Cyber Chaos: Could Your Business Survive an M&S-Style Hack?
The recent cyberattack on retail giant Marks & Spencer should serve as a deafening alarm bell to businesses of all sizes. If a company with M&S’s resources and infrastructure can be compromised, what does that mean for the average small or medium-sized enterprise?
Here's how businesses can learn from the M&S breach—and crucial steps to defend themselves in an era where cyber threats are more dangerous and costly than ever.
What Happened to M&S?
In early 2025, Marks & Spencer was hit by a devastating cyberattack, reportedly orchestrated by the ransomware gang Scattered Spider. The breach caused major system outages, disrupted online orders, and is projected to cost the retailer nearly £300 million in lost profits and reputational damage.
The attack targeted third-party suppliers and infiltrated M&S systems through exploited security gaps—an all-too-common weak link in modern supply chains.
What Can Businesses Learn from the M&S Hack?
1. Supply Chain Security Is Non-Negotiable
Many breaches happen indirectly through third-party vendors. Businesses must vet and monitor suppliers’ cybersecurity policies and require compliance with strict security standards.
2. No Business Is Too Big—or Too Small
Thinking your company is "too small to target" is a myth. Hackers frequently target SMEs because they tend to have weaker defenses. If you store data or operate online, you’re a potential target.
How to Protect Your Business from Cyber Attacks
1. Implement Multi-Factor Authentication (MFA)
MFA adds an extra layer of protection, making it much harder for attackers to gain access to systems—even with stolen passwords.
2. Regularly Update Software
Outdated systems are an open invitation for hackers. Ensure all software, plugins, and firmware are regularly updated and patched.
3. Train Your Staff
Employees are often the weakest link. Offer regular cybersecurity training, teaching them how to spot phishing emails, avoid suspicious downloads, and follow security protocols.
4. Back Up Data Frequently
Always maintain secure, off-site backups of all critical data. If ransomware hits, you won’t have to pay to recover what’s already safe.
5. Invest in Cyber Insurance
Consider a cyber liability insurance policy. It won’t prevent a breach, but it can help cover financial losses, legal costs, and damage control efforts.
6. Monitor for Unusual Activity
Install intrusion detection systems and use network monitoring tools to catch suspicious behavior before it escalates.
What Should Companies Do After a Cyberattack?
- Act fast: Isolate infected systems to prevent spread.
- Notify affected parties: This builds trust and allows them to protect themselves.
- Report to authorities: Cooperate with cybercrime units and industry watchdogs.
- Review and improve protocols: Every breach is a chance to learn.
The M&S Warning Shot
The M&S hack is a stark reminder that cybersecurity is not optional—it’s foundational. Every company, from local coffee shops to national chains, must view cybersecurity as a core business priority.
Because in today’s world, it’s not a question of if you’ll be targeted, but when—and how ready you’ll be when the moment comes.