I was recently fortunate enough to hear Paul Abbott, the former Director of Knights of Old, discuss the insider perspective of the Knights of Old cyber-attack.
In mid-2023, Knights of Old, a 158-year-old UK logistics firm, was forced to cease operations after a devastating ransomware attack. Despite significant investment in IT infrastructure, certifications, and disaster recovery planning, the company was unable to recover. Consequently, over 700 employees lost their jobs.
This case serves as a stark reminder that cyber resilience is not solely an IT concern. It is a strategic risk that must be addressed at board level.
# What Happened
On 26 June 2023, the Akira ransomware group infiltrated the company’s systems using stolen credentials, reportedly obtained through weak password practices. Once inside, they encrypted critical systems, including logistics coordination and financial reporting tools.
Although the company held cyber insurance and invested over £100,000 annually in IT, the attack rendered essential financial data unusable. This prevented the business from invoicing, securing funding, or meeting lender obligations. By September 2023, the company had collapsed.
# What Was Done Well
Knights of Old had implemented several best practices:
- Ongoing investment in their IT infrastructure
- Cyber Essentials accreditation
- ISO 27001 certification
- A documented and tested Disaster Recovery (DR) plan
- A capable internal IT team supported by a Managed Service Provider
Despite these measures, the business was unable to continue operating.
# Where It Went Wrong
Cyber Risk Was Not a Boardroom Priority
Although technical controls were in place, cyber risk was not regularly discussed at board level. The business remained focused on operational delivery, rather than digital resilience.
Disaster Recovery Is Not the Same as Business Continuity
The company had a DR plan, but lacked a comprehensive Business Continuity Plan (BCP). As a result, critical functions such as invoicing and cash flow management could not continue during the outage.
A False Sense of Security
Certifications and insurance created a perception of preparedness. However, true resilience requires executive engagement, scenario planning, and alignment between technology and business operations.
# Strategic Lessons for Business Leaders
Make Cyber Risk a Standing Board Agenda Item
Boards should regularly review cyber threats, resilience strategies, and incident response capabilities.
Ensure Business Continuity Planning Goes Beyond IT
A Business Continuity Plan must address how the business will continue to operate during a disruption, including financial operations, customer communication, and supply chain continuity.
Test the Whole Business, Not Just the IT Team
Conduct cross-functional simulations involving finance, operations, and leadership. Ask the question: if systems failed today, how would we continue to operate?
Do Not Rely Solely on Insurance or Compliance
These are important, but they do not replace the need for real-time response capability and executive ownership of cyber risk.
# Final Thought
The collapse of Knights of Old was not due to a lack of investment in IT. It was the result of a disconnect between technology, leadership, and operational continuity. In today’s environment, every business is a digital business. Cyber resilience is not optional. It is essential for survival.