What the M&S Cyber-Attack Means for Your Small Business
When a giant like Marks & Spencer is hit by a significant cyber-attack, it makes headlines. It’s easy for a small business owner to see that news and think, “They’re a massive corporation with a huge target on their back. That would never happen to my business.”
Unfortunately, that assumption is one of the most dangerous a business owner can make.
While the scale of the attack was huge, the entry point was shockingly simple. Reports suggest it began not with a complex piece of code, but with a phone call. Hackers from a group known as ‘Scattered Spider’ allegedly used social engineering—impersonating M&S employees to trick the company’s own IT help desk into resetting passwords.
Once inside, they were able to steal data and deploy ransomware, causing massive disruption. Let’s look at the lessons every small business should learn from this incident.
The Real Threat: Your Human Supply Chain
While early reports pointed to a third-party supplier, more detailed analysis suggests the vulnerability was the human element of the IT support system. The criminals didn’t need to breach M&S’s formidable digital defences; they just had to find the weakest link in the chain of trust—a person.
This is a form of supply chain attack. The vulnerability wasn’t a piece of software; it was a process.
Your business has a human supply chain, too. It’s every employee with a password, every department that can request an IT change, and every support system you have in place. If these processes can be exploited by a convincing phone call, your business is exposed.
Three Lessons Every Small Business Must Act On
1. You Are Responsible for Your Internal Processes
It’s no longer enough to just have strong passwords. You must have robust, verifiable processes for when things go wrong. What is your procedure for a password reset? Does your IT support (whether in-house or outsourced) have a way to verify an employee’s identity beyond doubt before granting them access? If they can be tricked, so can you.
2. The Principle of Least Privilege is Critical
This is a core concept of Cyber Essentials. It means that any user account or system should only have access to the absolute minimum information it needs to do its job. If the compromised user accounts in the M&S attack had only been given access to what they needed—and nothing else—the potential for the breach to spread would have been dramatically reduced.
Ask yourself: does your marketing agency have access to your financial folders? Does every employee have administrator rights to their computer? Limiting access is a powerful and low-cost security win.
3. Proactive Monitoring is Non-Negotiable
The goal is to spot suspicious activity before it becomes a full-blown crisis. Modern security isn’t just about building walls; it’s about having alarms on those walls. Tools like a Security Information and Event Management (SIEM) system can help monitor for unusual patterns (like a user account suddenly accessing strange files), but even simple steps like regularly reviewing user access logs can make a huge difference.
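To make the two points above concrete (lesson 1’s verified password resets and this section’s regular review of access logs), here is a short Python script that scans a log for the pattern the article describes: a help-desk reset that was not tied to an identity check, and an account touching files outside its normal working areas shortly afterwards. This is an added example, not code from the article, from HDP IT Services or from the M&S incident; the log format, user names, share names, the `verified=` field and the one-hour window are all constructed assumptions.

```python
"""Added example: review constructed access-log lines for two patterns:
a password reset recorded without identity verification, and file access
outside a user's normal shares shortly after a reset. Everything here
(format, users, shares, 'verified=' field) is constructed for illustration."""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample log (not from any real system or incident).
SAMPLE_LOG = """\
2025-05-01T09:02:11 PASSWORD_RESET user=jsmith by=helpdesk ticket=HD-1021 verified=no
2025-05-01T09:05:40 FILE_ACCESS user=jsmith path=/shares/marketing/campaign.docx
2025-05-01T09:07:02 FILE_ACCESS user=jsmith path=/shares/finance/payroll.xlsx
2025-05-01T09:08:15 FILE_ACCESS user=jsmith path=/shares/finance/bank-details.xlsx
2025-05-01T10:15:00 FILE_ACCESS user=akhan path=/shares/finance/payroll.xlsx
2025-05-01T11:30:22 PASSWORD_RESET user=akhan by=helpdesk ticket=HD-1022 verified=yes
2025-05-01T11:31:05 FILE_ACCESS user=akhan path=/shares/finance/payroll.xlsx
2025-05-01T14:40:00 FILE_ACCESS user=jsmith path=/shares/hr/contracts.docx
"""

# Constructed baseline: the shares each account normally works in (least privilege
# in practice means this set is small and deliberate).
NORMAL_SHARES = {
    "jsmith": {"marketing"},
    "akhan": {"finance"},
}

# Assumed review window: access outside the baseline this soon after a reset
# is treated as high severity.
RESET_WINDOW = timedelta(hours=1)


@dataclass
class Alert:
    time: datetime
    user: str
    severity: str   # "high" or "medium"
    reason: str
    detail: str


def parse_line(line):
    """Split '<timestamp> <event> k=v k=v ...' into (time, event, fields)."""
    stamp, event, *pairs = line.split()
    fields = dict(p.split("=", 1) for p in pairs)
    return datetime.fromisoformat(stamp), event, fields


def share_of(path):
    """'/shares/finance/payroll.xlsx' -> 'finance' (the share is the 2nd component)."""
    parts = path.strip("/").split("/")
    return parts[1] if len(parts) > 1 else parts[0]


def review_log(text, baseline=NORMAL_SHARES, window=RESET_WINDOW):
    """Return alerts in time order: unverified resets, and out-of-baseline access
    (high severity when it follows a reset within the window)."""
    events = sorted((parse_line(ln) for ln in text.splitlines() if ln.strip()),
                    key=lambda e: e[0])
    last_reset = {}
    alerts = []
    for when, event, f in events:
        user = f.get("user", "?")
        if event == "PASSWORD_RESET":
            last_reset[user] = when
            if f.get("verified") != "yes":
                alerts.append(Alert(when, user, "medium",
                                    "password reset recorded without identity verification",
                                    f"ticket={f.get('ticket', 'none')}"))
        elif event == "FILE_ACCESS":
            if share_of(f["path"]) in baseline.get(user, set()):
                continue  # normal working area, nothing to review
            recent = user in last_reset and when - last_reset[user] <= window
            reason = "access outside normal shares"
            if recent:
                reason += " shortly after a password reset"
            alerts.append(Alert(when, user, "high" if recent else "medium", reason, f["path"]))
    return alerts


def counts_by_user(alerts):
    """{user: {severity: n}} for a quick weekly review summary."""
    out = {}
    for a in alerts:
        out.setdefault(a.user, {}).setdefault(a.severity, 0)
        out[a.user][a.severity] += 1
    return out


if __name__ == "__main__":
    found = review_log(SAMPLE_LOG)
    for a in found:
        print(f"{a.time:%H:%M:%S} [{a.severity:6}] {a.user}: {a.reason} ({a.detail})")
    print(counts_by_user(found))
```

Run against the constructed log, the script flags jsmith’s unverified reset and the two finance files opened minutes later as the correlated pattern worth a phone call back to the employee, while akhan’s verified reset and in-baseline access produce nothing. The baseline is the practical output of lesson 2: if every account already had access to every share, this review would have nothing to compare against.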
Security is a Partnership
The attack on M&S is a stark reminder that in today’s interconnected world, your security is only as strong as your weakest link—and often, that link is a person, not a program. Building a truly secure business isn’t just about technology; it’s about robust processes and fostering a culture of security with every employee and partner.
Unsure about your own security posture or that of your key suppliers? Contact HDP IT Services for a free, no-obligation consultation. We can help you identify your risks and build a security strategy that protects your business.