Cyber attacks on UK retailers: What you need to know
The recent spate of cyber attacks targeting major UK retailers, including Marks & Spencer, Co-op, and Harrods, has sent shockwaves through the business community. These headlines may focus on household names, but the lessons are just as relevant for smaller, owner-managed businesses.
Here’s what’s happened, why it matters, and what practical steps you can take to protect your business…
What Happened?
Over the past few weeks, several high-profile UK retailers have fallen victim to significant cyber incidents:
- Marks & Spencer experienced a ransomware attack that disrupted online orders, contactless payments, and Click & Collect services. The attack, attributed to the DragonForce ransomware group (linked to the notorious Scattered Spider), led to operational chaos, stock shortages, the removal of online ordering from its website for several weeks and even a temporary halt to recruitment.
- Co-op faced a separate breach affecting back-office systems and call centre services. Sensitive customer data was reportedly accessed, stores became increasingly understocked and staff were given strict new protocols for remote work and communications.
- Harrods managed to thwart an attempted network intrusion but still had to restrict internet access and engage specialist investigators.
These incidents have not only caused operational disruption and financial losses, with M&S alone seeing its share price drop by over 6%, wiping nearly £700 million off its market value, but have also highlighted vulnerabilities that exist across the entire retail sector.
How did the attacks happen?
While technical details are still emerging, the National Cyber Security Centre (NCSC) has indicated that social engineering played a key role in several of these attacks.
Rather than relying solely on sophisticated hacking tools, cyber criminals impersonated IT support staff or employees locked out of their accounts, tricking helpdesks into handing over login credentials and security codes. This method is alarmingly simple but highly effective, exploiting human trust rather than technical loopholes.
As the NCSC puts it: ‘People, not just passwords, are your first line of defence’.
Why should small businesses care?
It’s tempting to think that only large organisations are targets, but that’s simply not the case.
Smaller businesses, which usually lack dedicated cyber security teams or are reluctant to invest the time and money in robust security and training, can be seen as easier prey. Recent statistics show that 39% of UK businesses and 26% of charities reported a cyber security breach or attack in the past year.
The tactics used in these recent attacks do not discriminate by business size. If anything, the absence of robust processes and regular staff training in smaller firms can make them more vulnerable.
Practical steps to protect your business
The good news is that there are straightforward, affordable measures you can take to improve the cyber resilience of your business. The NCSC’s Small Business Guide highlights five key steps:
1. Review Password Reset Processes
- Who is authorised to reset passwords?
- Are there secondary checks to verify identity, especially for senior staff with access to sensitive data?
- Consider using codewords or multi-step verification for helpdesk requests.
2. Implement Multi-Factor Authentication (MFA)
- Require more than just a password to access critical systems. MFA can block most unauthorised access attempts.
3. Monitor for Unusual Logins
- Set up alerts for logins from unexpected locations or at odd times. Investigate any anomalies promptly.
4. Train Staff to Recognise Social Engineering
- Regularly update your team on the latest tactics used by cyber criminals.
- Encourage a culture where staff feel comfortable questioning unusual requests, even if they appear routine.
5. Back Up Your Data and Protect Devices
- Ensure regular, secure backups are in place.
- Keep all devices, including smartphones and tablets, updated with the latest security patches.
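The third step above (monitoring for unusual logins) is the one most easily turned into something you can actually run. The following is an added example, not code from the article or from the NCSC: it reads a small, constructed authentication log and flags successful logins that came from an unexpected country, happened outside the business-hours window, or followed a burst of failed attempts. The log format, the per-user list of expected countries and the thresholds are all assumptions; a real system will export different fields, but the checks are the same ones an alert rule would implement.

```python
"""Flag unusual logins in a simple authentication log.

Added example, not part of the original article. The log format
(timestamp, user, country, result), the expected-country table and the
thresholds are assumptions made for illustration.
"""
from collections import Counter
from datetime import datetime, time

# Constructed sample log: ISO timestamp, user, source country, outcome.
SAMPLE_LOG = """\
2025-05-06T09:12:01Z alice GB success
2025-05-06T09:45:22Z bob GB success
2025-05-06T03:02:10Z alice GB success
2025-05-06T10:15:33Z carol US success
2025-05-06T10:16:01Z carol US failure
2025-05-06T10:16:30Z carol US failure
2025-05-06T10:16:58Z carol US failure
2025-05-06T10:17:20Z carol US failure
2025-05-06T10:17:45Z carol US success
2025-05-06T14:30:00Z bob GB success
"""

# Assumption: where each user normally logs in from (HR records or past history).
EXPECTED_COUNTRIES = {"alice": {"GB"}, "bob": {"GB"}, "carol": {"GB"}}
# Assumption: the normal working window; anything outside it is worth a look.
BUSINESS_HOURS = (time(7, 0), time(20, 0))
# Assumption: this many failures immediately before a success is suspicious.
FAILED_BEFORE_SUCCESS_THRESHOLD = 3


def parse_log(text):
    """Turn the whitespace-separated log lines into event dictionaries."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, country, result = line.split()
        events.append({
            "time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "user": user,
            "country": country,
            "result": result,
        })
    return events


def find_unusual_logins(events):
    """Return (timestamp, user, reasons) for each successful login that looks odd."""
    alerts = []
    recent_failures = Counter()  # failed attempts per user since their last success
    start, end = BUSINESS_HOURS
    for e in events:
        if e["result"] == "failure":
            recent_failures[e["user"]] += 1
            continue
        # From here on the event is a successful login.
        reasons = []
        if e["country"] not in EXPECTED_COUNTRIES.get(e["user"], set()):
            reasons.append(f"unexpected location {e['country']}")
        if not (start <= e["time"].time() <= end):
            reasons.append("outside business hours")
        failures = recent_failures[e["user"]]
        if failures >= FAILED_BEFORE_SUCCESS_THRESHOLD:
            reasons.append(f"{failures} failed attempts before success")
        recent_failures[e["user"]] = 0  # a success resets the failure run
        if reasons:
            alerts.append((e["time"].isoformat(), e["user"], reasons))
    return alerts


if __name__ == "__main__":
    for when, user, reasons in find_unusual_logins(parse_log(SAMPLE_LOG)):
        print(f"{when} {user}: {'; '.join(reasons)}")
```

Run against the sample log it raises three alerts: Alice's 03:02 login (outside hours), Carol's first login from the US (unexpected location), and Carol's later US login that followed four failures. The point of the "reasons" list is that each alert says why it fired, so whoever investigates can quickly tell a travelling employee from a compromised account.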
For more detailed, step-by-step advice, the NCSC offers a free Small Business Guide on their website.
Cyber security: A Business-Wide Responsibility
The recent attacks reinforce the view that cyber security is not just an IT issue but is a business-wide responsibility. Organised criminals are increasingly targeting the weakest link in the chain, which is our people, and usually their desire to be helpful. Building a culture of awareness, clear communication, and healthy scepticism is crucial.
As the NCSC warns, these incidents are a ‘wake-up call’ for all organisations, large and small. With cybercrime on the rise and attacks becoming more frequent, now is the time to ask: could this happen to us?
We’d strongly recommend that every business owner take some time in the very short term to review their security arrangements, speak to their IT support for up-to-date advice on the subject, and refresh their cyber security training procedures and processes.
It could be the best investment you make into your business this year.