When I was a child, my dad kept an aquarium. It was his geeky hobby, and I'm grateful he had it because it normalised having my own obsessions - including my own aquarium and other interests that eventually merged into my career. One aspect of fishkeeping in the UK was travelling the country looking for good aquarium shops. Fishkeeping occupies an odd space: not popular enough for superstores on every industrial estate, but not so obscure it's online-only. There are brilliant independent shops with distinct specialities, characters, and geeky charm.
We'd often spend weekends on family road trips to different fish shops, and I loved it. One thing that's stuck with me from those journeys were these specific lorries you'd see on the motorways and A-roads - massive things with distinctive deep blue liveries and "Knights of Old" emblazoned along the sides in huge gold letters. They were everywhere, a constant presence on Britain's roads using the same routes we were, covering far greater distances.
They're gone now. All of them. And it happened because someone guessed a password.
A 158-Year Timeline Cut Short
In 1865, Knights of Old started with a single horse and cart. For over a century and a half, the company adapted and endured, surviving world wars, economic depressions, and technological revolutions. By 2023, it operated as part of KNP Logistics Group, running 500 trucks across the UK and employing over 700 people.
In June 2023, the Akira ransomware group gained access to KNP's systems. They didn't use a sophisticated phishing campaign or exploit a zero-day vulnerability. They simply guessed an employee's password on an internet-facing system that lacked multi-factor authentication.
Once inside, the attackers deployed ransomware across the company's entire digital infrastructure. They encrypted critical business data and destroyed the backups and disaster recovery systems, ensuring no path to recovery without paying their estimated £5 million ransom - money the transport company didn't have.
By September 2023, KNP entered administration. Seven hundred people lost their jobs. A company that had survived 158 years disappeared in a matter of weeks.
We're All on the Frontlines Now
In physical warfare, nations mobilise armies, deploy resources, and wage campaigns. Individual businesses aren't on the frontlines unless they're directly involved in defence or caught in a conflict zone. The civilian economy operates behind those lines, protected by national defence infrastructure.
Cyber warfare operates differently. Nation-states conduct cyber operations alongside their physical campaigns, but they're joined by organised criminal groups, political activists, and even bored individuals with technical skills. There are no frontlines in the traditional sense, no safe distance from the battlefield.
In 2025, every single business - from solo entrepreneurs to multinational corporations - is expected to harden their systems against organised, funded adversaries. The threat doesn't scale with your size. A logistics company in Northamptonshire faces the same ransomware groups that target international banks. The tools are democratised, the barriers to entry are low, and the potential payouts make every business a viable target.
This isn't hyperbole. Government surveys estimate that 19,000 UK businesses suffered ransomware attacks in 2024 alone. The victims span every size and sector - from high-profile retailers like M&S, Co-op, and Harrods to one of the UK's largest privately-owned logistics firms. If you're thinking "surely we're safe," remember that KNP survived two world wars but couldn't survive a cyber war.
How to Avoid KNP's Fate
The collapse of KNP wasn't inevitable. A handful of practical measures, implemented properly, would have prevented the catastrophic cascade that destroyed the company. These aren't theoretical best practices - they're concrete steps that any organisation can take.
Passwords: Beyond "Make Them Strong"
The National Cyber Security Centre's guidance on passwords has evolved significantly. The old advice about complex passwords with symbols and numbers created a system where people wrote down "P@ssw0rd123" and thought they were secure. The new guidance is more practical and, surprisingly, more permissive.
Yes, you can write passwords down now. A strong password in the back of a notebook is genuinely better than a weak password you've memorised. The NCSC specifically recommends this for passwords you don't use regularly. The threat model has shifted: physical access to your notebook is far less likely than remote credential attacks.
But the better solution is a password manager. These tools generate and store complex, unique passwords for every service, protected behind a single strong master password (which you should write down somewhere safe). Products like 1Password, Bitwarden, or even your browser's built-in password manager eliminate the human factor in password creation and reuse.
For businesses, enforce password policies that prevent weak credentials. Block common passwords, require adequate length (the NCSC recommends at least 12 characters for passwords used by staff), and prevent password reuse across systems. These policies should be technical controls, not just written rules in a handbook.
Multi-Factor Authentication: Not All MFA Is Equal
KNP's lack of multi-factor authentication on internet-facing systems was catastrophic. Even with a guessed password, MFA would have blocked the attackers' entry. But not all MFA provides equal protection.
SMS-based MFA is barely better than no MFA at all. It's vulnerable to SIM swapping attacks and provides a false sense of security. Think of it as a sign politely asking attackers not to hack you - they'll ignore it if they're determined.
Time-based one-time passwords (TOTP) - what you get from apps like Google Authenticator or those hardware code generators people had in the noughties - are significantly better. They're not invulnerable, but they raise the bar considerably for attackers.
For critical systems - root accounts, backup services, financial systems - use passkeys or hardware MFA devices. These cryptographic methods are substantially more secure and should be standard for anything that could cause catastrophic damage if compromised.
A side note: any service that charges extra to enable MFA should be boycotted. Atlassian is a notable example. Holding people's security to ransom is a practice that rewards criminals and punishes responsible security behaviour. If a service treats security as a premium feature rather than a baseline requirement, find an alternative.
System Traversability: One Password Should Never Control Everything
Here's the critical point that's often missed: you might be thinking you'd hate to be the person whose password was guessable. But that isn't the real issue. All security failures are organisational failures.
There should have been policies, administrative controls, and technical controls preventing a single password from granting access to everything. The fact that attackers could traverse from one compromised account to the entire infrastructure - including backups and disaster recovery systems - represents a fundamental architectural failure.
The principle is simple: one compromised account shouldn't give attackers access to everything. Your backup systems should be completely separate from your main systems - if an attacker gets into your production environment, they shouldn't be able to touch your backups. Administrative accounts that can make system-wide changes should be strictly limited and monitored. An employee's account should only access what they actually need for their job.
The NCSC provides specific guidance on how to structure your systems this way. The goal is straightforward: when an account gets compromised (and you should assume it will eventually), the damage is contained. Attackers can't hop from one system to another until they control everything. They can't reach your backups. They can't destroy your entire business.
For solo entrepreneurs and small businesses, this might mean using separate accounts for different services, ensuring your backup provider is completely independent from your main systems, and never using the same credentials everywhere. For larger organisations, it requires proper architecture and possibly external expertise, but it's far cheaper than rebuilding from scratch.
The Best Memorial
Seven hundred families lost their primary income source when KNP collapsed. A company with 158 years of history vanished overnight. Northamptonshire's economy lost a significant employer. Those Knights of Old lorries I remember from childhood road trips are gone from Britain's motorways.
That loss is permanent. But it doesn't have to be meaningless.
The best way to extract value from everything that was destroyed when KNP fell is for it to inspire other businesses to secure their systems properly. Every company that implements proper password policies, enables strong MFA, and architects their systems to prevent catastrophic traversability is a small memorial to those 700 lost jobs.
You're on the frontlines whether you like it or not. The attackers don't care about your size, your industry, or how long you've been in business. They care about whether you're an easy target.
Don't be an easy target. Implement the basics properly. Treat security as infrastructure, not an afterthought. And if you're a business leader reading this thinking "we should probably look at this," stop thinking and start doing.
The next company with a 158-year legacy could be yours. Make sure you're not the next cautionary tale.