Inside Cyber Security: Anatomy of a ransomware attack

EMCSC

Admin

When KNP Logistics Group was hit by a ransomware attack in June 2023, the impact went far beyond its IT systems. Despite strong security, detailed plans, and a £1m cyber insurance policy, the company’s operations came to a standstill. 

Former director Paul Abbott shared his experience at last month’s East Midlands Cyber Summit at De Montfort University. He set out how quickly a cyber incident can test leadership, planning, and company culture. 

Here, we outline what happened with KNP, the key lessons for business leaders, and why resilience must stay on every board’s agenda.

Preparing security

KNP invested heavily in cybersecurity – spending six figures annually, employing an internal IT team, and working with a managed service provider to support its ISO framework. Measures included firewalls, auto‑patching, and disaster recovery planning, plus staff training against phishing and social engineering. The Board regarded cybersecurity as handled and focused on business growth, believing that its investment and insurance meant the company was well protected.

The attack

On 15 June 2023, the company’s night shift saw widespread IT failures. Initially thought to be a hardware issue, the problem soon proved much worse. Within hours, operations switched to a manual contingency plan to keep trucks moving. 

Then came the confirmation: KNP had been hit by a ransomware group, which had encrypted systems and backups. A forensic investigation identified the point of entry: a password breach, likely through brute force or a compromised credential. Once attackers gained access to the front-end network, they escalated through various security levels and administrative rights. The attackers then demanded millions.

Immediate response

Activating its cyber insurance gave KNP access to expert first‑response teams for legal guidance, reporting, and negotiation advice. The company also engaged a specialist that had handled similar cases, but ultimately decided against paying the ransom. Instead, the team focused on recovery and manual operations, processing around 12,000 orders weekly under intense pressure.

Recovery efforts

Over the following weeks, partial systems returned online, but the pace was slow. Manual operations continued for three months, and customers saw little disruption – an extraordinary effort from the KNP workforce. However, one critical gap remained – the financial reporting and covenant reporting systems could not be restored. Without these, lenders were unable to maintain support.

Business closure

Despite the team’s resilience, KNP closed after three months. Banks had been patient but required covenant reports to continue funding. Mr Abbott said that losing the company after maintaining full operations was devastating, especially given how hard employees had worked to keep it alive.

What worked

Manual contingency processes kept operations functioning, proving the team’s training and planning effective in the short term. Cyber insurance provided expert guidance, helping manage communication and legal risks. Staff awareness built through prior training proved essential to earlier threat detection. The decision not to pay the ransom – while costly – was ethically and strategically sound. Above all, the dedication and teamwork of employees sustained operations and preserved customer trust for months.

What failed

The company’s on‑premises infrastructure left backups vulnerable, allowing hackers to destroy recovery routes. Most significantly, disaster recovery plans had never been tested for long outages, and financial system recovery wasn’t prioritised. Finally, the Board lacked detailed cyber awareness and overestimated the protection their spending provided.

Why the business ultimately failed

The ultimate cause of failure was the inability to restore financial reporting systems within the three‑month window allowed by lenders. Operational continuity alone proved insufficient. Without financial transparency and covenant compliance, lender confidence collapsed. KNP’s experience shows that true business resilience depends on linking IT recovery with financial, regulatory, and operational stability.

  • This post is part of a series based on content from speakers at the East Midlands Cyber Summit. The Summit was delivered by East Midlands Cyber Security Cluster as part of its CyberGrowth programme.