Retail’s Greatest Vulnerability: Why Cyber Security Must Start with People

The UK retail sector is undergoing rapid digital transformation, from omnichannel customer experiences to AI-driven supply chains. But as retailers digitise, they widen their exposure to a growing threat: cyber crime.

Cyber security in retail is no longer about just protecting payment terminals or e-commerce platforms. It’s about ensuring business continuity, safeguarding brand trust, and defending the people behind the systems. If retail boards continue to treat cyber security as an IT overhead or compliance requirement, they will leave their organisation exposed and in danger of being exploited by cyber criminals.

Recent events have made this painfully clear.

A Sector Under Siege: The M&S Breach

In April 2025, Marks & Spencer became the latest UK retailer to suffer a major ransomware attack. What began as a compromise via a third-party help desk escalated into operational paralysis: online orders failed, loyalty cards stopped working, contactless payments collapsed, and frontline staff reverted to pen and paper. For a business of M&S’s scale and heritage, this wasn’t just a technical failure – it was a commercial crisis.

The numbers are staggering: an estimated £300 million hit to operating profit, nearly £1 billion wiped from its market value at one point, and significant reputational damage at a critical moment in trading. The impact reached well beyond M&S itself: customers lost services, suppliers faced delayed payments, and the media spotlight intensified.

The breach, reportedly linked to the Scattered Spider group that was also associated with attacks on Harrods and the Co-op, highlighted a fundamental truth: however sophisticated your infrastructure, attackers target people, not just machines.

Cyber Crime is Human-Centred and So Must Be Defence

The BBC’s Panorama documentary Fighting Cyber Criminals, aired in July 2025, shed national light on the scale and shape of the UK’s cyber threat landscape. One key message stood out: most cyber incidents aren’t the result of highly technical exploits; they start with people making mistakes.

“It’s refreshing to see a view of cyber that isn’t about technically skilled criminals doing whizzy technical things to break into organisations. It highlighted that cyber criminals often don’t have deep technical skill and instead use skills in deception to fool helpdesks (people) to give them passwords.”

Phishing. Social engineering. Manipulating support desks. Abusing shared credentials. These tactics bypass traditional defences by preying on the instincts and workloads of real people: overworked contact centre staff, distracted store managers, and under-trained suppliers.

For retail, this is critical. The sector’s frontline workforce is large, decentralised, and customer-facing. Seasonal and part-time contracts are standard. Supply chains are vast, multi-tiered, and often operate with minimal security scrutiny. These are not just operational characteristics; they are security vulnerabilities.

“Cyber criminals have learnt how to exploit people for their profits. To beat them we need to be prepared to invest in our people and organisational culture to reduce the opportunity available to the criminals.”
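The help-desk pattern described above also leaves a trace that can be detected after the fact. The following is an added example, not from the original article or from any identity vendor: a small Python detector that reads identity-provider audit events and flags a help-desk password reset that is followed, within an hour, by enrolment of a new MFA factor and a sign-in from an IP address the account had never authenticated from before the reset. The event names, field names, the "helpdesk" role label and the sample events are constructed assumptions; map them onto your own provider's audit schema.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# How long after a help-desk reset we keep watching the account (assumption).
WINDOW = timedelta(minutes=60)
# Role label an identity provider might stamp on help-desk actors (assumption).
HELPDESK_ROLE = "helpdesk"

# Constructed audit events, not real data. The field names are assumptions
# about what an identity provider exports: ts, event, actor, actor_role, target, ip.
SAMPLE_EVENTS = [
    # Normal history: users signing in from their usual addresses.
    {"ts": "2025-04-17T08:02:00", "event": "login_success", "actor": "j.smith",
     "actor_role": "user", "target": "j.smith", "ip": "81.2.69.10"},
    {"ts": "2025-04-17T09:15:00", "event": "login_success", "actor": "a.patel",
     "actor_role": "user", "target": "a.patel", "ip": "81.2.69.11"},
    # Legitimate help-desk reset: a.patel then signs in from the usual address
    # and enrols no new factor, so this must not alert.
    {"ts": "2025-04-17T10:00:00", "event": "password_reset", "actor": "hd.ops1",
     "actor_role": "helpdesk", "target": "a.patel", "ip": "10.0.5.4"},
    {"ts": "2025-04-17T10:06:00", "event": "login_success", "actor": "a.patel",
     "actor_role": "user", "target": "a.patel", "ip": "81.2.69.11"},
    # Suspicious: reset, a new MFA factor, and a sign-in from an address this
    # user has never used, all inside an hour.
    {"ts": "2025-04-17T11:30:00", "event": "password_reset", "actor": "hd.ops2",
     "actor_role": "helpdesk", "target": "j.smith", "ip": "10.0.5.4"},
    {"ts": "2025-04-17T11:41:00", "event": "mfa_factor_enrolled", "actor": "j.smith",
     "actor_role": "user", "target": "j.smith", "ip": "203.0.113.77"},
    {"ts": "2025-04-17T11:43:00", "event": "login_success", "actor": "j.smith",
     "actor_role": "user", "target": "j.smith", "ip": "203.0.113.77"},
]


def detect_helpdesk_takeover(events, window=WINDOW):
    """Flag help-desk password resets that are followed, within `window`, by
    both a new MFA factor and a successful login from an IP address the
    target account had never authenticated from before the reset.

    Returns a list of alert dicts, one per suspicious reset."""
    parsed = sorted(
        ({**e, "ts": datetime.fromisoformat(e["ts"])} for e in events),
        key=lambda e: e["ts"],
    )
    by_target = defaultdict(list)
    for e in parsed:
        by_target[e["target"]].append(e)

    alerts = []
    for user, evs in by_target.items():
        for i, reset in enumerate(evs):
            if reset["event"] != "password_reset" or reset["actor_role"] != HELPDESK_ROLE:
                continue
            # The baseline is built only from activity before the reset, so the
            # attacker's own sign-in cannot launder their address into it.
            # A brand-new account has an empty baseline and will alert on any
            # login; triage those against the joiner process rather than
            # suppressing them.
            baseline = {e["ip"] for e in evs[:i] if e["event"] == "login_success"}
            deadline = reset["ts"] + window
            follow = [e for e in evs[i + 1:] if e["ts"] <= deadline]
            enrolled_factor = any(e["event"] == "mfa_factor_enrolled" for e in follow)
            unfamiliar_logins = [
                e for e in follow
                if e["event"] == "login_success" and e["ip"] not in baseline
            ]
            if enrolled_factor and unfamiliar_logins:
                alerts.append({
                    "user": user,
                    "reset_by": reset["actor"],
                    "reset_at": reset["ts"].isoformat(),
                    "login_ip": unfamiliar_logins[0]["ip"],
                })
    return alerts


if __name__ == "__main__":
    for alert in detect_helpdesk_takeover(SAMPLE_EVENTS):
        print(f"ALERT {alert['user']}: reset by {alert['reset_by']} at "
              f"{alert['reset_at']}, new factor and login from {alert['login_ip']}")
```

Run against the constructed events, only the j.smith sequence alerts; the a.patel reset, which was a genuine locked-out user signing back in from their usual address, does not. The alert also names the help-desk agent who performed the reset, which is the starting point for the conversation with the help desk about what verification was done.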

Beyond the Firewall: Rethinking Cyber Resilience in Retail

The retail environment presents unique challenges for cyber defence:

  • High transaction volume: Large volumes of customer data and payment details make retailers prime targets for data exfiltration and fraud.
  • Supply chain complexity: Third-party risk is amplified through the involvement of multiple suppliers, logistics providers, and technology vendors.
  • Legacy systems and POS infrastructure: Many retailers still operate on ageing platforms with known vulnerabilities.
  • Public-facing digital assets: e-commerce sites, apps, and loyalty programmes increase the exposed attack surface.
  • High staff turnover: Frequent onboarding and offboarding increases the chance of misconfigurations or account misuse.
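The staff-turnover point in the last bullet has a concrete, checkable counterpart: reconcile the directory against the HR roster on a schedule, rather than trusting that offboarding tickets were closed. The example below is added here and is not the article's own material. It takes a constructed HR roster and a constructed directory export and reports enabled accounts with no HR owner, leavers whose accounts are still enabled past a grace period, and current staff whose accounts have gone dormant. The field names and the two thresholds are assumptions; in practice the inputs come from your HR system and from an AD or Entra export.

```python
from datetime import date, timedelta

# Policy thresholds (assumptions, not from the article).
GRACE_DAYS = 1      # an account must be disabled within a day of the contract ending
DORMANT_DAYS = 45   # an enabled account unused this long goes for review

# Reporting date used by the stand-alone run below (constructed).
AS_OF = date(2025, 2, 12)

# Constructed HR roster: every person who should currently have an account.
# end_date None means an open-ended contract.
HR_ROSTER = {
    "j.smith": {"end_date": None},
    "a.patel": {"end_date": date(2025, 1, 5)},    # seasonal, contract finished
    "m.jones": {"end_date": date(2025, 12, 31)},
}

# Constructed directory export: account state and last sign-in.
DIRECTORY = [
    {"account": "j.smith", "enabled": True, "last_login": date(2025, 2, 10)},
    {"account": "a.patel", "enabled": True, "last_login": date(2025, 1, 4)},
    {"account": "m.jones", "enabled": True, "last_login": date(2024, 11, 20)},
    {"account": "store42.till", "enabled": True, "last_login": date(2025, 2, 11)},
    {"account": "old.contractor", "enabled": False, "last_login": date(2024, 6, 1)},
]


def reconcile_accounts(roster, directory, today,
                       grace_days=GRACE_DAYS, dormant_days=DORMANT_DAYS):
    """Compare enabled directory accounts against the HR roster.

    Returns a list of findings, each with a kind of:
      'orphan'  - enabled account with no HR owner (shared or leftover login)
      'leaver'  - owner's contract ended more than grace_days ago, still enabled
      'dormant' - owner is current but the account has not signed in recently
    """
    findings = []
    for acct in directory:
        if not acct["enabled"]:
            continue  # disabled accounts are already where we want them
        name = acct["account"]
        person = roster.get(name)
        if person is None:
            findings.append({"account": name, "kind": "orphan",
                             "detail": "enabled account with no HR owner"})
            continue
        end = person["end_date"]
        if end is not None and today > end + timedelta(days=grace_days):
            findings.append({"account": name, "kind": "leaver",
                             "detail": f"contract ended {end.isoformat()} but account still enabled"})
            continue
        idle = (today - acct["last_login"]).days
        if idle > dormant_days:
            findings.append({"account": name, "kind": "dormant",
                             "detail": f"no sign-in for {idle} days"})
    return findings


if __name__ == "__main__":
    for f in reconcile_accounts(HR_ROSTER, DIRECTORY, today=AS_OF):
        print(f"{f['kind']:8} {f['account']:16} {f['detail']}")
```

On the constructed data this reports a.patel as a leaver, m.jones as dormant and store42.till as an orphan. Orphans in a retail directory are very often shared till or store-manager logins with no individual owner, which is exactly the shared-credential exposure the article describes; the check surfaces them so that they can be given an owner or replaced.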

Defending this environment requires more than upgraded firewalls. Tom Everard, Director of Risk Services, recommends:

“Creating a security culture programme in which security awareness and training are just two tools of many used to drive improvements in security behaviour. Apply a human risk management approach whereby data on actual behavioural risk helps to prioritise resource allocation to address those risks that matter most.”

The Regulatory Lens: More Pressure, But Also a Roadmap

Regulators have taken note. The retail sector is increasingly in scope of new cyber resilience rules designed to protect not only business operations, but national infrastructure and consumer safety.

  • NIS2 extends obligations across key sectors in Europe. Retail is not a named sector, but its Annex II covers online marketplaces, postal and courier services, and food production and distribution, so large retailers and the platforms they rely on can be in scope directly or as suppliers to in-scope entities.
  • DORA may appear finance-focused, but its approach to operational resilience and risk governance is being mirrored across other sectors.
  • The UK Government’s cyber strategy and the forthcoming Cyber Security and Resilience Bill, along with increased involvement from the Information Commissioner’s Office (ICO), are likely to result in tighter requirements for breach notification, supply chain assurance, and leadership accountability.

What’s significant is that all these frameworks recognise one thing: cyber security is no longer just about technical controls. It’s about governance, culture, and operational maturity. In other words, it starts with people.

Board-Level Accountability is Now Non-Negotiable

In the aftermath of the M&S attack, company Chair Archie Norman called for mandatory incident reporting laws. His comments reflect a growing expectation: leadership must understand and oversee cyber risk, not simply delegate it.

This requires better communication between technical teams and boards. Retail executives should be asking:

  • Where is our most significant exposure to human error?
  • How resilient are our operations to ransomware or outages?
  • What’s our single point of failure – whether it’s tech, supplier, or person?
  • How do we monitor and reduce cyber risk across our stores, apps, and supply chain?
  • When was our last cross-functional incident simulation?

Boards must go beyond “Are we secure?” and start asking, “How prepared are we to recover?” Because in retail, minutes of downtime can translate into millions lost and erode trust.

What Good Looks Like in Practice

We can look to the safety culture programmes of industries with hazardous working environments, such as transport and oil and gas, to see how a culture-led approach shifts human behaviour. Academic research into safety behaviour began in the 1950s and 60s and was sharpened by the analysis of disasters such as Chernobyl, the Space Shuttle Challenger, Hillsborough, and numerous rail accidents. This eventually led to safety culture programmes being introduced in the late 1990s and early 2000s, with remarkable results: 2016 was the first year in which there were no rail-worker fatalities on the UK rail network. A similar approach is now recognised as necessary to drive the right security behaviours in organisations.

Meet Our Leadership Team.

At CRMG, our senior leadership team brings a rich history and deep expertise in cyber security. Spearheaded by consultants who are influential figures in the industry, our leaders are highly networked and well-established, with backgrounds in the ‘Big Four’ firms.

Simon Rycroft

CO-FOUNDER AND CEO

Former Head of Consulting at the ISF. On a journey to bring accessible risk management to growing enterprises.

Nick Frost

CO-FOUNDER AND CHIEF PRODUCT OFFICER

Former Group Head of Information Risk, PwC. Motivated by the need to implement cyber risk principles for the real world!

Dan Rycroft

DELIVERY DIRECTOR

Former Head of Delivery, Cyber Security at DXC. Delivers risk-based cyber security programmes with maximum efficiency.

Matt Brett

DELIVERY LEAD – CYBER RISK SOLUTIONS

Former Portfolio Director, Tech Security & Risk, GSK. Specialises in implementing efficient, pragmatic cyber risk solutions.

Martin Tully

DELIVERY LEAD – GOVERNANCE AND COMPLIANCE

Twenty years’ experience in delivering fit-for-purpose cyber governance initiatives.

Ryan Hides

DELIVERY LEAD – THIRD PARTY RISK MANAGEMENT

Project Management and Six Sigma expertise. Specialises in turning effective third party risk management into a scalable reality.

Sarrah Ahmed

HEAD OF MARKETING

Bringing over 17 years of marketing expertise, passionate about crafting innovative marketing campaigns.

Tom Everard

DIRECTOR OF RISK SERVICES

Director of Risk Services with a passion for people-focused cyber security, crisis management, and tackling insider risk.

Rebecca Stanley

FINANCE MANAGER

Focussed on ensuring everything continues to run smoothly, Rebecca collaborates across teams and with clients to manage budgets, reporting, and all things finance.

Why Cybersecurity is Top of the Business Agenda in KSA

Not so long ago, cybersecurity was seen as an IT issue best left to the ‘techies’. These days, organisations take that view at their peril: cyber risk is a board-level issue and needs to be treated as one. Add a government drive to ensure cybersecurity is taken seriously at all levels, and a convergence between risk management and compliance in cyber, and most businesses still have much to do.

Here are some fundamental themes that you should be aware of.

The Cyber Threat Landscape is Multifaceted and Indiscriminate

Cybercriminals take many forms: nation-states seeking to undermine an adversary’s critical infrastructure, organised criminal gangs deploying ransomware on an industrial scale, unscrupulous companies trying to steal a march on their competitors, or even youngsters who do it for the thrill.

While it’s true that many cyber-attacks are targeted at high-profile organisations (look at recent events in the UK retail sector) or national capabilities (e.g. power infrastructure), many are indiscriminate. Cyber criminals can now simply buy ransomware/phishing ‘toolkits’ on the dark web, enabling them to try their luck across a vast array of individuals and organisations. No targeting needed. They just need enough individuals to be fooled by their techniques to justify the outlay.

And don’t forget sheer accident (or incompetence). Many cyber incidents are down to internal mistakes or poor processes. The July 2024 CrowdStrike outage, in which a faulty sensor content update took down Windows systems around the world in one fell swoop, is a good example: no attacker was involved.

A common misconception is that cybersecurity is a technical problem. Increasingly, it’s a people problem (in crude terms, I’d estimate it at 50% – at least). Why? Because cyber-attacks prey on people, and because strong cybersecurity still relies heavily on people to do the right thing, at the right time.

Vision 2030 Demands Strong Cybersecurity, Backed by Wide-Reaching Regulations

When it comes to the drive towards a cyber-secure society in KSA, the government is leaving nothing to chance. Against the backdrop of Vision 2030 and the National Cyber Security Strategy (NCSS), many organisations are already subject to the National Cybersecurity Authority’s (NCA) Essential Cybersecurity Controls (ECC) and related standards. In addition, many sectors are regulated by their own stringent cybersecurity regulations. Examples include the Saudi Central Bank’s (SAMA) Cyber Security Framework, the Capital Market Authority’s (CMA) cybersecurity guidelines, and the CST’s Cybersecurity Regulatory Framework (CRF) for service providers in the ICT sector.

Given the swift pace at which strong cybersecurity governance is being developed at the national level, it is likely that the role of cybersecurity regulation in KSA will continue to expand. If they aren’t already ‘all over it’, organisations should start preparing now!

As a side note, many of the current cybersecurity laws and regulations have overlapping requirements, which brings its own difficulties.

For the reader who understands cyber security control frameworks, you may find our recent blog on the topic, ‘Cracking the Code: Understanding Harmonised Cyber Security Control Frameworks,’ helpful. We also offer a dedicated Harmonised Control Library service to help organisations align compliance obligations with real-world operational needs.

Strong Cyber Risk Management is Non-Negotiable

Compliance with cybersecurity regulations is only part of the picture.

Ultimately, to remain viable, our approach to cybersecurity should align with our risk strategy: our business risk appetite, our cyber threat profile, the degree to which we are vulnerable, and the resources available for cybersecurity. Much of this will naturally centre on our own organisation, but we mustn’t forget that our organisation may in turn be systemically important to others, so fit-for-purpose risk management can get complex.

The possible ‘leakage’ of cyber risk between suppliers and their clients (and vice versa) is key here. We no longer live in a world where we can put our metaphorical arms around the entirety of our organisation and protect it as we see fit. Interconnectivity between organisations is a reality of the modern world, and so we mustn’t forget that what is my cyber risk may also be your cyber risk. Cyber risk management techniques (and regulations) are increasingly focusing on this aspect.

Cyber Regulatory Compliance and Risk Management are Slowly Converging

Cybersecurity regulation and risk management are slowly converging. Emerging regulations, such as the EU’s NIS2 and the UK’s forthcoming Cyber Security and Resilience Bill, expect your organisation’s cyber risk profile to shape how you comply. One reason is that if every organisation applied every aspect of every cybersecurity regulation with the same degree of rigour, bottom lines would soon be creaking, which in turn would undermine economic growth.

Note that these same regulations also require you to consider your own systemic importance to other organisations (such as providers of financial services) and to have cyber risk oversight of your suppliers. In short, you must be able to demonstrate that you have applied a rigorous risk assessment technique, can evidence results of the risk assessment process, and have arrangements in place to monitor your cyber risk profile over time.

When it comes to this risk-based dimension to cybersecurity and its relationship with cyber regulation, there is every indication that KSA will follow suit.

Best Practices for Achieving Cyber Resilience Act (CRA) Compliance

Businesses face mounting pressures to safeguard their operations against the growing tide of cyber threats. Compliance with regulations such as the EU Cyber Resilience Act (CRA) is no longer just a legal necessity but a cornerstone of robust business continuity.

Defining Cyber Resilience under the CRA

Under the CRA (Regulation (EU) 2024/2847), resilience is anchored in products rather than organisations: the regulation applies to manufacturers, importers and distributors of hardware and software products with digital elements placed on the EU market, and its obligations run across the product lifecycle, covering secure-by-design development, the handling and remediation of vulnerabilities throughout the support period, and the reporting of actively exploited vulnerabilities and severe incidents. For the organisations that make or ship such products, this goes beyond traditional cyber security. It encompasses the ability to prepare for, withstand, recover from, and adapt to adverse cyber events, so that both the products and the businesses behind them can defend against attacks, maintain critical functions during disruptions, and recover swiftly.

Key Principles:

  1. Proactive risk management: Organisations must identify and mitigate vulnerabilities before they can be exploited.
  2. Secure product development: Ensuring cyber security is embedded throughout the product lifecycle.
  3. Incident readiness: Establishing protocols for swift detection, containment, and recovery from cyber incidents.
  4. Accountability: Clear documentation and demonstration of compliance efforts to regulatory bodies.

By adopting these principles, businesses can create a culture of resilience that satisfies regulatory demands and builds trust with stakeholders.

Ryan Hides, Senior Consultant at CRMG, notes: “CRA compliance is not just a tick-box exercise. It’s about embedding resilience into your organisation’s DNA, ensuring you can weather the storm and emerge stronger.”

Implementing Secure Development Lifecycles (SDLCs)

The CRA places significant emphasis on the security of software and systems, requiring manufacturers of products with digital elements to build cyber security into their development processes and to keep handling vulnerabilities after release. A Secure Development Lifecycle (SDLC) is essential for achieving this.

Steps to Implement SDLC:

  1. Implement secure development practices, version control, and quality management measures into all system development processes, including agile iterations. Ensure the use of code management, secure coding techniques, and iterative code reviews.
  2. Create a set of Project Initiation Documents (PID) for each development project, addressing essential project management elements such as scope, costs, timelines, quality, benefits, project risks, and acceptance criteria. Support each project with a documented set of project plans, based on approved functional and non-functional business requirements, including information security.
  3. Adhere to a stringent process for releasing and deploying new or updated systems and applications to the production environment. Ensure they undergo thorough testing, including security checks, and meet strict acceptance criteria.

“A robust SDLC doesn’t just enhance security; it also improves the overall quality and reliability of software. This dual benefit is invaluable in today’s digital economy.”

Simon Rycroft, Co-Founder CRMG

Risk Management Strategies for CRA Compliance

Effective risk management is a cornerstone of cyber resilience and a critical requirement under the CRA. Organisations must adopt structured methodologies to identify, assess, and mitigate risks.

Best Practices:

  1. Conduct regular evaluations to identify vulnerabilities, threat actors, and potential impact.
  2. Use an established risk methodology, such as NIST SP 800-30 or ISO/IEC 27005, to prioritise risks by likelihood and severity.
  3. Assess and monitor the security posture of suppliers and partners to minimise supply chain risks.
  4. Develop and implement detailed plans to address identified risks, including technical controls and organisational measures.
  5. Leverage tools and dashboards to maintain real-time visibility into your risk landscape.

By adopting a risk-based approach, organisations can allocate resources effectively and ensure that their security investments yield maximum impact.

Integrating Continuous Security Testing and Incident Response Protocols

In the face of evolving cyber threats, continuous security testing and well-defined incident response protocols are indispensable for maintaining resilience. These measures fortify defences and enable organisations to respond effectively when incidents occur.

Continuous Security Testing:

Rigorous security testing must be performed regularly on critical target environments, covering both systems under development and live systems. It should establish whether security controls are effective, run specific attack tests to find weaknesses, use suitable test data, track identified weaknesses through to resolution, and be informed by threat intelligence and by root cause analysis of security incidents.

Reputable catalogues of common software weaknesses, such as the OWASP Top 10 Web Application Security Risks and the CWE Top 25 Most Dangerous Software Weaknesses, are highly recommended for scoping tests. The MITRE ATT&CK framework is useful too, but it catalogues adversary tactics and techniques rather than software weaknesses, so use it to shape attack scenarios and detection coverage rather than code review checklists.

Incident Response Protocols:

Develop an information security incident management framework that encompasses a documented process, specialised personnel or teams, relevant information, and tools. Consistently identify, respond to, recover from, and follow up on information security incidents.

Forensic investigation of information security incidents is important to establish what happened, identify those responsible, and preserve evidence. Separately, emergency fixes to business applications, systems, networks and endpoint devices must be tested, reviewed and applied promptly and effectively.