MITRE-Lite has two versions. You're reading the plain English edition — written for business owners, no technical knowledge needed. MITRE ATT&CK is the gold standard framework used by cybersecurity professionals worldwide. It's also highly technical by design. We built both versions so everyone in your business can act on the same intelligence. View Technical Version →
MITRE-Lite Plain English Edition ● Updated This Week

Who is targeting your business right now — and what do they want?

This page translates real, active cyber threat intelligence into plain English for UK business owners. No acronyms. No jargon. Just what you need to know and what you should do about it.

What is MITRE ATT&CK — and why does it matter to you?

MITRE is an American non-profit research organisation that works with governments and security agencies worldwide. Their ATT&CK framework is a constantly updated library of every known attack technique used by criminal groups and state-sponsored hackers — built from real incident data, not theory.

Think of it as a documented playbook of everything attackers do. When a criminal group successfully breaks into a bank, a hospital, or a business like yours, their methods get analysed and added to this library. Security professionals use it to understand what they're up against.

MITRE-Lite takes that intelligence and cuts it down to what actually matters for UK SMEs. You don't need to read a 500-page framework. You need to know who is active this week, what they're doing, and whether your business is at risk.

Last updated: 9 June 2026  ·  Week 24 / 2026  ·  Next update: 16 June 2026

Current Status

What is the threat level for UK businesses like yours?

Every week we assess the overall risk level for UK small businesses in financial services — insurance brokers, financial advisers, mortgage intermediaries, and professional services firms. This is based on real intelligence from the UK's National Cyber Security Centre (NCSC), US cyber agencies, and industry reporting.

█ Threat Level: Elevated

Attacks on UK financial services businesses are above normal levels this week

Seven criminal and state-sponsored groups are currently running active operations targeting UK businesses in your sector. Attacks involving fake payment requests, account takeover, and ransomware are all running at higher-than-normal frequency. This does not mean an attack on your specific business is imminent — but it does mean your defences are more likely to be tested than they would be in a quieter period.

What do the three levels mean?
Normal — background level of threat activity, no significant increase in targeting of your sector.
Elevated — active campaigns confirmed against UK businesses in your sector. Increased vigilance recommended.
High — significant coordinated threat activity. Specific sectors or business types being actively targeted at scale.
Most Urgent This Week

The most important thing your staff need to know right now

Each week we identify the single highest-risk attack technique that is seeing a spike in use against UK businesses. This week:

► Highest Risk This Week — Week 24 / 2026

The software your business trusts may already be compromised before you install it

The UK's National Cyber Security Centre issued an advisory this week on software supply chain attacks — and it is worth understanding what this means for your business.

A supply chain attack does not target you directly. Instead, attackers compromise software at its source — either at the company that makes it, or in one of the many smaller components that software is built from. When the software is then downloaded and installed by businesses like yours, the malicious code comes with it. You have done nothing wrong. You have downloaded a legitimate product from a legitimate source. But the product has been tampered with before it reached you.

This is exactly how the SolarWinds attack in 2020 compromised thousands of organisations worldwide, including US government agencies — through a routine software update that had been secretly poisoned. The same technique continues to be used today.

For most small businesses, the practical risk is not that your accounting software has been tampered with at source — it is that your IT provider, your cloud platform, or a third-party tool you use is itself running compromised software. You inherit their risk. If they are compromised, the attacker is already inside the tools you use every day.

What to do right now: Ask your IT provider or managed service provider whether they have reviewed their own software dependencies following the NCSC advisory published 4 June 2026. If they look blank, send them the link: ncsc.gov.uk/blogs/software-supply-chain-attacks-check-your-dependencies. The question alone tells you something important about how on top of this they are.
Also this week — Oracle WebLogic vulnerability: A serious security flaw has been confirmed in Oracle WebLogic Server (CVE-2024-21182) that allows attackers to access all data on affected servers without needing a username or password. If your business uses any Oracle-based software or cloud platforms, ask your IT provider whether WebLogic is in use and whether this has been patched. Most SMEs will not use WebLogic directly — but your software suppliers may.
Active Threats

Who is actively targeting UK businesses like yours?

These are confirmed, active criminal and state-sponsored groups currently running operations against UK financial services businesses. They are not hypothetical — these groups have successfully attacked businesses similar to yours in recent months.

