Ransomware does not start in the firewall. It starts in your employees' LinkedIn profiles, data-broker listings and leaked passwords. We remove the data the attacker needs.

Last updated: May 15, 2025

Editorial team, Reputation Experts

Most successful ransomware attacks against UK and UAE companies in the last three years did not start with a vulnerability in the firewall or an unpatched server. They started with a phishing email or a phone call to a single employee whose personal information made them an easy target. The attacker knew the employee's name, their job, their reporting line, the names of their children, the dog walker they used, the school the children attended, the colleague they had lunch with on Tuesdays, and the password they had used on a forum in 2014 that had been leaked in a breach. The attack succeeded not because the technology failed, but because the employee was easy to impersonate.

All of that information was freely available online before the attack. The firewall did not protect against it. The endpoint-detection software did not see it. The mandatory cybersecurity training did not remove it. The information sat on LinkedIn, on data-broker sites, in old breach databases, in social-media tagged photographs and in personal-life articles the employee had no involvement in publishing. The defensive move that closes that exposure is not security software. It is data removal — and that is what we do.

How a ransomware attack actually starts

Forensic reports from the past three years of UK and UAE ransomware incidents are remarkably consistent on the initial vector. The attacker spent days or weeks compiling a dossier on a single target employee — typically someone in finance, HR or IT with access credentials that mattered. The dossier came from LinkedIn (job, reporting line, recent activity), from data brokers (home address, family members), from breach databases (passwords reused across personal accounts), from social-media tagged content (children's names, schools, holiday plans), and from search results for the employee's name across years of unrelated press mentions.

Armed with that dossier, the attacker placed a phone call or sent an email that the employee could not distinguish from a legitimate communication. The CEO appeared to call from the right number, used the employee's name correctly, referenced a recent business event accurately, and asked the employee to authorise a transfer or click a link. The employee complied. The breach began. The technical security stack the company had invested in was never tested, because it was never the vector.

What cybersecurity software cannot do

Endpoint-detection-and-response platforms, firewalls, multi-factor authentication, security-awareness training and the rest of the modern cybersecurity stack all defend against attacks that have already crossed the perimeter or are attempting to. None of them removes the personal information about your employees that the attacker uses to plan and execute the social-engineering call in the first place. The CISO can buy every product on the market and the employee's home address, family names and prior passwords will still be sitting on the same data-broker sites, the same LinkedIn over-share, the same breach databases — fully available to the next attacker who decides the company is worth targeting.

Closing that exposure requires a different discipline: data-broker removal at scale, LinkedIn perimeter audit, breach-database monitoring, social-media privacy hardening, and continuous re-listing monitoring. Most security teams are not set up to do it. Most companies do not realise it is available as a service. It is, and it is the most underrated layer of an enterprise defence-in-depth strategy.

What we actually do for a company concerned about social-engineering risk

We start with an exposure audit on the company's senior staff and high-risk employees — typically the executive team, the finance and HR leads, the IT operations team, and anyone with access credentials that materially matter. The audit catalogues every piece of personally identifying information about each employee that is publicly available, scored by attacker usefulness. Within the first thirty days, we remove the data-broker exposures, audit and lock down the LinkedIn perimeter, identify breach exposures and trigger credential resets, and scrub the social-media tagged content where consent can be obtained.

We do not replace the cybersecurity stack — we close the gap the cybersecurity stack cannot reach. From month one onward we monitor for re-listings and new exposures, and we maintain a continuous defensive perimeter that the attacker now has to crack before they can even draft the phishing email. The next social-engineering attempt fails not because the technology detected it, but because the attacker could no longer assemble the dossier that makes it convincing.

Employee privacy and social-engineering defence is our expertise

We work with enterprises and mid-market companies across the UK and the UAE on employee privacy and the data-removal layer of cybersecurity defence. The discipline is mature, the playbook is documented, and most of our engagements pay for themselves the first time a phishing or vishing attempt against a covered employee fails because the attacker did not have the personal data they expected to have.

The outcome we deliver is concrete. The employee data the attacker needs is removed from the public web and continuously monitored. The social-engineering vector closes. The cybersecurity stack the company has already invested in becomes more effective because it is now defending a perimeter that the attacker has fewer ways to penetrate. Same firewall. Same MFA. Same training. A different exposure profile, and a ransomware risk that has dropped sharply because the attack stops happening before it starts.

Key takeaways

  • Most ransomware attacks now begin with social engineering of a single employee — not with a vulnerability in the firewall or the endpoint.
  • The information the attacker uses to impersonate an employee — name, role, family members, schools, prior addresses, leaked passwords — is freely available online before the attack.
  • Cybersecurity software defends the perimeter. Employee privacy removal closes the route the attacker uses to get past the perimeter in the first place.
  • Data-broker removal at scale is a specialist process — most security teams are not set up to do it, and most companies do not know it is available.
  • Outcome we deliver: the personal data the attacker needs to impersonate or compromise an employee is removed from the public web and monitored for re-listings — so the social-engineering attack fails because the attacker can no longer assemble the dossier.