As we all know, Marks & Spencer (M&S) has fallen victim to a serious cyberattack. The breach has caused major disruption to their online operations, exposed sensitive customer data, and is expected to result in hundreds of millions in financial losses.
While M&S is a large enterprise, the tactics used by cybercriminals and the scale of the damage offer important lessons for smaller businesses. SMEs may not have the same budget or security infrastructure, but they can and should adopt key principles to reduce risk and improve resilience.
Here’s what SMEs can take away from the M&S breach:
People are a common target
Initial access to M&S systems was reportedly gained through social engineering: attackers impersonated IT staff to manipulate internal helpdesk workers into resetting passwords and removing multi-factor authentication (MFA).
What this means for SMEs:
Cyber security isn’t just about firewalls and antivirus software – it starts with people. Regular training is vital. Make sure staff know how to spot suspicious requests, verify the identity of anyone asking for a password reset or MFA change, and report concerns quickly.
Third parties can be a hidden risk
The attack is believed to have started via a compromised third-party account – a reminder that external suppliers and partners can pose risks if they’re not properly managed.
What this means for SMEs:
Always assess the security practices of anyone who has access to your systems or data. Clarify their responsibilities and ensure they are aware of, and comply with, your security processes.
Downtime can be devastating
M&S had to pause online orders and revert to manual operations, which has led to missed sales, stock issues, operational backlogs and many unhappy customers.
What this means for SMEs:
Could your business keep running if key systems went offline? Build a business continuity plan. Test it. Even simple measures, like offline alternatives, could help minimise disruption.
Customer data must be protected
Hackers accessed customer names, contact information and order histories, which has not only caused distress but also opened the door to further fraud and legal issues.
What this means for SMEs:
Take data protection seriously. Make sure customer data is stored securely, and only accessible by those who need it. Review your policies and stay compliant with data protection regulations.
Cyber security is a business essential – not a ‘nice to have’
Despite previous investment, M&S’s defences were still breached, proving that cyber security isn’t a one-off project, but an ongoing commitment.
What this means for SMEs:
Even if you’re small, you’re still a target. Cyberattacks are often automated and indiscriminate. Carry out regular assessments, patch software promptly, and work with a trusted IT provider, such as Net Primates, to improve your defences.
Clear communication builds trust
To their credit, M&S were transparent with customers about the breach and issued updates as the situation unfolded.
What this means for SMEs:
If you suffer a breach, hiding it won’t help. Communicate quickly and clearly with those affected. Reassure customers with the steps you’re taking and explain what they should do next.
Breaches come with a price – financial and legal
M&S is now facing not only operational losses but legal action from affected customers. The reputational damage may take even longer to repair.
What this means for SMEs:
The cost of recovery can be enormous, even for smaller businesses. Invest in prevention where possible, and consider cyber insurance to help reduce the financial impact if something does go wrong.
Final thoughts
The M&S cyberattack highlights how companies can be brought to a standstill by a well-executed attack. It demonstrates how prevention, preparation, and people all play vital roles in the cyber security process, and that all aspects need to be regularly reviewed.
If you’re not sure where to start, we can assist. Whether it’s training your team, reviewing your backup and recovery plans, or carrying out a Cyber Security Risk Assessment, we’re here to support you in building a safer, more secure business.