State-sponsored — what does that mean? Some hacking groups are funded and directed by foreign governments — Russia, China, and Iran being the most active against UK businesses. Their goal is usually stealing information (business data, client records, communications) rather than quick financial gain. They are more patient and harder to detect than pure criminal groups. UK businesses are targeted not because they are interesting to a foreign government directly, but because they hold data about clients, transactions, or sectors those governments want to understand.
TA4903 — The Payment Fraudsters
Criminal group  ·  Business Email Compromise specialists
High Risk to You

This group specialises in one thing: intercepting payments. They break into a business email account — usually by phishing someone's password — then quietly read emails for days or weeks, learning how the business operates. When they see a payment being arranged — a solicitor's invoice, a supplier payment, a client refund — they step in at the right moment and change the bank account details to their own. The money lands in their account, not the intended recipient's. By the time anyone notices, it's gone.

Insurance brokers and financial services firms are their primary target because they handle client money, arrange regular payments, and deal with solicitors and other third parties who are also being impersonated.

What this could cost you: The average intercepted payment in UK professional services is £35,000–£90,000. Many cyber insurance policies cover this, but only where you can demonstrate basic controls were in place. Some businesses have lost over £200,000 in a single incident.
LockBit 3.0 Affiliates — The Ransomware Network
Criminal network  ·  Ransomware-as-a-Service
High Risk to You

LockBit is not a single group — it's a criminal franchise. The developers build and maintain the ransomware software, then rent it out to dozens of "affiliate" attackers who do the actual breaking-in. The affiliates keep most of the ransom money; LockBit takes a cut.

Ransomware means your files get encrypted — locked with a code only the attacker knows — and you cannot access anything: client records, accounts, emails, documents. You're handed a ransom demand, typically between £20,000 and £150,000, with a countdown timer. Pay, and you might get your files back. Don't pay, and your data may be published publicly.

SMEs are actively preferred targets because they typically have weaker defences than large corporations, but still have money and data worth holding to ransom.

What this could cost you: UK SMEs paid an average of £47,000 per ransomware incident in 2025. Recovery typically takes 3–4 weeks even after paying. The reputational damage from client data being published publicly is separate and harder to quantify.
Scattered Spider — The Social Engineers
Criminal group  ·  Identity theft and account takeover
High Risk to You

Scattered Spider are unusually effective because they don't rely heavily on technical hacking — they manipulate people. They are known to call IT helpdesks pretending to be a staff member who has been locked out, convincing support teams to reset passwords and bypass security checks. They also use SIM swapping — convincing a mobile network to transfer someone's phone number to a SIM card they control, giving them access to SMS-based login codes.

Once they have account access, they move quickly to steal data, set up persistent access, and often deploy ransomware from other groups as a final step.

What this could cost you: Full account takeover typically leads to data theft, ransomware, or both. The combination can result in regulatory investigation (ICO), client notification obligations, and claims against your professional indemnity insurance.
ALPHV / BlackCat — Ransomware with a Twist
Criminal group  ·  Ransomware with data theft threat
Medium Risk to You

Similar to LockBit but with an additional pressure tactic — before encrypting your files, they first steal a copy of your data. This means even if you have backups and refuse to pay the ransom, they threaten to publish your client data, financial records, or confidential communications publicly unless you pay.

They target professional services firms specifically because client confidentiality is a regulatory requirement — making the threat of publication particularly damaging.

What this could cost you: A data publication event affecting client records could trigger ICO investigation and fines under UK GDPR, plus FCA scrutiny if you are regulated. The reputational cost with clients is immediate.
APT29 / Cozy Bear — Russian State Intelligence
Russian government-backed  ·  Long-term data theft
Medium Risk to You

This group works for Russian foreign intelligence (SVR). They are sophisticated, patient, and specifically interested in financial sector data — transaction information, client lists, business communications, and anything that gives Russia economic intelligence about UK businesses and their clients.

They typically enter through carefully crafted phishing emails that look completely legitimate, then sit quietly inside a network for weeks or months gathering information before they're detected — if they're ever detected at all. The goal is intelligence gathering, not financial theft.

What this could cost you: You may not know they've been in your systems. The risk is the data they take — client information, deal details, communications — being used by a hostile foreign government, or sold on.
MuddyWater — Iranian Intelligence
Iranian government-backed  ·  Espionage and disruption
Medium Risk to You

Linked to Iran's Ministry of Intelligence, MuddyWater targets professional services and financial firms primarily through phishing emails and by exploiting known security weaknesses in popular business software. Their goals are a mix of intelligence gathering and causing disruption to UK and Western business operations.

What this could cost you: Data theft and potential system disruption. The risk level for individual SMEs is lower than the criminal groups above, but activity has increased against UK financial services this quarter.
APT40 — Chinese State Intelligence
Chinese government-backed  ·  Financial data and IP theft
Medium Risk to You

Linked to China's Ministry of State Security. APT40 focuses on stealing financial data and business intelligence. They primarily get in through unpatched software on internet-facing systems — VPNs, firewalls, and web applications that haven't been updated. Once in, they move systematically through the network looking for valuable data.

