The recent cyberattacks on M&S, Co-op, and Harrods weren’t just technical breaches, they were wake-up calls for every IT professional responsible for safeguarding digital infrastructure.
These incidents weren’t random acts of digital vandalism; they were well-coordinated, multi-stage operations that exploited the most common vulnerability in any cybersecurity program: the human element
Here are five hard-hitting lessons from these high-profile breaches that every security leader should internalize and act upon, urgently.
CISO of SecurityScorecard.
1. Your people are your biggest vulnerability (and your best defense)
Let’s start with the uncomfortable truth: your users are your perimeter now. You can invest in next-gen firewalls, zero trust architecture, and the best intrusion detection systems on the market, but if an employee gets tricked into resetting a password or clicking a malicious link, none of that matters.
That’s precisely what happened here. These weren’t attacks that required elite technical prowess. The threat group Scattered Spider, known for its skill in social engineering, didn’t need to breach a firewall, they simply needed to manipulate an IT help desk employee into granting access. And it worked.
This is why investing in people must match, if not exceed, your investment in technology. Security awareness training must evolve beyond annual compliance videos. We need simulated phishing tests, real-world attack scenarios, and constant reinforcement.
Your staff needs to know what these attacks look like and how to respond in real time. When trained right, your employees can be your first line of defense. When ignored, they become the attackers’ favorite target.
The lesson? You can patch a server, but you can’t patch human error. Train relentlessly.
2. Third-party risk is not a “them” problem, it’s a “you” problem
One of the most sobering revelations from these breaches is that organizations were hit not because of their own failures, but because of someone else’s. In the case of M&S, attackers gained access via Tata Consultancy Services (TCS), a third-party supplier managing their IT help desk.
This isn’t an isolated incident. In our latest Global Third-Party Breach Report, we found that 35.5% of all breaches now originate from third-party relationships, a 6.5% increase over the previous year. In retail specifically, that number jumps to a staggering 52.4%.
As enterprises become more integrated, attackers no longer need to breach the front door, they simply target a trusted vendor with privileged access. And that’s the crux of the problem: most businesses still treat third-party risk as a contract clause or a once-a-year questionnaire. That’s not enough anymore.
You need real-time visibility into your entire digital ecosystem, suppliers, SaaS platforms, outsourced IT providers, and beyond.
Vet vendors with the same scrutiny you apply to your own infrastructure. Demand evidence of controls, enforce contractual obligations, and monitor continuously. Because if they go down, chances are, you go with them.
3. Business disruption is the new breach
Let’s talk about the actual damage. Yes, data was stolen. Millions of customer records were affected. But for M&S and Co-op, the bigger crisis was operational paralysis.
M&S’s online systems were crippled for weeks. Stores ran out of stock as automated ordering systems failed. Co-op’s funeral services reverted to pen and paper. Grocery shelves went empty. This wasn’t just about cybersecurity, it was about business continuity.
Here’s what IT leaders need to understand: attackers are shifting tactics. Today’s ransomware gangs aren’t just looking to encrypt your files; they’re looking to disrupt your operations so completely that you have no choice but to pay.
In our research, we found that 41.4% of ransomware attacks now start through third parties, and the focus is squarely on operational leverage.
If your business can’t function, your brand suffers, your customers flee, and your revenue evaporates. Downtime is the new data loss. Plan accordingly.
4. You need a plan B, C, and D (and you’d better practice them)
Hope is not a strategy. Too many organizations have an incident response plan that exists in theory but falls apart under pressure. If you don’t rehearse your response, you’re not ready.
The M&S and Co-op breaches exposed a hard truth: once an attacker is inside, recovery is excruciatingly slow if your systems aren’t segmented, your backups aren’t offline, or your teams aren’t coordinated. Ask yourself:
- Can you continue operations if your core systems are compromised?
- Do your backups meet the 3-2-1 rule, and are they immutable?
- Can you communicate with customers and employees securely without tipping off the attacker?
These are not theoretical questions. These are the differences between a few days of disruption and a multimillion-pound catastrophe. Tabletop exercises aren’t optional, they’re your dress rehearsals for the real thing.
5. Transparency is the only way to rebuild trust
When disaster strikes, how you respond publicly matters as much as what you do behind the scenes. Customers today are tech-savvy. If your services are down or your shelves are empty, they know something’s wrong.
Initially, some of the affected companies were tight-lipped. But Co-op CEO Shirine Khoury-Haq took a different approach, she acknowledged the breach, apologized publicly, and owned the impact. That level of transparency, while difficult, is how you start rebuilding trust.
Let’s be clear: customers can forgive a breach. What they won’t forgive is a cover-up. You must communicate clearly, quickly, and honestly. Share what you know, what you’re doing, and what affected individuals should do to protect themselves. If you don’t control the narrative, the attackers, or the media, will.
And remember: regulators are watching. Under GDPR and similar frameworks, delayed or misleading disclosure isn’t just a bad look, it’s a liability.
Final thoughts
Cybersecurity is a team sport and no single organization can outpace today’s threat landscape alone. But by learning from incidents like these, by hardening our people, processes, and partners, we can collectively raise the bar.
Cyber resilience isn’t a static goal, it’s a discipline, and in an era of interconnected risk, it's the only path forward.
We've featured the best secure email provider.
This article was produced as part of TechRadarPro's Expert Insights channel where we feature the best and brightest minds in the technology industry today. The views expressed here are those of the author and are not necessarily those of TechRadarPro or Future plc. If you are interested in contributing find out more here: https://www.techradar.com/news/submit-your-story-to-techradar-pro
You must confirm your public display name before commenting
Please logout and then login again, you will then be prompted to enter your display name.