Three high street names – Marks & Spencer, Co-op, and Harrods – have each faced serious cyber threats in recent weeks, taking swift action to contain the damage and protect their systems.
- Marks & Spencer took its online ordering system offline following a ransomware-linked breach that exposed elements of customer data.
- Co-op disconnected parts of its logistics network while it investigated whether attackers were still active, leaving stock gaps on some shelves.
- Harrods responded to suspicious activity by temporarily disabling internet access across its estate to prevent unauthorised activity spreading.
Retailers operate in unusually complex digital environments, juggling legacy systems, vast consumer-data stores and numerous third-party vendors. This wide attack surface, combined with high staff turnover, seasonal workforces and an industry-wide focus on speed and convenience, leaves security basics such as multi-factor authentication or strong encryption under-resourced and creates openings that attackers are increasingly adept at exploiting.
Typical weaknesses include:
- Staff accounts with excessive or unused access rights, making them easier to hijack
- Outdated systems exposed directly to the internet, lacking modern protections
- Flat internal networks, which allow malware to spread laterally from device to device
Crucially, incidents like these go beyond operational disruption. When customer or employee data is compromised, organisations risk reputational damage, partner distrust and regulatory scrutiny. The Information Commissioner’s Office (ICO) can investigate and fine firms that fail to safeguard personal data or handle breaches properly. This means cybersecurity belongs on senior management’s agenda: it must be woven into legal, operational and IT strategy rather than left to back-office technicians.
Cyber attacks can also trigger contractual penalties, termination rights or litigation if obligations around data, uptime or confidentiality are missed. Proactive risk assessments, supplier due-diligence and clear allocation of cyber responsibilities and liabilities in contracts are essential to avoid disputes after a breach.
The Cyber Security Breaches Survey 2025 reports that half of medium-sized UK businesses experienced a breach in the last year. The average direct cost was £1,970 – but that figure doesn’t account for sales lost, partner confidence shaken, or the long-term impact on brand trust.
Five low-cost moves that cut risk
Understanding what you can do to reduce the risk of a cyber attack is essential. As a small or medium-sized business (SME), here are five practical steps you can take to strengthen your defences – without a major investment:
| Quick win | Why it matters | First step |
| --- | --- | --- |
| Enable multifactor authentication | Stops attackers even if passwords are stolen | Start with email, VPN, and finance tools |
| Keep one recent backup completely offline | Ransomware can’t encrypt what it can’t reach | Test a small restore/location every month |
| Patch critical software within 14 days & use detection | Blocks known exploits and flags suspicious activity early | Automate updates where possible |
| Request suppliers’ cyber testing & drill results | One in five UK breaches now starts in the supply chain | Add security clauses to new contracts |
| Rehearse a 90-minute incident response drill twice/year | Helps teams react quickly and avoid costly errors | Include IT, legal, comms and leadership teams |
| Regularly review user access rights | Prevents misuse of excessive or outdated permissions | Audit and remove unused or high-risk logins |
Responding to a cyber incident
If a cyber incident strikes, it's vital to act fast: isolate affected devices (but keep them powered), document every decision, and be aware of your obligations to notify customers and the ICO in the event of a personal data breach. The National Cyber Security Centre’s ransomware guidance provides a clear checklist to follow – but preparation is key.
Our expert commercial and data protection solicitors can help you assess your risks, tighten supplier contracts, and draft robust cyber clauses. We can also audit your readiness or guide your team through a live crisis – moving you from panic to plan and helping protect your reputation. Get in touch with our legal teams today to discuss how we can support your business.