What this could cost you: Primarily a data theft risk. Client financial records, business strategy documents, and communications are the typical targets.
How Attacks Work

How does a cyber attack actually unfold?

Most people imagine a cyber attack as a sudden dramatic event — a hacker hammering at a keyboard and then everything goes dark. The reality is more like a quiet burglary. Here is what actually happens, step by step, in most attacks on businesses like yours.

Step 1 — How They Get In
Finding an unlocked door

Attackers don't usually "break in" dramatically — they find something that's already open. The three most common entry points are: a phishing email that tricks someone into entering their password on a fake website; software on your systems that hasn't been updated and has a known security hole; or a password that was stolen in a previous data breach somewhere else and is still being used.

Real example: A staff member receives an email that looks like a Microsoft 365 login expiry notice. They click the link, enter their username and password on what looks like the Microsoft login page — but isn't. The attacker now has their credentials.
Defence: Staff training on phishing, multi-factor authentication, regular software updates
Step 2 — What They Do Once Inside
Looking around quietly

Once in, most attackers don't immediately do anything visible. They explore — looking at what files exist, what systems are connected, who has what level of access, and what data is valuable. They may try to gain higher levels of access — moving from a junior staff member's account towards an administrator account that can access everything. This phase can last days, weeks, or even months.

Real example: Having accessed an accounts team member's email, the attacker reads months of emails to understand payment processes, supplier relationships, and upcoming transactions. They're waiting for the right moment.
Defence: Monitoring for unusual login behaviour, limiting who has access to what, endpoint protection software
Step 3 — Making Sure They Can Come Back
Installing a back door

Many attackers create a secondary way back in — a hidden account, a remote access tool, or a piece of software that gives them a persistent foothold. This means that even if you change the password that was compromised, they may still have access. It's the equivalent of a burglar making a copy of your key before leaving.

Real example: Before deploying ransomware, an attacker creates a new hidden administrator account on your systems. You remove the ransomware and think the incident is over — but they still have access and return six months later.
Defence: Thorough incident response — not just removing malware but auditing all accounts and access, GET-IT post-incident review
Step 4 — The Damage
What they came for

The final stage depends on who the attacker is and what they want. Criminal groups typically either deploy ransomware (locking you out of everything and demanding payment), commit financial fraud (intercepting payments or making fraudulent transactions), or steal and sell your data. State-sponsored groups usually take data quietly without ever revealing they were there.

Real example: Having monitored emails for three weeks, the attacker intercepts a message from your firm to a client about a £60,000 investment transfer. They send a follow-up email from your address with updated bank details. The client transfers the money to the attacker's account.
Defence: Payment verification procedures, staff awareness, cyber insurance with BEC cover
Potential Impact

What do they actually want — and what does it cost?

Understanding the attacker's goal helps you understand what you're protecting against. These are the three primary outcomes attackers are working towards when they target UK financial services SMEs.

🔒
Ransomware — Lock Everything and Demand Payment

All your files, emails, and systems are encrypted. You cannot access anything. A ransom demand arrives — typically between £20,000 and £150,000 — with a deadline. Even if you pay, recovery is not guaranteed. Even if you have backups, restoring everything takes weeks.

Average UK SME cost: £47,000 ransom + £28,000 recovery costs + 3–4 weeks downtime
💰
Business Email Compromise — Steal a Payment

An attacker with access to your email intercepts a payment at the right moment, swapping legitimate bank details for their own. The money arrives in their account. Bank reversals succeed in fewer than 40% of cases. This is the number one financial loss vector for UK financial services SMEs.

Average intercepted payment: £35,000–£90,000. Some cases exceed £500,000.
📄
Data Theft — Steal and Threaten to Publish

Client records, financial data, confidential communications, and personal information are copied and taken. The attacker either sells this data, uses it for further fraud, or threatens to publish it unless you pay. Publishing client data may trigger ICO investigation and FCA scrutiny.

ICO fines up to 4% of global turnover under UK GDPR. Reputational damage is immediate and lasting.
What GET-IT Covers

What does GET-IT protect you against — and what doesn't it cover?

No security provider covers everything — and we think it's important to be honest about that. Here is a plain English summary of what the GET-IT stack addresses, where it partially helps, and where there are genuine gaps that we would want to discuss with you.

