Cloud outages, messy AI rollouts and record-breaking cyberattacks made 2025 a stress test for everything we’ve centralised in tech. In this post, we unpack what really went wrong, who paid the price, and the uncomfortable lessons for your cloud, AI and cybersecurity strategy in 2026.
“All In on the Cloud” Meets Reality
2025 showed that – while cyberattacks can (and certainly are) the source of major outages, sometimes, a bug, software update or configuration change can be enough to bring down an entire platform. And then it’s often not just an issue of a single provider being affected, but other platforms failing because they have links to whichever provider – other than the below examples, a prime example was the case of CrowdStrike last year, causing a global IT outage.
Examples
- Google Cloud 12 June – cause: policy data with unintended blank fields causing crashes when the code path was exercised – with consequences for Spotify, Discord, Snapchat – among others.
- Azure – 28-29 October – cause: sequence of customer configuration changes resulting in incompatible configuration metadata – affected were companies such as Alaska Airline (website and essential systems offline), Heathrow Airport (downtime), Vodafone – it also affected Office 365 with effects for users worldwide.
- Cloudfare – 18 November – cause: change to database system permissions – with resulting unavailability of Canva, Zoom, X, and ChatGPT, among others.
- AWS – 20 October – cause: DNS error, affected over 1,000 companies and millions of internet users
The Cost of Monoculture
One has to ask the question: has a „cloud-first“ approach quietly become a „cloud-only, single-vendor“ one for many organisations?
By over-relying on one identity provider, one hyperscaler or one content delivery network, one outage is enough to disrupt your business to the point you can’t operate.
But it’s not just about that, it’s also about hidden dependencies - think everyone using the same DNS, same logging provider or the same AI foundation model.
What You Should Start Doing to Increase Resilience
If you want to be prepared for an eventual outage, here are some of our recommendations:
- Design for graceful degradation: That means in the event of an outage, core customer journeys will still work in read-only or degraded mode.
- Be multi-cloud or „poly-cloud“ by design – we’ve discussed the advantages and disadvantages in this blog post, but in a nutshell: you’re diversifying your risk with this strategy
- This one’s especially important: build offline and manual fallbacks for critical operations, especially if you operate in finance, healthcare, and public services (don’t be like Heathrow)
- Make vendor due diligence and exit planning (avoiding vendor lock-in) a top priority rather than procurement admin.
The magic term for businesses in 2026? Resilience.
Cybersecurity – From “If” to “How Badly and How Often”
Akira ransomware surge, January 2025
Akira was linked to 72 ransomware attacks globally in January alone, making it one of the most active groups at the start of the year. One of those victims was also 158-year-old transport business Knights of Old, as former director of the company, Paul Abbott, addressed in our webinar in October – which went into administration as a result – albeit already in 2023. It goes to show how quickly a single family of ransomware can dominate the threat landscape.
Major Retailers and Manufacturers Affected
This year both Marks & Spencer and Jaguar Land Rover were hit by serious ransomware-style attacks that exposed how fragile big UK brands are to cyber risk. In April 2025, M&S was crippled by a cyberattack that took its online operations down for more than three weeks, exposed some customer personal data (but not card details or passwords), and is estimated to have cost at least £30 million due to lost sales and other associated costs, with ongoing losses of around £15 million a week while systems were offline. In November, the company reported a statutory profit before tax of £3.4m for H1 2025 compared to the last year, a hefty 99% drop due to the associated costs of the attack. While the retailer also received a £100m cyber insurance payout, it’s only covered the costs of the attack so far.
In late August 2025, Jaguar Land Rover was then hit by an even larger attack that started on 31 August, forcing factory shutdowns in the UK and overseas for weeks, disrupting thousands of supply-chain jobs and being described as the most damaging cyberattack in British history, with a total economic impact of nearly 2 billion pounds, affecting not just JLR but its supply chain comprising 5,000 firms as well. The carmaker reported a £485m loss in November compared to a profit of £398m the previous year.
Local Government Under Fire: London Councils Attack, November 2025
It’s even more concerning from the angle of critical civic infrastructure being digital now.
Just recently, a coordinated cyber incident affecting three London borough councils (Kensington & Chelsea, Westminster, Hammersmith & Fulham), knocked out/degraded services such as telephony, forcing emergency protocols.
