By Izak Coetzee, Business Operations Director, Assist Security Group
The M&S Reality Check
The M&S cyber-attack should concern every business owner. The damage was not just the estimated £300 million cost; it was months of disruption that affected the whole operation. The attack is reported to have started with social engineering, via a third party that had access to M&S systems.
“If it can happen to M&S, with their resources and expertise, it can happen to anyone,” says Jim McFedries, Chief Business Development Officer at Assist Security Group (ASG). “The question isn’t whether you’ll face a cyber threat – it’s whether you’ll be ready for it. When assessing and managing risk for a business, IT protection goes hand in hand with physical security.”
For most businesses, a successful cyber-attack does not just mean lost data or temporary downtime. It can mean complete disruption of operations, internal and external communications and payment processing, and restricted or no access to critical business information. Everything stops until systems are restored.
User and Device Management
Effective onboarding procedures give a new hire a pleasant welcome and get them up and running with everything they need in the shortest possible time. Equally important are effective offboarding procedures for leavers, so that all relevant physical and system access is revoked at the right time (on the day of departure, not days after the person has gone) and all business assets are returned and processed as needed.
Hand in hand with this go good device management processes and tools: ones that auto-capture important asset information (make, model, serial number, mobile device IMEI number and so on), enforce best-practice policies (a minimum 6-digit passcode on mobile devices, complex passwords with regular updates, multi-factor authentication (MFA), regular software updates) and can lock a device or remotely wipe business data from it if needed.
All staff should know the escalation and reporting procedure for a lost or stolen device. There were 78,000 phone thefts in England and Wales in the year to March 2024 (a 150% increase), 60,000 of them in London alone. A device stolen in the evening and only reported the next morning gives criminals hours of uncontrolled access.
Role-Based Access
Segregation of data and role-based access are essential (for example, separate SharePoint groups for each business function or team), with access to each data store restricted to the specific individuals who need it, at the correct access level (edit, view only, etc.). If a user account is compromised, the impact is then limited to the applications and data that account can reach, not the entire business.
Automated monitoring and detection tools, although an additional cost, can ‘learn’ what ‘normal’ baseline behaviour looks like across the business in order to detect and escalate abnormal activity. For example, if a user account starts downloading a large volume of files and the system determines this is abnormal for that user, it can take pre-determined precautionary actions such as forcing the user to re-authenticate via MFA, then escalate for further (human) investigation.
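The following is an added example, not ASG’s tooling or any product’s logic, of the per-user baseline idea described above: it learns each user’s typical daily download count from a training window of constructed audit-log rows, then scores a new day against that user’s own baseline. The user names, counts, z-score thresholds and response actions are all illustrative assumptions.

```python
"""Added example (not ASG's or any vendor's code): a per-user download baseline.

Constructed audit-log rows: (user, day, files_downloaded). The detector
learns each user's typical daily download count from a training window,
then scores a new day against that baseline. Thresholds and the response
actions are illustrative assumptions, not any product's defaults.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample data: ten "normal" days per user.
TRAINING_LOG = [
    ("alice", f"2024-05-{d:02d}", n)
    for d, n in enumerate([12, 9, 15, 11, 10, 14, 8, 13, 12, 11], start=1)
] + [
    ("bob", f"2024-05-{d:02d}", n)
    for d, n in enumerate([40, 55, 38, 60, 45, 52, 48, 41, 58, 50], start=1)
]


def build_baselines(log):
    """Return {user: (mean, population stdev)} of daily download counts."""
    per_user = defaultdict(list)
    for user, _day, count in log:
        per_user[user].append(count)
    return {u: (mean(c), pstdev(c)) for u, c in per_user.items()}


def score(baselines, user, count, z_threshold=3.0, min_sigma=5.0):
    """Return (z_score, action) for one day's download count.

    Unknown users have no baseline, so they are escalated by default.
    min_sigma is a constructed guard: a very regular user would otherwise
    turn a small wobble into a huge z-score.
    """
    if user not in baselines:
        return float("inf"), "escalate_unknown_user"
    mu, sigma = baselines[user]
    sigma = max(sigma, min_sigma)
    z = (count - mu) / sigma
    if z >= 2 * z_threshold:
        return z, "require_mfa_and_escalate"   # assumed response action
    if z >= z_threshold:
        return z, "escalate_for_review"         # assumed response action
    return z, "allow"


BASELINES = build_baselines(TRAINING_LOG)

if __name__ == "__main__":
    # The same count (60 files) is normal for bob and alarming for alice,
    # because the baseline is per user rather than a single global limit.
    for user, count in [("alice", 20), ("alice", 30), ("alice", 60),
                        ("bob", 60), ("carol", 1)]:
        z, action = score(BASELINES, user, count)
        print(f"{user:6} {count:4} files  z={z:6.2f}  -> {action}")
```

The point of the per-user model is visible in the last loop: 60 downloads is within Bob’s normal range but far outside Alice’s, so a single company-wide limit would either miss Alice or constantly bother Bob. A real tool would also baseline by time of day, location and device, and would re-learn the baseline as roles change.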
Company IT admins should also keep their ‘Admin’ account separate from their normal day-to-day user account, so that if the everyday account is compromised in any way (for example through a phishing email) the attacker does not gain full admin access.
Third party Suppliers and business partners
Every supplier, consultant and business partner you work with could potentially be an access route for criminals. The M&S attack is a good example of attackers going after their main target indirectly via a third party.
The same (or even more restrictive) security standards applied to employees should also apply to third parties and anyone with access to company systems, including access management and incident reporting.
Software Application management
Staff are often tempted to download new apps and tools they have seen advertised or heard of through a friend or colleague, without thinking about security, and often expose sensitive business data to external platforms that can represent a real threat.
AI assistants and meeting note-takers are a common example: the application requests access to the user’s business data (Contacts, Calendar, OneDrive/SharePoint), and a recording of the business meeting, along with the transcript, meeting summary and actions, is stored on the application developer’s platform, with the employee not understanding the risks involved.
It is therefore essential that all staff clearly understand which applications are approved for business use, as well as the process for requesting approval for a new application, system or tool where existing solutions don’t meet their requirements.
Cyber Security Awareness Training
Cyber security threats change constantly, and cyber criminals understand that targeting people will most likely get a quicker result than going after technical vulnerabilities.
There are so many avenues cyber criminals use to target people, with real life examples we’ve seen recently:
- Phishing emails, appearing to come internally from a C-level Executive or Director with an urgent task that requires immediate action.
- Phishing text messages, appearing to come from a courier company noting a package couldn’t be delivered, providing a link to re-arrange the delivery.
- A QR code in a public area, for example to charge an electric vehicle, where a fake QR code has been placed over the genuine one and directs to a malicious website.
The most successful approach treats cybersecurity training as life skills rather than work requirements. Password protocols, multi-factor authentication, and suspicious email and link recognition benefit employees personally as much as they protect the business. When staff understand these skills protect their own data and finances, engagement improves dramatically.
24/7/365 Monitoring and Detection
Cyber attacks targeting your business, and those of your business partners and suppliers, happen every day and the attempts cannot be prevented entirely. What matters is how quickly you can detect a threat and deal with it before it causes serious damage.
24/7/365 Continuous automated monitoring is well worth the investment, with policies and processes set up in the background to auto-manage and escalate incidents (for human review/intervention) as needed.
Data Security tools
Data security tools such as sensitivity labels can auto-encrypt sensitive data (emails and documents), restrict it to a specific audience and add restrictions on onward sharing, printing and so on. For example, if a staff member applies an ‘Internal Only’ sensitivity label to an email, the content is encrypted and sharing with an external party is blocked.
Other data security tools can auto-label data based on type (for example personal, financial or medical) and flag or take pre-determined actions when an abnormal event is detected, for example an email containing a large number of passport numbers being sent externally. There are also tools to manage DLP (data loss prevention), data retention and deletion, typically through a combination of labels and policies defined by the organisation.
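The following is an added example, not ASG’s or any product’s rule engine, of the outbound DLP check just described: count one type of sensitive identifier in an email and act only when the message leaves the organisation. It assumes a constructed internal domain (`example.co.uk`), treats any nine-digit token as a passport number (the UK format), and uses illustrative flag/block thresholds; the sample emails are constructed for the example.

```python
"""Added example (not ASG's or any vendor's code): a minimal outbound DLP check.

Assumptions, all constructed for this example: the organisation's own
domain is example.co.uk; a 'passport number' is any nine-digit token
(UK passport numbers are nine digits, with no check digit); the
thresholds FLAG_AT / BLOCK_AT are illustrative, not a product default.
"""
import re
from dataclasses import dataclass, field

INTERNAL_DOMAINS = {"example.co.uk"}              # assumption
PASSPORT_RE = re.compile(r"(?<!\d)\d{9}(?!\d)")   # exactly nine digits, not inside a longer number
FLAG_AT, BLOCK_AT = 1, 5                          # illustrative thresholds


@dataclass
class Email:
    sender: str
    recipients: list
    subject: str
    body: str
    # Filled in by evaluate(); listed here so results travel with the message.
    verdict: dict = field(default_factory=dict)


def is_external(address):
    """True when the address's domain is not one of ours."""
    domain = address.rsplit("@", 1)[-1].lower()
    return domain not in INTERNAL_DOMAINS


def evaluate(msg):
    """Return {'matches', 'external_recipients', 'action'} for one message.

    Internal-only mail is allowed regardless of content; only external
    delivery is gated on how many identifiers the message carries.
    """
    hits = PASSPORT_RE.findall(f"{msg.subject}\n{msg.body}")
    external = [r for r in msg.recipients if is_external(r)]
    if not external or len(hits) < FLAG_AT:
        action = "allow"
    elif len(hits) >= BLOCK_AT:
        action = "block_and_notify_admin"          # assumed response action
    else:
        action = "flag_for_user_justification"     # assumed response action
    msg.verdict = {"matches": len(hits), "external_recipients": external, "action": action}
    return msg.verdict


# Constructed sample messages.
SIX_NUMBERS = "123456789 234567890 345678901 456789012 567890123 678901234"
SAMPLES = {
    "internal_bulk": Email("hr@example.co.uk", ["payroll@example.co.uk"], "Visa batch", SIX_NUMBERS),
    "external_bulk": Email("hr@example.co.uk", ["agent@partner.example"], "Visa batch", SIX_NUMBERS),
    "external_two": Email("hr@example.co.uk", ["agent@partner.example"], "Two travellers",
                          "Passports 123456789 and 987654321 attached."),
    "external_clean": Email("hr@example.co.uk", ["agent@partner.example"], "Invoice",
                            "Ref 1234567890 (ten digits) and phone 07700900123 are not matched."),
}

if __name__ == "__main__":
    for name, msg in SAMPLES.items():
        print(f"{name:15} -> {evaluate(msg)}")
```

A single regex is deliberately crude: a ten-digit invoice reference or an eleven-digit phone number is not matched, but any unrelated nine-digit number would be. Real DLP policies combine the pattern with supporting keywords (“passport”, “date of birth”) and proximity, and apply a higher count threshold for the automatic block than for the user prompt, which is what the two thresholds above stand in for.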
The recently reported incident at the MoD, in which an Afghanistan military database was distributed in error, is a good example of what can go wrong when appropriate provisions are not in place.
The Cost of Doing Nothing
Business owners too often resist cybersecurity investment because they see it as expensive spending on something unlikely to happen. This ignores a basic reality: everything in modern business depends on digital systems working.
Consider what happens when your systems fail. You can’t communicate with clients, process payments, access operational procedures, or coordinate staff. For service businesses, this means a complete operational shutdown until systems are restored.
The investment in proper cybersecurity tools and processes can be significant compared to traditional IT spend, until you think about the alternative: potentially complete business paralysis, client data exposure, and reputational damage.
Building Practical Defences
Companies that are serious about cyber resilience need comprehensive but practical approaches:
Foundation Requirements:
– MFA and complex passwords enforced across all business systems
– Data segregation and role-based access control that limits exposure
– Comprehensive device and user management, including ability for remote wiping
– Clear policies for approved applications and external services
– Cyber security awareness training for everyone with access to company systems
Enhanced Protection:
– 24/7/365 continuous automated monitoring
– Automated threat detection, response and escalation (for human review)
– Data Security Tools for automated data labelling, DLP, data retention & deletion
Supplier Management:
– Security requirements for all external parties with system access
– Regular audits of supplier cybersecurity practices
– Immediate incident reporting obligations in all contracts
Competitive Reality
Cybersecurity needs to be regarded as more than risk management: it has become a business advantage. Clients increasingly want to work with suppliers who can prove they have proper cyber defences, because it reduces the threat to their own business. They see it as a sign of competent, compliant operations.
Cyber certifications are becoming standard requirements in tender processes. Companies that can’t demonstrate proper cyber controls are often excluded from consideration.
This trend accelerates as high-profile breaches in the media increase awareness of cyber risks. Businesses want partners who understand that protecting client interests means protecting their own systems and data that enable service delivery.
Making the Investment Decision
Business leaders have a choice: pay for cybersecurity now or pay much more for incident response and recovery later. The first option costs money but keeps your business running and reputation intact. The second costs more money while damaging both.
Cyber criminals don’t care if you’re a small business or a multinational – small and medium businesses are often attractive targets because cyber criminals expect them to have weaker defences compared to big companies.
The choice is simple: act now while you control the timing and scope of investment, or react later when criminals control the timeline and stakes.
Assist Security Group (ASG) provides integrated security and risk management services, combining physical protection with intelligence-led solutions and comprehensive cyber defences. For more information about ASG’s approach to modern business security challenges, contact: sales@assistsecurity.co.uk