Security Falls on Deaf Ears

S. Schuchart

Jaguar Land Rover, the iconic British car manufacturer, has had virtually no production in its plants since the end of August 2025. A devastating cyberattack shut the company down – details on how the attack happened, who initiated it, and why it so thoroughly shut down Jaguar Land Rover have not been released to date. The postmortem will be an interesting read, more so to find out how much of the effect of this cyberattack was Jaguar Land Rover’s fault. No, this isn’t indulgent victim-blaming, and right now there is no proof that Jaguar Land Rover was anything but diligent. But the length of the shutdown and the secrecy do arouse suspicions. Under principles of good business continuity and disaster recovery, Jaguar Land Rover should have been at least somewhat back in production by now. But analysis will really have to wait until details emerge.

This does highlight an issue that most organizations struggle with. Cybersecurity, disaster recovery, and business continuity are preventative – they shouldn’t be noticed unless they are needed… or if they didn’t work. It’s hard to get satisfaction from creating business continuity/disaster recovery (BC/DR) systems that you may never get to actually use. Security has a much higher profile… but ‘everything is running smoothly’ doesn’t often gain accolades.

Cybersecurity, and especially BC/DR, are often pressured to compromise: for finance, for convenience, and because neither function will ever make money for the organization. Often there is a push to compare cybersecurity and BC/DR to an automotive or homeowner’s insurance policy, on the grounds that they offer peace of mind. There is a better way to think about it. Think of cybersecurity and BC/DR the way law enforcement thinks about bomb squad units. Bomb squad units get all the training and practice they want. Bomb squad units are encouraged to get the latest training, learn the latest advances, and keep their equipment as up to date as possible. Nobody thinks that the bomb squad has it easy when they render an explosive safe, or when, in the best of times, they are not called on. Nobody suggests that the bomb squad do more with less, because the consequences are so extreme, both for the bomb squad and for the law enforcement organization.

Budget holders need to start viewing cybersecurity, BC/DR, and BC/DR testing like the bomb squad. Yes, they provide peace of mind. But what they really provide is protection from extreme consequences. Nobody wants the organization in every major news outlet for having been knocked offline for a month. Nobody wants to have to create the postmortem and present it to the board and likely to various government officials, insurance executives, investor representatives and lawyers. Let’s not let this plea to take cybersecurity and BC/DR seriously fall on deaf ears like it has in the past.
