M&S one year on: turning anticipation into secure by design
The cyber attack on M&S last year marked a turning point for resilience in the retail sector. One year on, knowing how to avoid the next incident is no longer the priority and being ready for when it happens is key.
Retail continues to be targeted at pace, and for good reason. The sector holds vast volumes of high-value customer data, operates across complex and often opaque supply chains, and has a near-zero tolerance for downtime. In an industry where customer experience is everything, cyber incidents are no longer just technical disruptions but material business events that can define customer and stakeholder trust.
The question for retailers is no longer whether they will be attacked, but how prepared they are to respond and return to business-as-usual operations as quickly as possible, so that they survive and thrive.
Third-party risk is now the frontline
From logistics providers to payment platforms and SaaS vendors, modern retail depends on a web of third-party relationships. Retailers are ecosystems of interconnected parties, and that interconnectedness has become a critical vulnerability.
A single compromised supplier can provide attackers with the foothold they need further up the supply chain. In many cases, it’s not the retailer’s own defences that fail, but those of a partner that enjoys data-sharing access while having less mature cyber controls. The fallout of the M&S attack hit sales and profits heavily, a stark reminder for any sector that security posture is only as strong as the weakest link.
This is where many organisations still fall short. Supplier assurance is often treated as a compliance exercise, focused on periodic questionnaires and tick-box reviews, rather than a continuous, risk-based process. But attackers don’t operate on annual cycles. They exploit gaps in real time.
Retailers must move towards ongoing visibility across their supply chain, understanding not just who their partners are, but how they access systems, what data they handle, and where the real points of exposure lie.
The extended risk to customers
One of the most persistent misconceptions following a cyber incident is that the risk ends when the breach is contained. In reality, the organisation’s problems have only just begun, and the long road to recovery for a retailer can cost millions.
Attackers rarely stop at initial access. They reuse stolen data, sell it on the dark web, and leverage it to launch highly targeted phishing and social engineering campaigns. Even seemingly low-risk information, such as names, email addresses and phone numbers, can be enough to target customers with convincing scams.
This shifts the responsibility for retailers: it is no longer sufficient simply to advise customers to “stay vigilant”. Post-breach, organisations have an extended duty of care, which includes monitoring for downstream threats, communicating clearly, and proactively helping customers identify and avoid scams that may arise from the incident. In an environment where trust is fragile, how a retailer supports its customers after a breach can matter just as much as how it prevents one.
From awareness to secure by design
If the past year has shown anything, it’s that awareness alone is not enough. The industry has spent years talking about cyber risk; now it must embed security into the fabric of how retail businesses are designed and operated.
That starts with the fundamentals that are most often exploited: identity security, access controls, phishing resistance, help desk processes, and full visibility across both cloud and on-premises environments. These are not new challenges, but they remain a consistent target for a reason: they are often inconsistently implemented. The introduction of AI to streamline operational processes has also opened up new attack vectors that need to be understood and mitigated.
Beyond that, organisations need a clear understanding of their most critical data and services. Where is sensitive information stored? Who can access it? What would the operational and customer impact be if it were exposed or unavailable?
Crucially, resilience must be built over time and in depth. Every incident, near miss, or attempted intrusion should strengthen defences by feeding into better detection, faster response and more effective prevention. Security is not a fixed state; it is a continuous process of learning and adaptation.
And preparation cannot be theoretical; retailers must simulate incidents, test response plans, run exercises, and verify that backups actually work, to build the essential muscle memory within teams. Having rehearsed the response is often the difference between weeks and months of recovery time.
A cultural shift at the top
Technology alone will not solve this challenge; real progress requires a shift in accountability and culture.
Training employees to recognise phishing attempts and follow best practices is essential, but it is not sufficient. Cyber readiness must be owned at the highest levels of the organisation.
If cyber risk is business risk, then it should be treated with the same rigour as financial performance. Boards should be measured not just on growth and profitability, but on their preparedness to withstand and respond to cyber incidents. Regulators are increasingly placing the responsibility for cyber incidents on CEOs and boardrooms. This means leaders need to ask more challenging questions, demand clearer visibility and ensure that cyber resilience is embedded into strategic decision-making.
Redesigning retail for disruption
One year on from the M&S cyber attack, the lesson is to rethink how retail organisations operate in an environment where disruption is inevitable. The future of cyber security lies in anticipation, where businesses are building secure-by-design operations that assume compromise, minimise impact, and recover quickly without losing customer trust.
The retailers that succeed will be those that can take a hit and keep trading, keep communicating, and keep protecting their customers without missing a beat.
Chris Brown is senior vice president and UK and Ireland market leader at NCC Group.
