Cyber Attacks on Retail Giants: What Every Business Should Learn
Cyber Attacks on Retail Giants: What Every Business Should Learn
The recent wave of cyber attacks on UK retail giants—including Marks & Spencer, Co-op, and Harrods—has made headlines across the country. These incidents serve as a stark reminder that no organisation is too big, too well-known, or too prepared to be targeted by cyber criminals.
But while the headlines focus on household names, the lessons learned are relevant to every business, regardless of size.
What Happened?
Although investigations are ongoing, the National Cyber Security Centre (NCSC) is already working with the affected businesses. While they haven’t confirmed whether the attacks are linked, NCSC has shared valuable insights, particularly around the suspected use of social engineering.
This involves attackers impersonating IT support staff—or claiming to be employees locked out of their accounts—to trick help desk teams into handing over login credentials and security codes. It’s a disturbingly simple tactic, but unfortunately, one that works.
The Key Lesson: People Are Your First Line of Defence
Cyber security isn’t just about having strong passwords and advanced software. It starts with people. If your team isn’t prepared to spot a social engineering attack, no amount of technology will keep you safe.
In its latest guidance, NCSC urges businesses to review their password reset processes, especially for senior employees with access to sensitive systems. Key questions to ask:
- How is identity verified when someone calls the IT help desk?
- Is there a secondary check in place?
- Would a fraudster be spotted?
Some experts are even suggesting the use of codewords to help authenticate real users—but this only works if it’s part of a broader culture of cyber awareness. Training staff to question unusual requests, no matter how routine they sound, is essential.
Small Businesses Aren’t Immune
It’s easy to think, “We’re too small to be targeted.” But cyber criminals don’t discriminate by size. In fact, small businesses are often seen as easier targets because they may lack dedicated cyber security resources.
That’s why every business should act now:
- Review password reset procedures: Who handles them? What verification steps are in place?
- Enable multi-factor authentication (MFA): Passwords alone are no longer enough.
- Monitor login activity: Watch for unusual logins from unexpected locations or at odd times.
- Educate your team: Regularly update staff on how to spot social engineering attempts. Short refresher sessions can make a big difference.
Organised or Opportunistic?
Interestingly, the NCSC’s advice suggests these incidents are not the work of high-tech hackers deploying sophisticated malware. Instead, they’re exploiting human trust. This highlights a critical shift in how businesses should view cyber security: it’s no longer just an IT issue—it’s a company-wide responsibility.
With online criminal activity on the rise, attacks like these are becoming increasingly common. Whether you’re a multinational retailer or a local business, the first step in defending against cyber threats starts internally—with stronger processes, clearer communication, and a healthy dose of scepticism.
Could This Happen to You?
If the recent attacks have shown us anything, it’s that every business is a potential target. Now is the time to ask yourself: Could this happen to us?
We offer an accounting systems review service to help identify gaps in your processes. Reach out to us for more details if you thing this would be of interest.
