The arrest of four suspects last week in the UK (three teenagers and one 20-year-old) has reignited public and media interest. These individuals are apparently linked to Scattered Spider, a notorious group also considered to be behind attacks in the US. With ongoing investigations and potential prosecutions, it remains an unfolding criminal story. It is quite rare for arrests to actually be made for significant cyber incidents, as the attackers are often difficult to trace and not in the UK. With all this in mind, it seems that the story will remain in the minds of the public and customers for some time to come, which will make the task of recovery for M&S even harder.
For businesses, the decision as to where to deploy their resources in preventing a cyber incident is difficult, particularly as new threats emerge. In this case, the bad actors did not attack M&S directly; rather, they exploited a third-party contractor and used social engineering to gain access and deploy ransomware. This highlights a broader systemic risk many companies face: even with strong internal defences, a weak vendor or a human lapse can expose you. So what learning can be taken away from the M&S incident? We have set out some thoughts and suggestions below in a series of key themes and the lessons learned.
Strategic lessons learned
Third-party risk
Review vendors' and other supply-chain parties' access to your network and systems; ensure and enforce that users, applications and systems are granted the minimum access rights necessary to perform their designated tasks and nothing more; and require third parties to hold cyber certifications (e.g. ISO 27001, SOC 2).
Social engineering threats
Employees can be either a business's best protection or its weakest link. Businesses should run ongoing staff training and incident simulations, especially at helpdesks and remote access points.
Crisis preparedness
Maintain and regularly test cyber incident response plans, including legal and communication protocols. Both those protocols and their effectiveness are critical in limiting the ongoing impact of an incident on the business.
Cyber insurance limits
Reassess coverage for ransomware, business interruption and third-party breach scenarios. M&S's reported losses are significant, and organisations will need to consider what their worst-case scenario is and what they can afford to insure.
Transparency builds trust
Clear and honest communication helps maintain and restore customer and stakeholder confidence. Time will tell whether M&S's communication strategy was successful.
Regulatory momentum
Our view is that we can expect further movement toward mandatory incident reporting. The M&S team are asking for this and more investment in resources to prevent bad actors succeeding in their attempts to infiltrate networks and systems. It will be interesting to see whether this incident does have a meaningful impact on regulation and investment decisions.
If it would help to discuss any of the above, and how we can assist your organisation in managing and responding to the risks of cyber incidents, please do get in touch.