
Marks & Spencer and the £700 Million Collapse: What Every Company Should Learn Before Making Headlines

An attack that paralyzed the e-commerce of one of the world's largest retailers reveals urgent lessons about layered protection, operational continuity, and the difference between surviving and surrendering.
March 25, 2026

When the Attack Becomes Financial Headlines

In April 2025, Marks & Spencer, one of the most recognized retailers in the UK with over 140 years of history, became the center of one of the most talked-about cyber incidents of the year. According to a report from BleepingComputer, the ransomware group Scattered Spider was identified as responsible for an attack that took down the company's e-commerce systems and disrupted contactless payments in physical stores. (Source: BleepingComputer, 2025)

The impact was immediate and devastating on multiple fronts: online orders were suspended for weeks, logistics operations were compromised, and the company was forced to notify the market and regulatory authorities about the incident. The effect on the stock was equally brutal: the company's market value fell by an estimated £700 million in the weeks following the attack.

What makes this case particularly relevant for any business decision-maker is not the size of M&S, but the fact that a company with resources, teams, and a solid history was sufficiently impacted to see its e-commerce paralyzed for weeks. This raises an inevitable question: if it happened to them, what protects your company?

It is important to make it clear: the internal details of the incident, which specific systems were affected, how exactly the attack was conducted, or which controls failed, are not publicly available information. What we can do is use this case as a mirror, analyze the vectors that typically enable attacks of this magnitude, and look at what organizations of all sizes can do to avoid becoming the next headline.


The Vectors That Typically Open the Door

Although the internal details of the M&S incident are not public, attacks conducted by groups like Scattered Spider have a documented history of exploiting well-known vectors. Understanding these vectors is the first step toward effective defense.

Social engineering and credential manipulation. Scattered Spider is notorious for sophisticated social engineering tactics, including what is called vishing (voice phishing) and manipulating technical support teams into resetting credentials and bypassing multi-factor authentication. In a typical scenario, an employee receives a call from someone posing as internal IT support, who creates a sense of urgency and talks their way into legitimate credentials. Once inside the environment with valid credentials, the attacker moves laterally with much less friction, because the systems recognize that identity as trustworthy. According to the 2024 Verizon Data Breach Investigations Report, over 68% of breaches involve the human element, which includes social engineering and credential misuse.

Lack or failure of privileged access controls. Compromised credentials are dangerous in themselves, but they become catastrophic when there are no barriers to limit what that account can access. In environments where network segmentation is nonexistent or superficial, a single compromised entry point can give the attacker visibility and free movement throughout the infrastructure, including backup systems, critical application servers, and customer databases. The attacker’s logic is simple: to reach as many valuable assets as possible before triggering encryption or exfiltrating data.

Accessible or untested backups. One of the elements that turns a serious attack into a prolonged operational disaster is the actual condition of the backups at the moment they are needed. In many ransomware incidents, attackers identify and compromise or encrypt backups before triggering the main payload, precisely to eliminate the most obvious recovery path. Organizations that keep backups connected to the same production network, without real isolation, or that have never tested a full restoration, often find that their supposed safety net had huge holes at the worst possible moment.


Layered Protection: What Can Be Done to Protect Your Infrastructure

The good news is that most of the vectors described above can be significantly mitigated with capabilities that already exist and are accessible to medium and large companies. Real protection does not come from a single tool or vendor; it comes from the combination of layers that reinforce each other.

Endpoint detection and response (EDR) with proactive monitoring. Modern endpoint protection solutions go far beyond traditional antivirus. EDR technologies monitor anomalous behaviors in real-time, including lateral movements, privilege escalation, and execution of suspicious processes, and allow for the automatic isolation of a compromised endpoint before damage spreads. When combined with centralized monitoring 24/7, the time between detection and containment drops drastically. According to the IBM Cost of a Data Breach Report 2024, organizations with active security and AI teams identified and contained breaches on average 98 days faster than those without this capability.

Isolated, encrypted backup with regular restoration testing. An effective backup strategy in 2025 follows the 3-2-1-1 rule: three copies of data, on two different types of media, one offsite, and one completely isolated from the production network (air-gapped or immutable). More importantly: backups that have never been tested are not backups, they are hopes. Periodic and documented restoration tests, with clear metrics for RTO (Recovery Time Objective) and RPO (Recovery Point Objective), are what turn a paper plan into a real recovery capability.
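To make the 3-2-1-1 rule and the "backups that have never been tested are hopes" point concrete, here is an added example (not code from the original post) that audits a constructed backup inventory against each clause of the rule, works out which copies would survive an attacker who already has production-network access, and scores a documented restore drill against RTO and RPO targets. The copy names, timestamps and targets are all constructed sample values.

```python
"""Added example, not from the original post: audit a backup inventory against the
3-2-1-1 rule and score a documented restore drill against RTO/RPO targets (constructed data)."""
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class BackupCopy:
    name: str
    media: str           # "disk", "tape", "object-storage", ...
    offsite: bool
    isolated: bool       # air-gapped or immutable: unreachable from the production network
    last_snapshot: datetime

def check_3_2_1_1(copies: list[BackupCopy]) -> dict[str, bool]:
    """One pass/fail flag per clause: 3 copies, 2 media types, 1 offsite, 1 isolated."""
    return {
        "three_copies": len(copies) >= 3,
        "two_media": len({c.media for c in copies}) >= 2,
        "one_offsite": any(c.offsite for c in copies),
        "one_isolated": any(c.isolated for c in copies),
    }

def survivors(copies: list[BackupCopy]) -> list[BackupCopy]:
    """Copies still usable after an attacker with production access wipes or encrypts
    everything reachable from that network: only the isolated ones."""
    return [c for c in copies if c.isolated]

def drill_result(copy: BackupCopy, incident_at: datetime, restored_at: datetime,
                 rto: timedelta, rpo: timedelta) -> dict[str, object]:
    """Achieved RTO: incident-to-restore time. Achieved RPO: data lost between the
    copy's last good snapshot and the incident. Both compared to the agreed targets."""
    achieved_rto, achieved_rpo = restored_at - incident_at, incident_at - copy.last_snapshot
    return {
        "achieved_rto_hours": achieved_rto / timedelta(hours=1),
        "achieved_rpo_hours": achieved_rpo / timedelta(hours=1),
        "rto_met": achieved_rto <= rto,
        "rpo_met": achieved_rpo <= rpo,
    }

# Constructed inventory: two copies sit on the production network, one is immutable offsite.
INCIDENT = datetime(2025, 4, 21, 3, 0)
INVENTORY = [
    BackupCopy("prod-nas-snapshot", "disk", False, False, INCIDENT - timedelta(hours=1)),
    BackupCopy("dr-site-replica", "disk", True, False, INCIDENT - timedelta(hours=2)),
    BackupCopy("immutable-object-store", "object-storage", True, True, INCIDENT - timedelta(hours=6)),
]

def run_sample_drill() -> dict[str, object]:
    """Restore from the only surviving copy 4h after the incident, against 8h RTO / 4h RPO."""
    copy = survivors(INVENTORY)[0]
    return drill_result(copy, INCIDENT, INCIDENT + timedelta(hours=4),
                        rto=timedelta(hours=8), rpo=timedelta(hours=4))
```

Note what the sample shows: the inventory passes every clause of 3-2-1-1, yet the only copy that survives the attacker is six hours old, so the 4-hour RPO target is missed; a drill that was never run would not have revealed that gap.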

Continuous user training and patch management. As Verizon's data shows, the human element continues to be the most exploited vector. Continuous training programs, with phishing and social engineering simulations, significantly reduce the click rate on malicious bait and increase the culture of reporting suspicious incidents. At the same time, disciplined patch management eliminates the vulnerability windows that automated attackers constantly scan. According to the U.S. Cybersecurity and Infrastructure Security Agency (CISA), known and unpatched vulnerabilities continue to be responsible for a disproportionately high share of successful compromises.


Questions Every Decision Maker Should Ask Themselves Now

1. Would my backups really work in a disaster like this? How long would it take for my operation to be back up?

2. Does my team have the right tools to identify and block an attack like this immediately, before it causes all the damage? How am I investing in preparing my technical team?

3. How long could my company survive without access to systems and files?

1. Would my backups really work in a disaster like this? How long would it take for my operation to be back up?

The honest answer for most companies is: we don't know. Backups are set up, forgotten, and rarely tested in real complete failure scenarios. A professionally managed backup strategy includes not only the creation of copies but also periodic integrity checks, documented restoration tests, and immutable backups isolated from the production network, precisely to survive a ransomware attack that attempts to eliminate backup copies before triggering encryption.

In managed IT, RTO and RPO indicators cease to be abstract concepts and become measurable contractual commitments. Knowing that your operation can be restored in four hours versus four days is the difference between a manageable incident and an existential crisis for the business.

2. Does my team have the right tools to identify and block an attack before it causes a full-blown disaster?

EDR tools combined with proactive 24/7 monitoring are what allow for the detection of anomalous behaviors, such as a legitimate user accessing abnormal volumes of files at 3 a.m., before the attacker completes their mission. But technology without human training is insufficient. Investing in the preparation of the technical team, through training, simulations, and certifications, is what transforms alerts into effective responses.
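The "legitimate user accessing abnormal volumes of files at 3 a.m." case above is exactly the kind of behavioral rule an EDR or SIEM applies. The following added example (not code from the original post) learns each account's normal hourly file volume from a training window of constructed access events, then flags evaluation hours whose volume is a statistical outlier, rating off-hours outliers higher than daytime ones. The user name, share paths, thresholds and working-hours window are constructed assumptions.

```python
"""Added example, not from the original post: a behavioral rule of the kind an EDR or SIEM
uses to catch a legitimate account reading abnormal file volumes at 3 a.m. Events are
constructed; each user's normal hourly volume is learned from a training window."""
from collections import Counter
from datetime import datetime, timedelta
from statistics import mean, pstdev

Event = tuple[datetime, str, str]  # (timestamp, user, path)

def make_events() -> tuple[list[Event], list[Event]]:
    """Constructed data: five days of 2-4 reads/hour (09:00-17:00) for 'jsmith', then an
    evaluation day with a 400-file burst at 03:00, 3 normal reads at 10:00, 40 files at 14:00."""
    train, start = [], datetime(2025, 4, 14)
    for day in range(5):
        for hour in range(9, 18):
            for i in range(2 + (hour + day) % 3):
                train.append((start + timedelta(days=day, hours=hour, minutes=i),
                              "jsmith", f"/shares/finance/doc{hour}_{i}.xlsx"))
    day6, evaluation = datetime(2025, 4, 21), []
    for hour, n, share in ((3, 400, "hr"), (10, 3, "finance"), (14, 40, "sales")):
        evaluation += [(day6 + timedelta(hours=hour, seconds=i), "jsmith", f"/shares/{share}/{i}")
                       for i in range(n)]
    return train, evaluation

def hourly_counts(events: list[Event]) -> Counter:
    """Number of files touched per (user, hour bucket)."""
    return Counter((user, t.replace(minute=0, second=0)) for t, user, _ in events)

def build_baseline(train: list[Event]) -> dict[str, tuple[float, float]]:
    """Per-user mean and standard deviation (floored at 1) of files per active hour."""
    per_user: dict[str, list[int]] = {}
    for (user, _), n in hourly_counts(train).items():
        per_user.setdefault(user, []).append(n)
    return {u: (mean(v), max(pstdev(v), 1.0)) for u, v in per_user.items()}

def detect(evaluation: list[Event], baseline: dict[str, tuple[float, float]],
           z_threshold: float = 3.0, min_files: int = 10,
           work_hours: range = range(8, 18)) -> list[tuple[str, datetime, int, str]]:
    """Flag outlier hours per user; off-hours outliers are 'high', daytime ones 'medium'."""
    alerts = []
    for (user, hour), n in sorted(hourly_counts(evaluation).items()):
        avg, sd = baseline.get(user, (0.0, 1.0))  # unknown accounts get no benefit of the doubt
        if n >= min_files and (n - avg) / sd > z_threshold:
            alerts.append((user, hour, n, "high" if hour.hour not in work_hours else "medium"))
    return alerts

def run_sample() -> list[tuple[str, datetime, int, str]]:
    """Train on the five quiet days, then score the evaluation day."""
    train, evaluation = make_events()
    return detect(evaluation, build_baseline(train))
```

The 10:00 activity on the evaluation day is never flagged because it matches the learned baseline; the 03:00 burst is rated high and the daytime 14:00 burst medium, which is the triage signal the response playbook in the next paragraph would act on.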

A documented and regularly tested incident response plan defines exactly who does what, in what order, in the critical first hours after detecting an attack. Companies that reach this moment without a clear playbook waste precious time in deliberations while the damage progresses.

3. How long would my company survive without access to systems and files?

This is perhaps the most revealing question. For M&S, weeks without e-commerce meant £700 million in lost market value. For a medium-sized company, days without access to systems can mean lost contracts, customers migrating to competitors, and permanently compromised reputation. The answer to this question should directly guide the level of investment in cyber resilience, because the cost of protection rarely approaches the cost of collapse.

Managed IT services that include network segmentation, multifactor authentication, continuous vulnerability management, and intelligent monitoring are not an operational expense; they are an insurance policy for business continuity.


If your company does not yet have an integrated layered protection strategy, consider conducting a Strategic IT Assessment, at no obligation, to identify vulnerabilities before they become headlines.
