
The cyber-attack on Marks & Spencer will lead to an estimated £300 million hit to the company’s profits this year. It now aims to have online shopping at the store back to normal by August, more than three months after IT systems were compromised.

Fans of M&S clothing and food will be relieved after all of the uncertainty. But that level of uncertainty, as well as the huge cost, is surely a sign that big retailers, which millions of people rely on, need to change how they think about – and invest in – cybersecurity.

It has to be an absolute priority. After all, few marketing strategies or HR initiatives can save a company £300 million in just six weeks. But perhaps a more sophisticated cybersecurity department could have done just that.

To be fair, M&S faced a relatively rare, high-impact ordeal. Most cyber-attacks of this nature don’t affect customers so directly, and much of the recovery typically happens behind the scenes.

But M&S shoppers saw online orders collapse, contactless payments fail and refunds, gift cards and loyalty points not functioning. Disruption in stock-management and warehousing led to empty shelves and food waste.

On June 27, M&S issued a public apology and a £5 digital gift card to affected customers. But research suggests that the most important element of keeping customers onside is the quality of the recovery process, and whether normal service is eventually resumed.

To get back to normal service, it is possible that a ransom was paid to the cyber attackers, but M&S has refused to confirm or deny this. (One survey found that many organisations hit by cyber attacks agreed to pay a ransom – and then suffered a subsequent breach, often from the very same culprits.)

But even when normal service returns, when hackers steal customer data, as they did with M&S, research suggests that this information is often reused by criminals in identity theft and phishing. A study even found that victims of data breaches are more likely to have mortgage applications denied.

From what we know about the breach at M&S, it seems that the cyber-attackers simply used a phishing technique to get the support desk of a third-party contractor to reset the password of an admin-level account. That said, although in this case the main vulnerability was human, the lesson to be learnt here is that sometimes just one vulnerability can shake the whole system to its core.

This is why business owners need to think of cybersecurity not just as a tedious and inconvenient IT issue, but as a core function of the business. Otherwise, as the M&S case illustrates, it is simply not possible for the rest of the corporate structure to operate.

Testing times

So cybersecurity targets must be incorporated into every department to ensure collective defence. And organisations also need to stress-test the different aspects of their systems.

That could be checking on human responses, but it should also include technology (like a vulnerability in the web server), physical barriers (a poorly secured server room door) and HR procedures (failure to revoke ex-employee access).
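One of the checks listed above, the HR procedure of revoking ex-employee access, can be stress-tested with a short script rather than an annual audit. The example below is added here and is not from the article or from M&S; it assumes a hypothetical HR roster and a hypothetical identity-system account export, both constructed inline, and it flags leavers whose accounts are still enabled (or were used after their leaving date), dormant privileged accounts, and accounts with no HR owner at all.

```python
"""Offboarding drift check: flag accounts that should already have been revoked.

Added example, not code from the article. The HR roster and the IAM export
below are constructed sample data; a real run would read both from the
HR system and the identity provider.
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Account:
    username: str
    enabled: bool
    privileged: bool            # admin-level rights, the kind a help desk should never reset casually
    last_login: Optional[date]


@dataclass(frozen=True)
class HrRecord:
    username: str
    status: str                 # "active" or "left"
    left_on: Optional[date]


# Constructed sample HR roster (hypothetical people).
HR_ROSTER: List[HrRecord] = [
    HrRecord("alice", "active", None),
    HrRecord("bob", "left", date(2025, 3, 31)),
    HrRecord("carol", "left", date(2025, 5, 15)),
    HrRecord("dave", "active", None),
]

# Constructed sample identity-system export.
IAM_EXPORT: List[Account] = [
    Account("alice", True, False, date(2025, 6, 20)),   # normal active user
    Account("bob", True, True, date(2025, 6, 1)),       # left in March, still enabled, still logging in
    Account("carol", False, False, date(2025, 5, 10)),  # correctly disabled on leaving
    Account("dave", True, True, date(2025, 1, 2)),      # active, but a privileged account nobody uses
    Account("svc-backup", True, True, None),            # no HR owner: orphaned service account
]


def find_offboarding_gaps(roster: List[HrRecord], accounts: List[Account],
                          today: date, dormant_days: int = 90) -> List[Tuple[str, str]]:
    """Return (username, finding) pairs for accounts that fail the offboarding check."""
    hr = {r.username: r for r in roster}
    findings: List[Tuple[str, str]] = []
    for acct in accounts:
        rec = hr.get(acct.username)
        if rec is None:
            # Nobody in HR owns this account, so nobody will trigger its revocation.
            findings.append((acct.username, "no HR owner"))
            continue
        if rec.status == "left" and acct.enabled:
            findings.append((acct.username, "enabled after leaving"))
            if acct.last_login and rec.left_on and acct.last_login > rec.left_on:
                # Strongest signal: the leaver's credentials were used after departure.
                findings.append((acct.username, "login after leaving date"))
        if (acct.privileged and acct.enabled and acct.last_login
                and (today - acct.last_login).days > dormant_days):
            # Unused admin accounts are exactly the kind a password-reset phish targets.
            findings.append((acct.username, "dormant privileged account"))
    return findings


def run_sample() -> List[Tuple[str, str]]:
    """Run the check over the constructed data with a fixed reporting date."""
    return find_offboarding_gaps(HR_ROSTER, IAM_EXPORT, today=date(2025, 6, 30))


if __name__ == "__main__":
    for user, finding in run_sample():
        print(f"{user}: {finding}")
```

Running this against the sample data reports bob twice (still enabled, and a login after his leaving date), dave's dormant admin account, and the orphaned svc-backup account. The point of scripting the check is that it can be run weekly, not once a year, and the findings feed directly into the revocation process.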

[Image: laptop in use with a graphic of a padlock and security icons. Caption: Lock down your laptop. Credit: Thapana_Studio/Shutterstock]

These lines of defence have to be stress-tested regularly and from multiple angles, rather than being considered an annual checkbox activity for compliance.

Scenario-based tests – essentially a cyber fire-drill – such as internal threat simulations and response exercises, can provide useful insights into an organisation’s readiness to detect, respond to and recover from cyber-attacks.

It’s also important that organisations learn to communicate clearly once a breach occurs. Research into responses to data breaches suggests that any backlash is sharper when the company seems to be trying to hide the breach, which may later be publicised by the criminals instead.

Consumers should also remember that they are not powerless. We may not be able to prevent a data breach, but all of us can help to stop attackers from infiltrating our online worlds by something as simple as not re-using the same passwords.

By remaining sceptical, we can prevent attackers from using the information they stole to phish us later. And by thinking carefully about what personal data we share with companies, we can reduce the impact of future breaches.