In an increasingly interconnected world, cyber security incidents can cause significant disruption, extending far beyond the initial breach. The recent cyber attack on a prominent multinational retailer, Marks & Spencer (M&S), serves as a timely reminder of the profound impact these events can have on business operations and customer trust. While M&S’s Australian operations were not the primary target, the incident’s effects have resonated globally, highlighting universal vulnerabilities and the critical need for robust cyber defence strategies.
The Attack Unveiled
Reports indicate that the M&S incident was a ransomware attack whose initial access came through what the retailer described as “human error” and a compromised third-party supplier. The entry point illustrates a routine tactic: go after the weakest link in the chain, usually a person or an external partner who already holds access to the organisation’s systems. The attack reportedly involved social engineering, with the attackers persuading IT help-desk staff to reset passwords for them and so obtaining legitimate credentials without ever having to break a control. A password reset granted on a caller’s say-so is an authentication path in its own right, and it is only as strong as the checks the help desk performs before acting.
A group known as DragonForce has claimed responsibility for the attack. DragonForce operates an affiliate (ransomware-as-a-service) model, supplying the malware and infrastructure that other criminals use to carry out intrusions. A second group, Scattered Spider, has also been linked to the incident. The overlap shows how organised contemporary cyber crime has become: separate threat actors collaborate, or share tooling, within a single campaign.
Consequences for Operations and Customers
The immediate aftermath of the cyber attack saw M&S halting online orders, which led to significant disruption across its digital platforms, including issues with contactless payments and “Click & Collect” services. This operational paralysis had tangible consequences, with some M&S stores reportedly experiencing empty shelves due to supply chain disruptions and staff resorting to manual processes.
The financial toll is also substantial, with estimates suggesting the incident could cost the company around £300 million. The disruption to online sales and the associated loss of revenue underscore how quickly a cyber incident can cripple commercial activities and impact profitability. The recovery process for M&S is anticipated to be lengthy, with online operations not expected to fully resume until July. This extended recovery period further illustrates the long-term repercussions of such attacks.
Data at Risk
While M&S has reassured customers that no usable card or payment details, or account passwords, were compromised, personal customer data was indeed stolen. This information could include names, email addresses, postal addresses, dates of birth, household information, and online order histories. Although payment information was not accessed, the theft of personal data still poses a risk of identity fraud and further targeted phishing attempts for affected customers. M&S is taking steps to mitigate this by prompting password resets and advising customers to be wary of suspicious communications.
Essential Lessons for Businesses
The M&S cyber attack offers invaluable lessons for organisations of all sizes, reinforcing the importance of proactive cyber security measures:
- Most companies underestimate the impact of a cyber attack and therefore underinvest in protection. The M&S incident, with its estimated £300 million hit to operating profit, roughly one-third of the company’s projected profit for the year, is a stark example of how costly that oversight can be; the cost of prevention is usually a fraction of the cost of recovery and reputational damage. One way to gauge whether an organisation is underinvested is to look at what share of its spending goes to cyber security. There is no single universal benchmark, but published surveys give two reference points: measured against the IT budget, the cross-sector average is around 9.9%; measured against total revenue, some sources suggest 1% to 2% is typical for businesses with smaller IT footprints, particularly those holding sensitive data. Retail is noted to spend less on cyber security than sectors such as financial services or technology. If your organisation spends significantly less than 2% of total revenue on cyber security, treat that as a signal of possible underinvestment when you evaluate your cyber resilience.
- Prioritise Identity and Access Management: The attackers gained access through legitimate credentials, which makes the case for robust authentication. Enforce multi-factor authentication (MFA) on every system, including the password-reset and account-recovery paths, since a help-desk reset that bypasses MFA undoes the protection MFA provides; require that staff verify a caller’s identity through an independent channel before resetting a password or re-enrolling MFA; enforce strong, unique passwords; and regularly audit who holds which privileges, removing dormant accounts and standing admin rights that are no longer needed.
- Enhance Employee Awareness and Training: Social engineering remains a highly effective attack vector. Ongoing cyber security training for all employees, including management and especially help-desk and IT staff, is crucial. Training should equip staff to recognise and respond appropriately to phishing emails, suspicious links, and pretexting by phone or chat. Simulated exercises, including simulated help-desk requests, reinforce learning and test preparedness.
- Strengthen Third-Party Risk Management: Supply chain vulnerabilities are a growing concern. Vet the cyber security practices of suppliers and partners, ensure their posture aligns with your internal standards, and treat their accounts on your systems as you would your own: least privilege, MFA, time-limited access, and prompt removal when the engagement ends.
- Adopt Proactive Security Measures: Traditional antivirus alone is not sufficient against modern threats. A proactive approach that incorporates endpoint detection and response, “security-by-design” principles in system development, and application allow-listing (whitelisting) significantly strengthens defence.
- Develop a Comprehensive Incident Response Plan: The M&S incident shows that even well-resourced organisations are targeted. A well-defined and regularly tested incident response plan is vital to limit damage, contain the intrusion quickly, and recover efficiently. The plan should include clear communication strategies for stakeholders and customers, and the manual fallback procedures stores had to improvise at M&S are better designed in advance.
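The access-audit and third-party points above can be turned into a routine check. The script below is an added example, not code from Vertex or from M&S, that reads a directory export and flags the conditions those lessons describe: accounts without MFA, third-party accounts holding privileged roles, dormant accounts, and recent help-desk password resets on privileged accounts (the path the reported attack used). The export format, field names, role names, thresholds and the sample records are all constructed assumptions for illustration.

```python
"""Audit an identity export for the weaknesses discussed above.

Added example. The record layout, role names and thresholds are assumed;
the sample accounts are constructed and do not describe any real system.
"""
from datetime import date

PRIVILEGED_ROLES = {"domain_admin", "global_admin", "sysadmin"}
STALE_DAYS = 90          # assumed policy: flag accounts unused for > 90 days
RESET_WINDOW_DAYS = 7    # assumed policy: review help-desk resets this recent
AUDIT_DATE = date(2025, 5, 23)  # assumed "today" so the example runs offline

# Constructed sample export (assumed field names, not a vendor format).
SAMPLE_USERS = [
    {"user": "a.smith", "mfa": True, "roles": ["store_staff"], "external": False,
     "last_login": "2025-05-20", "pw_reset_on": None, "pw_reset_by": None},
    # Supplier service account with standing admin rights and no MFA.
    {"user": "svc-logistics", "mfa": False, "roles": ["sysadmin"], "external": True,
     "last_login": "2025-05-21", "pw_reset_on": None, "pw_reset_by": None},
    # Dormant staff account that nobody removed.
    {"user": "j.doe", "mfa": False, "roles": ["store_staff"], "external": False,
     "last_login": "2025-01-03", "pw_reset_on": None, "pw_reset_by": None},
    # Admin whose password the help desk reset two days ago: needs review.
    {"user": "it-admin2", "mfa": True, "roles": ["domain_admin"], "external": False,
     "last_login": "2025-05-22", "pw_reset_on": "2025-05-21", "pw_reset_by": "helpdesk"},
]


def audit(users, today):
    """Return (user, severity, reason) tuples for every policy violation found."""
    findings = []
    for u in users:
        privileged = PRIVILEGED_ROLES & set(u["roles"])

        # MFA everywhere; missing MFA on a privileged account is the worst case.
        if not u["mfa"]:
            findings.append((u["user"], "high" if privileged else "medium",
                             "no MFA enrolled"))

        # Third-party accounts should not hold standing privileged roles.
        if u["external"] and privileged:
            findings.append((u["user"], "high",
                             f"third-party account holds {sorted(privileged)}"))

        # Dormant accounts are an unmonitored foothold; remove or disable them.
        idle = (today - date.fromisoformat(u["last_login"])).days
        if idle > STALE_DAYS:
            findings.append((u["user"], "medium", f"dormant for {idle} days"))

        # A help-desk reset on a privileged account is exactly the reported
        # entry point, so every recent one gets a human review.
        if privileged and u["pw_reset_by"] == "helpdesk" and u["pw_reset_on"]:
            age = (today - date.fromisoformat(u["pw_reset_on"])).days
            if age <= RESET_WINDOW_DAYS:
                findings.append((u["user"], "review",
                                 "help-desk password reset on privileged account"))
    return findings


def run_audit():
    """Audit the constructed sample against the assumed audit date."""
    return audit(SAMPLE_USERS, AUDIT_DATE)


if __name__ == "__main__":
    for user, severity, reason in run_audit():
        print(f"{severity:7} {user:15} {reason}")
```

In practice the records would come from your directory or identity provider’s export, and the “review” findings would go to a person who confirms with the account owner, out of band, that the reset was genuinely requested.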
In the face of an evolving cyber threat landscape, preparedness and continuous improvement are paramount. Cyber security is not merely an IT issue; it is a fundamental business imperative.
Partner with Vertex for Enhanced Cyber Resilience
At Vertex Cyber Security, we understand the complexities and challenges organisations face in protecting their digital assets. Our mission is to provide relevant, actionable, and industry-leading cyber security advice, products, and services to businesses, helping them build robust defences against advanced cyber threats. From comprehensive penetration testing and cyber security audits to tailored training programmes and managed security solutions, we work with you to enhance your organisation’s cyber security posture.
Do not wait for an incident to occur. Consider taking proactive steps to safeguard your business. To learn more about how Vertex can help your organisation achieve greater cyber resilience, please contact us or visit our website for further information.