Shoppers at an M&S supermarket in London. Image by Tim Sandle.
The long-established British clothes and grocery retailer Marks & Spencer (M&S) has faced a severe cyber incident that took down key internal systems, including payment platforms, online ordering, and its app. The disruption forced the retailer to pause all online sales and refund thousands of customers, while empty shelves and distribution challenges have hit stores nationwide.
The financial impact has been significant, with M&S losing millions of pounds each day and nearly £700 million wiped off its market value. The incident has been linked to the hacking collective Scattered Spider.
This unprecedented disruption not only threatens M&S’s reputation as a reliable high street stalwart but also serves as a wake-up call for businesses across sectors to reassess their cybersecurity readiness.
What can businesses learn from the recent cyberattack that has brought Marks & Spencer to a standstill?
Ian Oswell, Business Development Director at FLR Spectron, has set out for Digital Journal seven essential lessons that can be drawn from the incident. These lessons can help organisations strengthen their cybersecurity defences.
Oswell explains: “The attack took out major internal systems, from payment platforms to online ordering and the M&S app, forcing the company to refund all customers who made purchases during the breach. This clearly flags that the business was not ready for such a sophisticated cyber incident.”
“The M&S attack took out major internal systems, forcing refunds and highlighting a lack of preparedness,” Oswell adds further. “Security should never be treated as an optional extra but as an integral part of business infrastructure. With AI-driven threats increasing, no organisation can protect against every risk, but a clear plan and trained users can limit damage if the worst happens.”
M&S cyberattack sparks 7 critical cybersecurity lessons
Oswell says the fallout from this incident offers important lessons, not only for M&S but for businesses across all sectors.
Cybersecurity Must be a Board-Level Priority
“This attack has shown that no business, no matter how established, is immune. Cybersecurity must be a standing item at board meetings, not just an IT concern. Data breaches and cyberattacks are inevitable, so proactive security measures are essential for every organisation, not just large corporations. Boards must ensure they understand the risks and invest accordingly,” says Oswell.
Hybrid Working Will Increase Cyber Vulnerabilities
“The shift to hybrid and remote working has expanded attack surfaces, making companies more susceptible to cyber threats. This incident brings those concerns sharply into focus. Businesses need to adapt their security frameworks to address the risks that come with flexible working models,” Oswell adds.
Employee Training is Key
“Human error is often the initial entry point for cybercriminals, whether through phishing or other means. Regular, practical training for all staff is critical to reduce the risk of successful attacks,” Oswell explains.
Supply Chain Security is Essential
“Your cybersecurity is only as strong as your weakest supplier. Ensuring third-party vendors adhere to stringent security standards is a vital part of any robust policy. Supply chain vulnerabilities can easily become entry points for attackers,” Oswell warns.
Regularly Prepare and Test Incident Response Plans
“Having recovery plans like Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO) is important, but it’s not enough to just have them documented. These plans need to be regularly reviewed and tested to make sure they work in a real crisis. The M&S attack is a clear reminder that being prepared in advance can make all the difference when an incident happens,” Oswell clarifies.
Invest in Essential Cybersecurity Technologies
“It’s vital that businesses put in place strong technical protections like multi-factor authentication, encryption, and secure access controls. These tools act as the first line of defence against cyberattacks. Without them, organisations leave themselves open to avoidable risks. Investing in these technologies is not optional – it’s essential to protect your business and customers,” recommends Oswell.
Prepare for the Inevitable and Invest in Cyber Insurance
“It’s impossible to protect a business against every threat, especially as AI-driven attacks become more sophisticated. With a clear action plan and well-trained users, you can limit the damage if the worst happens. Cyber insurance won’t stop an attack, but it can help mitigate the financial impact, covering costs like forensic investigations and legal fees,” Oswell concludes.