The Risks – Recap
Supply-chain and SaaS risk
Disruption for businesses wasn’t necessarily the result of cyberattacks. Instead, we saw the weakest link often being a software vendor, cloud provider or managed service causing disruptions.
Ransomware
According to the NSCS Annual Review 2025, ransomware presents one of the biggest cyberthreats as demonstrated by attacks on big retailers M&S and Co-Op. However, company size isn’t always the determining factor of who is chosen as the victim, as the ransomware attack on Peter Green Chilled, supplier of several UK supermarkets, showed.
Data Exfiltration as Default, not Exception
Breaches increasingly involve data theft before encryption, making “we paid so operations are back” an incomplete story. The true extent of data theft is often not clear until weeks or months later.
What Higher Cybersecurity Awareness Means in 2026
- Security reviews that question the concentration of risk (same cloud, same Identity Access Management (IAM), same Application Performance Management (APM), same AI platform
- Hold incident response exercises like regular fire drills
- Clear board-level accountability for cyber risk rather than outsourcing it to insurance or vendors
- Implement proactive threat monitoring in the form of a Security Operations Centre (SOC) to monitor your security stance 24/7.
- Managing systems, patching vulnerabilities and configuration-driven security issues is becoming more important than ever - ensure you keep on top of it.
AI – Beyond the Hype Cycle, Into Hard Trade-Offs
Frontier Models and an Arms Race
2025 saw an ongoing competition in large models: Google’s Gemini 2.5 Pro, OpenAI, Anthropic and others were battling for benchmark and adoption leadership.
Anthropic’s release of Claude Opus 4.5 in November 2025 was marketed as its most intelligent model yet, aimed directly at complex enterprise workflows and long-running agents, with huge chip purchase commitments behind it.
But what’s the reality? Are businesses actually picking up AI at the speed at which it’s seemingly taken over the entire technology sector?
Enterprise AI Adoption: From Experiments to Messy Reality
Surveys such as McKinsey’s 2025 State of AI and Wharton/WRITER’s adoption report show AI tools becoming commonplace, but most organisations are still struggling to scale them in ways that deliver material ROI. From our own customer conversations, we can say that the curiosity is there, but AI capabilities are unfortunately not quite up to par yet – and there’s definitely a need for training, too.
WRITER’s survey found 68% of C-suite leaders reporting that AI adoption has caused internal division as power shifts between IT, business units and employees.
This really is a controversial topic and highlights the need for a human-friendly approach to AI adoption. An example of what not do was when Klarna decided to replace 700 workers with AI but then started backpedalling after it led to deteriorated customer service.
Regulation Catches Up, Slowly and Inconsistently
Legislation has not kept up with the speed of AI development and implementation, which has become widely popular with ChatGPT’s launch in 2022, so we’re seeing some much-needed movement in that respect
The EU AI Act now has a defined implementation timeline, with full application slated for 2026 and a new “digital omnibus” proposal in late 2025 to streamline privacy, cyber, data and AI rules.
So, while we definitely see progress in terms of regulation, it’s at different speeds globally – this creates uncertainty for multinationals, especially in finance and healthcare. This also doesn’t address the cybersecurity risks associated with AI use.
Your Lessons for 2026 and How Not to Be the Next Headline
Re-diversify your technology risk
- Move from “single cloud, single region” thinking to architected redundancy – again, resilience is the key word.
- Question everything where the answer is “we standardised on [one vendor] because it was easier”.
- Treat AI like infrastructure rather than magic and as supportive technology rather than replacement.
- Demand clear unit economics and ROI for AI projects.
- Insist on model and vendor diversity where it matters, to avoid being locked into one AI ecosystem whose incentives you do not control.
- Use AI as assistive technology rather than replacement for staff.
- Assume breach, design for recovery.
- Shift mindset from “how do we stop attacks” to “how do we limit the blast radius and recover fast” – we recommend you subscribe to our newsletter, as that will be the focus for us at Innovate in the coming months
- Make vendor risk, SaaS dependencies and data residency part of cyber planning, not a legal footnote.
- Consider cyberattack/data leak risks when implementing AI tools and implement protection accordingly.
Some Last Thoughts
2025 was not an unlucky year. It was the logical outcome of a decade of convenience-driven centralisation. If you’re interested in assessing if you may be overcentralised or are looking for more diverse, resilient, and transparent digital foundations – get in touch.