
7 Key Learnings from the M&S Cyber Attack

As April’s cyber attack continues to disrupt operations at M&S, what can UK businesses learn from the event, and what action should they take to secure themselves?

As M&S reveals that personal customer data was stolen in the cyber attack, the retailer is still struggling to get services back to normal three weeks after it started, with online orders suspended and in-store systems such as Click & Collect disabled.

Business continuity issues are costing the retailer £43m a week in lost sales, according to analysis from Bank of America Global Research. The reputational damage from the data breach is yet to be seen for the previously trusted brand as the situation continues to play out. To date it’s unclear whether a ransom has been paid, although payment is no guarantee that customer data will not be sold on to other cyber criminals.

Despite the ongoing difficulties, the long-established and successful retail brand is likely to weather the storm. But what of SMEs who have neither the in-house technical expertise nor the capital to survive this type of attack? These are our key takeaways so far from the M&S cyber attack:

  • Prioritisation of Cybersecurity

Cyber hygiene practices need to be built into the foundations of a business and not just viewed as a box-ticking exercise. Cyber Essentials Plus or ISO 27001 may not in themselves stop a cyber-attack, but preparation for accreditation builds a solid foundation for protecting a business against the most common cyber-attacks. If a breach is not a matter of ‘if’ but ‘when’, there needs to be investment in resilience across the entirety of operations, including supply chains.

  • Strengthening of IT Protocols

The NCSC has warned that attackers are impersonating IT help desks to gain access to systems, so businesses need to review their authentication processes, especially for senior employees, in conjunction with tightening access controls.

  • Social Engineering Awareness & Training + Reporting

Robust firewalls can be installed and timely security updates managed, but your first and last line of defence is your users, and they need to be thoroughly engaged in protecting your business. Train, test and keep testing employees’ awareness of the potential risks of social engineering, including what action to take and where to report possible threats.

Also encourage employees to report potential mistakes, such as clicking on an unknown link or downloading a suspicious file. Mistakes happen, and the sooner attacks can be contained, the better. If your business operates in a culture where the repercussions of mistakes are feared, employees are far less likely to report a potential issue.

  • Board Members / Senior Management Buy-In

Cybersecurity needs to move from being an IT function to a boardroom priority. Businesses need to recognise that cybersecurity is not just a compliance matter or a ‘nice to have’, but essential for business sustainability. According to the latest Breaches Survey, just under 27% of businesses have board members taking explicit responsibility for cybersecurity as part of their job.

  • Mandating Cybersecurity

As M&S admits that customer data was taken in the cyber attack, there is heightened concern about data privacy and the need for robust data protection measures. GDPR is a legal obligation, but if data privacy laws can’t be guaranteed without adequate cyber security, should businesses (of a certain size?) be mandated to hold a cybersecurity accreditation?

  • Business Continuity Planning

Since the cyber incident at M&S, it has been suggested that the company lacked adequate business continuity plans, leading to calls for better preparedness and resilience of UK businesses:

Invest in Incident Response and don’t wait for a breach to test your resilience. Immediate detection and containment are essential, as are tested crisis communication and technical response plans.

Implement a proven Backup Strategy, including multiple copies of your data with at least one copy offline / offsite. Without clean, accessible backups, recovery is delayed, adding to the financial and reputational damage. Undertake regular restore tests to see how quickly, and how completely, you can restore your data under real conditions.
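The restore test described above is the part most businesses skip. The script below is an added example, not code from the original article or from Comprendo: it assumes a simple file-copy backup, writes a SHA-256 manifest at backup time, then restores the backup into a scratch location and compares every file against the manifest so that missing or silently corrupted files are caught before they are needed. The sample files, directory names and the simulated corruption are all constructed for the demonstration.

```python
"""Added example (not from the original article): automate a backup restore test.

Assumes backups are plain directory copies. A sha256 manifest is written when the
backup is taken; a restore test copies the backup into a fresh temp directory and
reports anything missing, corrupted, or unexpected.
"""
import hashlib
import json
import os
import shutil
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large backups do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each file path (relative to root, '/'-separated) to its SHA-256 digest."""
    return {
        str(p.relative_to(root)).replace(os.sep, "/"): sha256_of(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def take_backup(source: Path, backup_dir: Path) -> Path:
    """Copy source into backup_dir/data and record a manifest.json beside it."""
    shutil.copytree(source, backup_dir / "data")  # creates backup_dir as needed
    manifest = build_manifest(source)             # hash the live data, not the copy
    (backup_dir / "manifest.json").write_text(json.dumps(manifest, indent=2))
    return backup_dir


def restore_test(backup_dir: Path) -> dict:
    """Restore into a throwaway directory and verify it against the manifest.

    Returns {'ok': bool, 'missing': [...], 'corrupted': [...], 'extra': [...]}.
    """
    expected = json.loads((backup_dir / "manifest.json").read_text())
    with tempfile.TemporaryDirectory() as scratch:
        target = Path(scratch) / "restored"
        shutil.copytree(backup_dir / "data", target)  # the actual restore step
        actual = build_manifest(target)
    missing = sorted(set(expected) - set(actual))
    extra = sorted(set(actual) - set(expected))
    corrupted = sorted(k for k in expected if k in actual and actual[k] != expected[k])
    return {
        "ok": not (missing or extra or corrupted),
        "missing": missing,
        "corrupted": corrupted,
        "extra": extra,
    }


def demo() -> tuple:
    """Constructed scenario: back up two files, then damage the backup copy.

    Returns (report_for_clean_backup, report_for_damaged_backup).
    """
    with tempfile.TemporaryDirectory() as tmp:
        live = Path(tmp) / "live"
        (live / "config").mkdir(parents=True)
        (live / "orders.csv").write_text("id,total\n1,9.99\n")          # constructed sample
        (live / "config" / "app.ini").write_text("[db]\nhost=localhost\n")  # constructed sample

        backup = take_backup(live, Path(tmp) / "backup-2025-05-01")  # hypothetical name
        clean_report = restore_test(backup)

        # Simulate silent corruption of one backed-up file and loss of another.
        (backup / "data" / "orders.csv").write_text("id,total\n1,0.00\n")
        (backup / "data" / "config" / "app.ini").unlink()
        damaged_report = restore_test(backup)
    return clean_report, damaged_report


if __name__ == "__main__":
    clean, damaged = demo()
    print("clean backup:  ", clean)
    print("damaged backup:", damaged)
```

Run this on a schedule against the offline or offsite copy rather than the live data: a manifest built from the live system at backup time and checked after a real restore is what tells you the copy is usable, not just present.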

  • Government and Industry Collaboration

Today’s cyber threat landscape should provoke greater collaboration between businesses, law enforcement, and government agencies like the NCSC and NCA to address cyber threats.

In short…

No size or type of business is immune to a cyber attack and there’s no magic bullet to 100% safeguard your business against cyber attacks because we’re all human, we’re busy, and we like to click on stuff…

At Comprendo we can, however, help you plug the gaps, like timely software updates, password management, fixing firewall vulnerabilities and providing simulated phishing training and awareness for your staff.

For advice on any elements of your cybersecurity, book a free (no obligation / no judgement) security audit of your critical systems, and we’ll see how we can enhance your cyber defences.

Only time will reveal the true extent of the cyber-attack on M&S. Hopefully the retailer will bounce back bigger and stronger. Has the evolving cyber threat landscape had an impact on how you view the cybersecurity of your business? Have you taken action yet?


At Comprendo, we provide customer-focused IT services, solutions and support to businesses throughout North and West Yorkshire, Lancashire and beyond, including Leeds, Bradford, Harrogate, York, Preston and Manchester. Looking to outsource your IT or review your cyber security? We look forward to hearing from you.
