown into chaos” in September after another attack. Frustrated passengers endured hours-long queues for check-in and boarding at Heathrow, Berlin, and Brussels.
  • And we also know that cyber attacks can have a very long tail. The Electoral Commission, the UK elections watchdog, admitted in September 2025 that it had taken the organization three years to recover from a hack in which the details of 40 million voters were accessed by Chinese cyber spies. 

The chief executive told the BBC, “The culture here has changed significantly,” adding that “it’s a very painful way to learn.”

I’m not suggesting that all these attacks involved mainframes. But in today’s interconnected, enterprise IT world, the mainframe isn’t special. It’s simply another server to be hacked.

Closing the reality gap in security

Many organizations simply don’t understand their systems in the ways they need to, not least their overall complexity. They have no real view of interconnectivity and what’s coming in and out of the network.

A gulf exists between perceptions of how secure and protected they are and the actual, provable reality of their security. We see this constantly.

I heard a story recently from a colleague who was chatting to a potential client in a financial institution about pen tests and security assessments. The CISO called in their mainframe director to ask when either task was last carried out. The answer? Never.

USS and them

There are many issues to consider. For example, as mainframes increasingly rely on UNIX System Services (USS) for modern workloads and integration with distributed systems, new security challenges have emerged.

USS provides a UNIX-like environment within z/OS, enabling greater flexibility, but also introducing potential vulnerabilities unfamiliar to traditional mainframe administrators.

A major concern is the shortage of skilled professionals who understand both traditional mainframe security principles (such as RACF and dataset permissions) and UNIX-based controls (like file permissions, user authorities, and network configurations). This skills gap can lead to misconfigurations, inconsistent security policies, and poor access control between the UNIX and mainframe environments.

Four ways to dial down the cyber attack heat

What can be done about all this? How can we turn down the heat and fire-proof our organizations? Here are four practical steps we can take to, we hope, avoid becoming the next Jaguar Land Rover or Marks & Spencer.

1. Conduct a security assessment

If you don’t know, you can’t manage – and you can’t take the steps necessary to secure your systems. So you need to take a look under the bonnet. For how long, and how detailed, is up to you.

Security assessments are a full check-up: a structured, holistic review of your systems and controls that reveals gaps and offers remediation plans.

2. Try to break in with pen testing

Pen tests are more focused. They are a real-world attack simulation that shows how far a bad actor can go by exploiting weaknesses like low-privileged user accounts.

In short, assessments show what’s in place; pen tests show whether it works. Both can be hugely valuable, but they answer different questions.

You can download a useful infographic on the Vertali security assessment page, and also listen to this 20-minute podcast with me talking about security assessments versus pen tests.

3. Know your network

Another approach is network discovery and micro-segmentation: properly understanding the traffic flowing into and out of your network. While mainframe sites usually have a reasonable view of who’s using applications at the userid level, many don’t have an accurate, up-to-date picture of network activity.

Understanding the network in real time means you can detect, monitor and, if necessary, enforce access and controls. You’re not only better protecting your systems, you’re also making it easier to comply with standards and regulations like PCI DSS.

You can find out more about Vertali’s approach in this two-minute video and at zTrust for Networks.

4. Use the Cyber Kill Chain

One final suggestion, for now, is using the Cyber Kill Chain to anticipate the threat and guide defence strategies. The kill chain stages define how attackers infiltrate and exploit. They include:

  1. Reconnaissance
  2. Weaponization
  3. Delivery
  4. Exploitation
  5. Installation
  6. Command and control
  7. Actions on Objectives

Each stage is distinct and actionable, enabling us to plan an appropriate response to mitigate the risks. For example, attackers use various methods to gather information, while mainframes themselves have unique vulnerabilities that can be exploited.

Reconnaissance on the mainframe might include:

  • Gathering intel on mainframe topology and users (“the lie of the land”).
  • Targeting compromised credentials, via phishing perhaps, as well as malicious insiders, and looking for misconfigurations.
  • Exploiting remote working and data held outside the data center, both of which increase exposure (nosing around for back doors and other unspotted vulnerabilities).

You apply the same type of thinking, looking afresh at the risks, to the other stages of the kill chain in terms of your defence, response and mitigation.

This can range from auditing configurations and enforcing compliance, to using specialist tools to monitor systems continuously and detect anomalies fast, adopting AI-driven behavioural analysis, or deploying early warning systems to flag unusual encryption or dataset access.
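As an added illustration of the “early warning” idea (not Vertali’s tooling or any product named on this page), the Python below builds a per-userid baseline from historical dataset access records and flags deviations in a current window: a never-seen data area, off-hours activity, an unknown userid, and an hourly volume spike of the kind a mass read or bulk encryption would produce. The record format, userids and dataset names are constructed for the example and are not real SMF records.

```python
# Added example, not Vertali's tooling: baseline-and-deviation check over dataset
# access records in a constructed format (not SMF): "YYYY-MM-DDTHH:MM userid DSN event".
from collections import Counter, defaultdict
from datetime import datetime

BASELINE_LOG = """\
2025-09-01T09:05 PAYUSR1 PROD.PAYROLL.MASTER READ
2025-09-02T10:12 PAYUSR1 PROD.PAYROLL.HIST UPDATE
"""  # constructed "normal" history: office hours, payroll datasets, 1 access per hour
CURRENT_LOG = """\
2025-10-20T02:14 PAYUSR1 PROD.PAYROLL.MASTER READ
2025-10-20T02:15 PAYUSR1 PROD.HR.EMPLOYEE READ
2025-10-20T02:16 PAYUSR1 PROD.HR.SALARY READ
2025-10-20T14:00 OPER99 SYS1.PARMLIB READ
"""  # constructed window: 02:00 activity, a never-seen HR area, 3x the hourly rate

def parse(text):  # constructed log text -> list of (datetime, userid, dsn, event)
    return [(datetime.fromisoformat(t), u, d, e) for t, u, d, e in map(str.split, text.splitlines())]

def area(dsn):  # first two qualifiers, e.g. PROD.PAYROLL: the unit a user normally works in
    return ".".join(dsn.split(".")[:2])

def build_baseline(records):
    """Per user: areas touched, active hours of day, peak accesses in any one hour."""
    base = defaultdict(lambda: {"areas": set(), "hours": set(), "peak": 0})
    hourly = Counter()
    for ts, user, dsn, _ in records:
        key = (user, ts.strftime("%Y-%m-%dT%H"))
        hourly[key] += 1
        base[user]["areas"].add(area(dsn))
        base[user]["hours"].add(ts.hour)
        base[user]["peak"] = max(base[user]["peak"], hourly[key])
    return dict(base)

def detect(records, base, spike_factor=2):
    """Flag unknown users, new dataset areas, off-hours use and hourly volume spikes."""
    alerts, hourly = set(), Counter()
    for ts, user, dsn, _ in records:
        hour = ts.strftime("%Y-%m-%dT%H")
        hourly[(user, hour)] += 1
        b = base.get(user)
        if b is None:                      # userid with no history at all
            alerts.add((user, "UNKNOWN_USER", dsn))
            continue
        if area(dsn) not in b["areas"]:    # move into a data area this user never touches
            alerts.add((user, "NEW_AREA", area(dsn)))
        if ts.hour not in b["hours"]:      # activity outside the user's usual hours
            alerts.add((user, "OFF_HOURS", hour))
        if hourly[(user, hour)] > spike_factor * b["peak"]:  # mass read or bulk encryption
            alerts.add((user, "VOLUME_SPIKE", hour))
    return sorted(alerts)
```

Run `detect(parse(CURRENT_LOG), build_baseline(parse(BASELINE_LOG)))` to see the four alerts for the constructed window; in practice the baseline would be built from weeks of real access records and the thresholds tuned per role.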

You close the circuit by keeping a close eye on what’s happening in your systems and security. You also make continuous improvements via ongoing security audits and assessments, pen testing, network monitoring, and working towards Zero Trust principles without compromise.

If you’re a CISO, it may be worth asking your mainframe team when your organization last carried out a pen test or security assessment.
