Known Systems. Hidden Risks. | Episode 4 - Cyber Frameworks: The Rules That Already Apply to Your Network
By Luke, Co-Founder and Technology Leader, CMC Consultancy Partnership
Introduction
Most organisations in the security and entertainment sectors have heard the word "framework." Few have applied one.
This is not a compliance problem. It is a knowledge gap - and an increasingly expensive one.
In April 2025, Marks & Spencer lost an estimated £300 million in profit following a ransomware attack that shut down online shopping for nearly seven weeks. Four months later, Jaguar Land Rover - the UK's largest car manufacturer - suffered what has since been described as the most economically damaging cyberattack in British history. Production at its Halewood and Solihull plants was halted. Global IT systems were taken offline. The estimated cost to the UK economy: £1.9 billion.
Neither attack exploited an obscure vulnerability in specialist software. Neither required sophisticated technical capability. Both exploited the gap between what organisations assumed was secure and what was actually controlled.
Cyber frameworks exist precisely to close that gap. They do not prevent every attack. They create the structure that makes organisations harder to compromise, faster to detect, and capable of recovering. They are not bureaucratic exercises. They are the closest thing the industry has to an agreed standard for what good looks like.
The question is not whether these frameworks are relevant to your sector. They are. The question is whether the systems you design, install, and operate can demonstrate that relevance - and what happens when they cannot.
What Happened at M&S - And Why It Matters Beyond Retail
The Marks & Spencer breach began not with a technical exploit, but with a phone call.
Attackers impersonated an M&S employee and contacted a third-party service desk provider. The vendor, unaware of the deception, reset the account credentials on request. That single procedural failure gave the attackers their entry point.
From there, they moved laterally across connected systems, escalating privileges until they had the access they needed. In April 2025, DragonForce ransomware was deployed across M&S's VMware ESXi servers, encrypting the virtual machines that powered e-commerce, payment processing, and logistics. Online shopping was suspended. Contactless payments went down. Food halls ran short. Staff were unable to clock in and out. Suppliers reverted to pen and paper.
M&S's market valuation dropped by nearly £700 million in the aftermath.
The lesson for every sector is the same one that M&S learned publicly: technical security controls only protect the boundaries they cover. When those boundaries include third parties, supply chain partners, and shared systems - as they do in almost every integrated security or AV deployment - the perimeter is only as strong as its weakest procedural link.
Against any recognised cyber framework, what M&S experienced is not an edge case. It is a foreseeable failure mode. Frameworks explicitly address access management, third-party risk, identity verification, and lateral movement containment. The controls exist. The question is whether they were implemented.
What Happened at JLR - And Why Manufacturing Is Not a Special Case
In August 2025, Jaguar Land Rover detected unusual activity across its systems and shut down production at its UK plants.
By 2 September, the company confirmed that IT systems were offline globally. The Halewood and Solihull facilities fell silent. Dealers could not register or deliver vehicles. The attack coincided with the UK's New Plate Day - one of the most commercially critical dates in the automotive calendar - compounding financial losses significantly.
The economic damage, estimated at £1.9 billion by the Cyber Monitoring Centre, did not arise primarily from data theft. It arose from operational disruption. Production stopped. Supply chains stalled. Revenue ceased.
JLR is a highly sophisticated organisation. It employs over 30,000 people and manufactures 300,000 vehicles annually. It has IT departments, security teams, and the resources to invest in protection. None of that prevented the attack.
The Cyber Monitoring Centre's assessment was direct in its conclusion: operational disruption now represents the highest-impact category of cyber risk for most businesses. Data breaches get the headlines. System shutdowns cause the damage.
For organisations in the security and entertainment sectors, this framing is important. The systems being deployed - access control platforms, networked surveillance, integrated AV, building management - are operational infrastructure. When they are compromised, it is not data that is at immediate risk. It is function. And in a live event, a retail environment, a critical facility, or a high-security building, loss of function has immediate, visible, and costly consequences.
Why the Security Industry Is Exposed
Physical security systems - access control, video surveillance, intruder detection, biometric readers - have traditionally been assessed on operational performance. Does the camera see what it needs to? Does the door open when it should?
Cybersecurity has been secondary. In many cases, it has been absent.
This is changing, but at different paces across sectors and industries.
Modern security systems are networked. They run on IP infrastructure. They communicate over protocols that were designed for interoperability, not isolation. They are managed remotely, updated over the internet, and increasingly integrated with building management and IT systems.
That is no longer a physical security product. That is an IT asset with physical consequences.
The vulnerabilities are consistent across deployments:
• Default credentials left unchanged after installation
• Flat networks with no segmentation between security and general IT
• Devices exposed directly to the internet without access controls
• No monitoring for anomalous behaviour
• Firmware left unpatched for months or years
Against any recognised framework, these are not acceptable configurations. They represent identifiable, documented failures at the most fundamental level - failures that create real exposure for the organisations relying on these systems.
The attack on M&S did not begin with the ransomware deployment. It began months earlier, with reconnaissance and credential theft that went undetected. The same pattern applies to a poorly configured access control network. Visibility is the precondition for everything else. Most security deployments do not have it.
Why the Entertainment Industry Has the Same Problem
Professional audio and entertainment technology has followed the same trajectory as physical security - networked infrastructure managed with analogue-era assumptions.
Dante, AES67, AVB/MILAN, NDI. Powerful protocols that enable remarkable deployments. None of them were designed with adversarial conditions in mind.
A live event audio network running across an unmanaged switch on a flat Ethernet segment is not simply a technical limitation. Against any recognised framework, it fails at the most fundamental level: there is no boundary, no access control, and no visibility.
In live performance environments this creates operational risk. In permanent installations - theatres, stadia, conference centres, houses of worship - it creates long-term exposure that compounds over time.
The JLR attack is instructive here. The disruption to production lines did not require attackers to understand how cars are made. It required access to the systems that coordinated the process. The same principle applies to a networked audio or AV installation. An attacker does not need to understand the technology. They need access to the network it sits on.
The entertainment sector has historically been outside the scope of formal cybersecurity regulation. That position is becoming harder to sustain as infrastructure converges and end users begin asking questions that integrators struggle to answer.
What a Cyber Framework Actually Requires
The language of frameworks can obscure their practical demands. The major standards each take a different approach, but the operational requirements converge:
NIST Cybersecurity Framework (CSF 2.0) - Six core functions: Govern, Identify, Protect, Detect, Respond, Recover. The Govern function, added in version 2.0, reflects what both M&S and JLR lacked: cybersecurity as a board-level organisational discipline, not an IT department task.
ISO/IEC 27001 - The international standard for information security management. Increasingly required for enterprise and public sector contracts. Certification-capable, and a meaningful differentiator in competitive tender processes.
Cyber Essentials - UK Government-backed. Five technical controls. A genuine baseline, not a ceiling - but meaningful for SMEs and supply chain qualification. Several of the controls that would have limited the M&S attack are within its scope.
IEC 62443 - Specifically developed for operational technology and industrial control systems. Directly applicable to building management, integrated security platforms, and any environment where physical and digital systems converge. The most relevant standard for the sector, and the least widely understood.
NCSC Guidance - The UK's National Cyber Security Centre publishes sector-specific guidance that forms the practical foundation for compliance in UK-based deployments. Increasingly referenced in procurement and contract requirements.
Zero Trust - Zero Trust is not a product. It is an architectural principle - and an increasingly unavoidable one. The premise is straightforward: no device, user, or system is trusted by default, regardless of whether it sits inside or outside the network boundary. Access is granted on verification, not assumption.
For environments where AV, security, and building management systems share infrastructure with corporate IT — which describes most modern integrated deployments — Zero Trust is no longer a theoretical aspiration. It is becoming a procurement expectation, and in some sectors, a contractual requirement.
Stripped back, what each framework demands is consistent:
• Know what is on your network - every device, every connection, every data flow
• Apply controls appropriate to the risk - segmentation, access management, hardened configurations
• Monitor for anomalous behaviour - logging, alerting, visibility into what is actually happening
• Have a tested plan for when something goes wrong - roles, responsibilities, escalation
• Be able to restore normal operation without compounding the damage
Most systems in the field today cannot satisfy the first requirement. The remainder follow from it.
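As an added illustration (not part of this article and not CMC's assessment tooling), the Python below audits a constructed inventory of three hypothetical devices against the five field configurations listed earlier and tallies each finding under the NIST CSF function whose controls it breaches. The corporate subnet, the factory credential pairs, the assessment date and the twelve-month firmware threshold are all assumptions.

```python
import ipaddress
from collections import Counter
from datetime import date

# Constructed sample inventory for a hypothetical integrated site (not real devices).
INVENTORY = [
    {"name": "cam-lobby-01", "ip": "192.168.1.50", "username": "admin", "password": "admin",
     "firmware_date": "2023-06-15", "internet_exposed": False, "syslog": False},
    {"name": "dante-switch-stage", "ip": "10.20.0.2", "username": "admin", "password": "Sta9e!Ctrl-2025",
     "firmware_date": "2025-08-20", "internet_exposed": True, "syslog": True},
    {"name": "acs-controller-01", "ip": "10.20.0.10", "username": "svc_acs", "password": "k7#Qp2!vLm9$Rz",
     "firmware_date": "2025-04-10", "internet_exposed": False, "syslog": True},
]
# Assumed site facts: the general IT subnet, a few common factory credential pairs, a review date.
CORPORATE_NETWORKS = [ipaddress.ip_network("192.168.1.0/24")]
DEFAULT_CREDENTIALS = {("admin", "admin"), ("admin", ""), ("admin", "1234"), ("root", "root")}
FIRMWARE_MAX_AGE_DAYS = 365
ASSESSMENT_DATE = date(2025, 10, 1)

# Each finding mapped to the NIST CSF 2.0 function whose controls it violates.
CSF_FUNCTION = {
    "default-credentials": "Protect", "no-segmentation": "Protect", "internet-exposed": "Protect",
    "no-monitoring": "Detect", "unpatched-firmware": "Protect",
}

def audit_device(dev, today):
    """Return the list of field failures present on one device."""
    findings = []
    addr = ipaddress.ip_address(dev["ip"])
    if (dev["username"], dev["password"]) in DEFAULT_CREDENTIALS:
        findings.append("default-credentials")
    if any(addr in net for net in CORPORATE_NETWORKS):      # security device on the general IT segment
        findings.append("no-segmentation")
    if dev["internet_exposed"] or not addr.is_private:       # reachable from outside the site
        findings.append("internet-exposed")
    if not dev["syslog"]:                                    # nothing would see anomalous behaviour
        findings.append("no-monitoring")
    age_days = (today - date.fromisoformat(dev["firmware_date"])).days
    if age_days > FIRMWARE_MAX_AGE_DAYS:
        findings.append("unpatched-firmware")
    return findings

def audit(inventory, today):
    """Map device name -> findings; a device with an empty list meets the baseline."""
    return {dev["name"]: audit_device(dev, today) for dev in inventory}

def csf_summary(report):
    """Count findings per NIST CSF function across the whole report."""
    return dict(Counter(CSF_FUNCTION[f] for findings in report.values() for f in findings))
```

Calling `audit(INVENTORY, ASSESSMENT_DATE)` flags the lobby camera on four of the five points and the stage switch only for its exposed management interface, which is the "know what is on your network" reading the first requirement asks for.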
The Legislation Is Moving
The UK Cyber Security and Resilience Bill is currently progressing through Parliament.
It represents a significant expansion of the Network and Information Systems regulations, bringing more sectors and more organisations within scope of enforceable cybersecurity requirements. Proposed penalties reach £17 million or 4% of global annual turnover for serious breaches.
M&S and JLR have provided Parliament with case studies it did not need to construct theoretically. Both attacks occurred in the twelve months prior to the Bill's progression. Both affected critical UK economic infrastructure. Both are already informing the political context in which the legislation is being debated.
The practical effect for the security and entertainment sectors is still being assessed. But the direction of travel is unambiguous. Organisations that operate networked infrastructure - and those who supply, install, and maintain it - will face increasing scrutiny. Frameworks are how you demonstrate that you took that seriously before something went wrong.
The Gap Between Intent and Implementation
Frameworks are not self-executing. Purchasing a product that claims compliance does not make a deployment compliant.
A camera manufacturer can certify their device against a given standard. The moment that device is installed on a flat network with default credentials and no monitoring, the certification is irrelevant. The risk exists regardless of what the box said.
This is the gap that matters - not the paperwork, not the product specification, but the actual configuration of the actual network in the actual building.
M&S had IT teams, security vendors, and third-party service providers. JLR had more than 30,000 employees and the resources of a global manufacturer. Neither the scale of their operations nor the sophistication of their procurement protected them when procedural controls failed and network boundaries were insufficient.
Most organisations in both sectors have no independent visibility of that gap. They are reliant on the same integrators who created the configuration to confirm whether it is secure. That is not assurance. It is assumption.
You Are Not Alone in This
The complexity is real. The security and entertainment industries are not staffed with cybersecurity professionals - they are staffed with people who are very good at audio, video, physical security, and systems integration. The expectation that those same individuals should also hold detailed knowledge of network segmentation, access control auditing, and framework compliance is not reasonable.
What is reasonable is recognising that the gap exists, and that independent expertise is available to help close it.
The same principle applies at every scale. A small integrator working with a single site faces exactly the same framework requirements as a large estate manager overseeing a national portfolio. The exposure is proportional. The controls are the same.
Independent assessment - of what is on a network, how it is configured, and whether it meets the standards that clients, insurers, and regulators are increasingly applying - is not a luxury. It is the starting point for any defensible position.
Conclusion
The M&S and JLR attacks are not cautionary tales from a different world. They are recent, domestic, well-documented examples of what happens when the gap between assumed security and actual security is left open long enough for someone to walk through it.
For the security and entertainment industries, the same gap exists. The infrastructure is networked. The protocols are discoverable. The configurations are often default. The monitoring is frequently absent.
Cyber frameworks provide the map. Assessment provides the honest reading of where you currently sit against it. And the organisations that begin that process before something goes wrong are in a significantly stronger position - commercially, operationally, and legally - than those who wait.
If you are not certain where your systems currently stand, that uncertainty is the answer.
The gap between what M&S assumed was controlled and what was actually controlled cost them £300 million and seven weeks of trading. The same gap exists across most networked security and entertainment deployments today. The difference is that theirs became public. CMC provides the independent assessment that tells you honestly where you stand - before someone else finds out first.