Phishing email detection and filtering
We can significantly reduce the number of malicious emails that reach your staff's inboxes, and identify links to fake login pages before they're clicked. This addresses the most common entry point for attacks on your type of business.
Ransomware detection and response
Our endpoint protection software detects ransomware behaviour before it can encrypt all your files, and can isolate affected devices to stop the spread. Combined with tested backups, this is the primary defence against LockBit and ALPHV.
Stolen credential alerts
We monitor whether your business email addresses appear in known breach databases. If a staff member's password has been stolen and is being traded by criminals, we alert you before it's used against you.
Suspicious login monitoring
We monitor for unusual login patterns — a staff member logging in from an unexpected country, at 3am, or from two locations at the same time. These are classic signs that an account has been compromised.
MFA fatigue attacks — partial cover
We can implement number-matching MFA (where you must type a code shown on screen rather than just tap Approve) which eliminates push-bombing as an attack vector. However, this requires your existing MFA setup to support it — and staff briefing is essential regardless. Technology alone doesn't solve this one.
Business email compromise prevention — partial cover
We can implement email authentication controls (SPF, DKIM, DMARC) that make it significantly harder for attackers to impersonate your domain. However, if an attacker has actually broken into a legitimate email account, no technical control prevents them from sending genuine-looking emails from inside it. Payment verification procedures and staff awareness are the essential second layer here.
Data exfiltration via cloud services — current gap
If an attacker copies your files out through Microsoft OneDrive, SharePoint, or Google Drive, this traffic looks identical to normal business use and is extremely difficult to detect without specialist cloud access monitoring tools. This is an honest gap in the current stack — and one worth discussing if you handle large volumes of sensitive client data.
Insider spread via internal email — current gap
Once an attacker controls a legitimate email account inside your business, the emails they send to your colleagues look completely real — because they are coming from a real account. Technical filtering cannot reliably catch this. The defence is staff awareness: understanding that an unexpected request from a colleague's email address, especially involving money or access, should always be verified by phone before acting on it.
Intelligence Sources

Where does this intelligence come from?

MITRE-Lite draws on three public intelligence sources, all updated regularly by government cybersecurity agencies. We filter and translate them so you don't have to read them yourself.

1
Active NCSC UK advisory this week

The UK's National Cyber Security Centre →
The UK government's official cybersecurity agency. Their advisories are the most authoritative source of threat intelligence for UK businesses.
1
Software vulnerability actively being exploited

CISA Known Exploited Vulnerabilities →
The US cybersecurity agency's list of software security holes with confirmed evidence of active criminal exploitation. Many affect software your business uses every day.
↑34%
Rise in BEC attacks on insurance brokers YoY

FCA ScamSmart →
The Financial Conduct Authority's fraud intelligence. Directly relevant to regulated firms and their clients.
Action This Week

Three things you should do this week

Based on the current threat picture, these are the three highest-value actions for a UK financial services business right now. You do not need a technical background to do any of them.

1
Ask your IT provider one simple question about their software supply chain

Contact whoever manages your IT — whether that is an in-house person, a managed service provider, or an IT support company — and ask: "Have you reviewed your own software dependencies following the NCSC supply chain advisory published this week?" You do not need to understand what that means in detail. The point is to see whether they are on top of it. If they are not aware of the advisory, that is important information. A good IT provider will have already seen it and be able to tell you what action they have taken. Send them the link if needed: ncsc.gov.uk/blogs/software-supply-chain-attacks-check-your-dependencies

Why now: NCSC published a specific advisory on 4 June 2026 on software supply chain attacks. The risk to SMEs is primarily inherited through IT providers and third-party software tools rather than direct targeting.

2
Make a list of every piece of software your business depends on — and who supports it

Most small businesses cannot immediately answer the question: "If your accounts software stopped working tomorrow, who would you call?" Or your client management system. Or your email. A supply chain attack can take out any of these silently and without warning. Knowing what you have, who is responsible for keeping it updated, and what you would do if it were compromised is the foundation of any recovery plan. This does not need to be a formal document — a simple list in a spreadsheet is enough. Name the software, name the supplier, name your IT contact for each one.

Why now: Supply chain attacks specifically target the tools businesses rely on most. Knowing your dependencies is the first step to assessing your exposure.

3
Verify your payment process has a second check for changed bank details

This remains the single most effective procedural defence against business email compromise — which continues to run at elevated levels against UK financial services firms. Any request to change a bank account — from a supplier, a client, a solicitor, or even internally — should require verbal confirmation via a phone number you already have on record. Not a reply email. Not a call to a number in the same email. A call to the number you already have. Many businesses believe their staff do this already. Most do not have it written down as a formal procedure — which means it does not happen consistently under pressure.

Why now: BEC attacks on insurance brokers remain at elevated levels. TA4903 continue to run active operations against UK financial services firms. This procedure costs nothing and can prevent a five or six-figure loss.

Want to know how exposed your business actually is?

A GET-IT resilience scan maps your current defences against the active threat techniques on this page and tells you exactly where your gaps are — in plain English, with costs to fix them.

Book a Free Resilience Scan → View Technical Version