
M&S Ransomware: Lessons Every Business Should Know

The attack that shut down a retail giant reveals vulnerabilities that affect businesses of any size
May 15, 2026 by

When a giant stops, everyone pays attention

In April 2025, Marks & Spencer (M&S), one of the longest-established retail chains in the UK, made headlines for the wrong reasons. According to BleepingComputer, the company suffered a ransomware attack attributed to the Scattered Spider group that lasted for weeks. The result was devastating: the e-commerce site went down, card payments in physical stores were suspended, inventory and order management systems stopped working, and personal data of over 25 million customers was compromised. Estimated losses exceeded £700 million.

The attack vector was not a sophisticated zero-day exploit. It was something much simpler and much more common: stolen access credentials via social engineering. Someone was manipulated into handing over the keys to the castle, and the damage reached historic proportions. The World Economic Forum has already highlighted this case as one of the most relevant cyber alerts for companies around the world.

And the question that lingers is inevitable: if this happened to a company with decades of history, entire IT teams, and virtually unlimited resources, what protects your business from going through the same?

What this case reveals about the current threat landscape

The attack on M&S is not an anomaly. It is a faithful reflection of how cybercrime operates today. Intruders do not need to break through concrete walls when the front door can be opened with a convincing phone call or a well-crafted email. Social engineering, a technique that manipulates people rather than systems, is the preferred entry point for the most active ransomware groups in the world.

For SME managers, the case brings a direct lesson: size is not a shield. Smaller companies are often even more attractive targets precisely because they generally invest less in structured defenses. An attack that paralyzes a large network for weeks can, proportionally, be even more destructive for a business with 50 or 200 employees, where every hour of downtime has a direct impact on cash flow and reputation with customers.

The simultaneous disruption of M&S's e-commerce, point of sale, and inventory control illustrates another critical point: a single incident can paralyze entire operations. Not just one department. Not just one system. Everything. And in a retail, manufacturing, or services scenario, where processes are interconnected, this interdependence amplifies the damage exponentially.

In addition to financial losses, there is a less visible but equally serious cost: the erosion of trust. Customers whose data has been exposed do not easily forget. Recovering reputation takes much longer than recovering systems.

What companies can do, in practice, to protect themselves

The good news is that the measures that would have hindered, or even prevented, the advance of this type of attack are within reach of companies of any size. It is not necessary to have a multinational corporation's budget to set up an effective defense.

Multi-factor authentication (MFA) on all access is the first and most immediate step. Even if a credential is compromised through social engineering, MFA creates an additional barrier that prevents the misuse of that credential. It is one of the most cost-effective measures in cybersecurity.

Endpoint detection and response (EDR) with continuous monitoring allows for the identification of suspicious behaviors, such as lateral movement within the network, before ransomware spreads and causes damage at scale. The difference between detecting a threat in minutes and detecting it in days can be the difference between a scare and a catastrophe.

Immutable backup with regularly tested disaster recovery is the safety net that ensures that, even in the worst-case scenario, operations can be restored in hours, not weeks. The critical detail here is "regularly tested": a backup that has never been validated may fail exactly when it matters most.

Finally, continuous patch and vulnerability management eliminates known gaps before attackers can exploit them. Most successful attacks take advantage of vulnerabilities with patches available for months, simply because no one applied the updates in time.

The question every manager should ask themselves now

If an attacker obtained the credentials of an employee in my company tomorrow, what would happen?

This is an uncomfortable question, but an extremely useful one. An honest answer reveals the true level of exposure of the business. If the answer is "I don't know" or "they would probably have access to everything," it is time to take action. Managed IT services deliver exactly the layers of protection described above, including MFA, EDR with 24/7 monitoring, immutable backup, patch management, and continuous employee awareness training, without requiring the hiring of a specialized internal team. For SMEs, this model represents enterprise-level protection with cost predictability and without the complexity of building a security operation from scratch.

The M&S case is a powerful reminder that cybersecurity is not a one-time project. It is a continuous practice. And companies that take this seriously, regardless of size, are building not just defenses, but real competitive advantage: the trust of customers, partners, and employees that their data and operations are in good hands.

The threat landscape is challenging, but the tools to face it are available. The question is when, not if, each company will take this step.

Want to understand how your company is positioned against threats like this? Talk to a specialist from Zamak for a No-Obligation Initial Consultation.
