The Microsoft 365 Blog

5 Cybersecurity Lessons Every Business Can Learn from the M&S Cyber Attack

Jun 05, 2025

The recent cyber attack on Marks & Spencer (M&S) made headlines across the UK - and it’s not great news. But I’m not here to scare you. Instead, I want to share five important lessons that any business, no matter the size, can learn from this incident.


What Happened with M&S?

M&S, a beloved UK retailer famous for Colin the Caterpillar and Percy Pigs, suffered a significant cyber attack. This attack reportedly cost them millions and wiped around £700 million off their business value. It’s a big deal.

But here’s my issue: I’ve seen too many IT firms using this as an excuse to push their own services, scaring businesses into buying from them. It’s lazy marketing and unnecessary scaremongering.

Instead, let’s come together and learn from this - support each other and strengthen our cybersecurity, whatever the size of your business.


The M&S Cyber Attack in Brief

The attack involved a sophisticated group known as Scattered Spider. It’s believed they gained access as early as February, likely through social engineering - tricking someone into handing over credentials. There’s also talk of a third party with access being involved.

Whether you’re a giant corporation with 70,000+ employees or a small 5-person firm, there are lessons here to help you protect your business.


The 5 Lessons You Can Learn

1. Use Phish-Resistant MFA

Cyber criminals primarily target identities to gain system access. Multifactor Authentication (MFA) is essential, but not all MFA is created equal.

Standard MFA (like SMS codes or authenticator-app codes) can be intercepted or phished - a fake login page simply asks for the code and relays it. Instead, aim for phish-resistant MFA - methods such as hardware security keys, passkeys or Windows Hello for Business, where the credential is bound to the genuine site and cannot be replayed from a fake page. This is the strongest defence for your accounts.

Microsoft 365 supports phish-resistant MFA - if you’re not using it yet, now’s the time to set it up! (Check out my video linked below for a full guide.)
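As an added example (not code from the original post), this is how that requirement can be enforced in Microsoft 365 with the Microsoft Graph PowerShell SDK: a Conditional Access policy that requires the built-in "Phishing-resistant MFA" authentication strength for Global Administrators. The policy is created in report-only mode first so you can confirm in the sign-in logs that nobody would be locked out before enabling it. The break-glass account ID is a placeholder you must replace; the role template ID and authentication strength ID are the fixed Microsoft values.

```powershell
# Added example (not from the original post): a Conditional Access policy that
# requires the built-in "Phishing-resistant MFA" authentication strength for
# Global Administrators. Created in report-only mode; switch state to "enabled"
# once the sign-in logs show the expected result.
# Requires the Microsoft.Graph PowerShell SDK (Install-Module Microsoft.Graph).

Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

# Object ID of your emergency-access ("break-glass") account: placeholder, replace it.
$breakGlassAccountId = "<break-glass-account-object-id>"

$policy = @{
    displayName = "Require phishing-resistant MFA for Global Administrators"
    state       = "enabledForReportingButNotEnforced"   # report-only first
    conditions  = @{
        clientAppTypes = @("all")
        applications   = @{ includeApplications = @("All") }
        users          = @{
            # Global Administrator role template ID (same in every tenant)
            includeRoles = @("62e90394-69f5-4237-9190-012177145e10")
            # Always exclude the emergency-access account so you cannot lock yourself out
            excludeUsers = @($breakGlassAccountId)
        }
    }
    grantControls = @{
        operator = "OR"
        # Built-in authentication strength "Phishing-resistant MFA":
        # FIDO2 security keys, passkeys, Windows Hello for Business, certificate-based auth
        authenticationStrength = @{ id = "00000000-0000-0000-0000-000000000004" }
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
"Created policy '$($created.DisplayName)' (id $($created.Id)) in state $($created.State)"

# Verify which policies in the tenant now require phishing-resistant MFA
Get-MgIdentityConditionalAccessPolicy |
    Where-Object { $_.GrantControls.AuthenticationStrength.Id -eq "00000000-0000-0000-0000-000000000004" } |
    Select-Object DisplayName, State
```

Scoping the policy to the admin role first is deliberate: admins are the accounts an attacker most wants, and they are few enough that issuing security keys or passkeys is quick. Once that works, widen the `users` condition to everyone.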


2. Control Admin Access

Only give people the access they need to do their jobs - no more.

Don’t just hand out full admin rights because it’s easier. In Microsoft 365, use Privileged Identity Management (PIM) to control admin privileges. With PIM, admins are only eligible for a role and must activate it for a limited time when they need it; activations can require approval and leave an audit trail for review.

Review admin access regularly (every 3 months is a good rule) and remove it when no longer needed.
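To make that quarterly review repeatable, here is an added example (not from the original post) using the Microsoft Graph PowerShell SDK. It lists every standing (permanent) holder of the Global Administrator and Privileged Role Administrator roles, flags anyone not on an approved list, and for comparison counts the PIM-eligible holders, which is where day-to-day admins should sit. The approved list and the example.com addresses are hypothetical placeholders; the role template IDs are Microsoft's fixed values.

```powershell
# Added example (not from the original post): quarterly review of who holds
# privileged directory roles. Standing ("active") assignments are the ones PIM
# is meant to replace with time-bound eligibility, so anything listed here that
# is not on your approved list is a candidate for removal or conversion to eligible.
# Requires the Microsoft.Graph PowerShell SDK.

Connect-MgGraph -Scopes "RoleManagement.Read.Directory", "Directory.Read.All"

# Role template IDs are fixed across tenants (from Microsoft Entra documentation)
$privilegedRoles = @{
    "62e90394-69f5-4237-9190-012177145e10" = "Global Administrator"
    "e8611ab8-c189-46e8-94e1-60213ab1f814" = "Privileged Role Administrator"
}

# Hypothetical approved list for this tenant: replace with your own records
$approvedAdmins = @("breakglass@example.com", "it.lead@example.com")

$findings = foreach ($roleId in $privilegedRoles.Keys) {
    $active = Get-MgRoleManagementDirectoryRoleAssignment `
        -Filter "roleDefinitionId eq '$roleId'" -ExpandProperty Principal -All
    foreach ($a in $active) {
        $props = $a.Principal.AdditionalProperties
        $upn   = $props["userPrincipalName"]
        $name  = $props["displayName"]
        if ($upn) { $name = $upn }            # users have a UPN; groups and apps do not
        [pscustomobject]@{
            Role      = $privilegedRoles[$roleId]
            Principal = $name
            Type      = $props["@odata.type"] # #microsoft.graph.user / .group / .servicePrincipal
            Approved  = ($approvedAdmins -contains $upn)
        }
    }
}

"Standing (permanent) privileged assignments:"
$findings | Format-Table Role, Principal, Type, Approved -AutoSize

"Not on the approved list - review, then remove or convert to PIM-eligible:"
$findings | Where-Object { -not $_.Approved } | Format-Table Role, Principal -AutoSize

# For comparison: PIM-eligible holders, the preferred state for day-to-day admins
foreach ($roleId in $privilegedRoles.Keys) {
    $eligible = Get-MgRoleManagementDirectoryRoleEligibilityScheduleInstance `
        -Filter "roleDefinitionId eq '$roleId'" -All
    "$($privilegedRoles[$roleId]): $(@($eligible).Count) eligible assignment(s)"
}
```

Groups and service principals show up in the output as well as users; a group with a standing Global Administrator assignment deserves the same scrutiny as a person, because anyone who can add members to that group effectively holds the role.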


3. Implement Cyber Awareness Training

Cyber criminals rely on tricking people - using phishing attacks to steal passwords or MFA codes.

The best defence is knowing their tactics. Regular cyber awareness training helps your team spot scams before they cause damage.

Microsoft 365 offers Attack Simulation Training, where you can run fake phishing attacks and educate your staff. Make this training a regular habit.


4. Manage Third-Party Access

It’s common for third-party companies to have access to your systems - but it’s also a big risk.

If your suppliers or partners don’t manage their own cybersecurity well, cyber criminals can use their access to get into your systems.

Make sure you:

  • Check how third parties secure their IT

  • Ask for evidence of their cybersecurity measures

  • Limit their access to only what’s necessary

Never give full system access just because it’s convenient.
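One practical way to keep third-party access limited is to find external (guest) accounts that nobody has used for a while and still sit in groups that grant access. This added example (not from the original post) uses the Microsoft Graph PowerShell SDK to list guest accounts with no sign-in in the last 90 days together with their group memberships, so the dormant ones can be removed after checking with the business owner. The 90-day cut-off is an assumption; reading `signInActivity` requires the `AuditLog.Read.All` permission and a Microsoft Entra ID P1 or P2 licence.

```powershell
# Added example (not from the original post): find guest (external) accounts
# with no sign-in for 90 days and show which groups still grant them access,
# so dormant third-party access can be removed rather than left open.
# Requires the Microsoft.Graph PowerShell SDK; signInActivity needs the
# AuditLog.Read.All scope and a Microsoft Entra ID P1/P2 licence.

Connect-MgGraph -Scopes "User.Read.All", "AuditLog.Read.All", "GroupMember.Read.All"

$cutoff = (Get-Date).AddDays(-90)   # assumed review window; adjust to your policy

$guests = Get-MgUser -Filter "userType eq 'Guest'" -All `
    -Property Id, DisplayName, Mail, CreatedDateTime, SignInActivity

$dormant = foreach ($g in $guests) {
    $last = $g.SignInActivity.LastSignInDateTime   # $null if the account never signed in
    if (-not $last -or $last -lt $cutoff) {
        $groups = Get-MgUserMemberOf -UserId $g.Id -All |
            ForEach-Object { $_.AdditionalProperties["displayName"] }
        $lastText = "never"
        if ($last) { $lastText = $last.ToString("yyyy-MM-dd") }
        [pscustomobject]@{
            Guest      = $g.Mail
            Created    = $g.CreatedDateTime.ToString("yyyy-MM-dd")
            LastSignIn = $lastText
            Groups     = ($groups -join ", ")
        }
    }
}

"Guest accounts with no sign-in since $($cutoff.ToString('yyyy-MM-dd')):"
$dormant | Sort-Object Created | Format-Table Guest, Created, LastSignIn, Groups -AutoSize

# After confirming with the account's sponsor, remove a dormant guest with:
#   Remove-MgUser -UserId <object-id>
```

Run this alongside the supplier checks above: a guest account that belongs to a partner who no longer works with you is exactly the kind of forgotten access an attacker looks for, and it costs nothing to remove.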


5. Have a Cyber Incident Plan

Even companies with strong cybersecurity can get attacked. The difference is having a plan.

This plan should cover:

  • What to do immediately after an attack

  • Communication with customers, partners, and employees

  • Processes and roles to minimise damage and recovery time

From what I’ve seen, M&S managed their response well - and that’s something all businesses should strive for.


Final Thoughts

Cyber attacks are scary but inevitable. What matters is how prepared we are and what we learn from incidents like the M&S hack.

Implementing these five lessons can significantly improve your security posture and reduce risk - whether you’re a huge retailer or a small local business.

Thanks for reading and stay safe out there!