In my 40+ years in the technology and cybersecurity space, I’ve seen breaches evolve from annoying disruptions into potentially business-closing threats. But few recent events have highlighted the need for solid incident response planning like the 2025 Marks & Spencer (M&S) cyber attack.
For many of us in the industry, this wasn’t just another headline—it was a case study of what can happen when operational preparedness falls short at the executive level.
What Happened at M&S? A Cyber Attack with Cascading Impact
Let's look into what happened, not because it was rare—but because it’s becoming far too familiar.
In April 2025, M&S—one of the UK’s most iconic retail chains—was hit with a ransomware attack that crippled its online operations and disrupted physical logistics for weeks. Customers couldn't place orders, store systems struggled to coordinate inventory, and supply chains slowed to a crawl. Nearly three weeks later, they were still recovering.
The group behind the attack, believed to be linked to Scattered Spider—a known ransomware-as-a-service affiliate network—reportedly infiltrated the retailer's systems by compromising employee credentials and exploiting weaknesses in its identity controls. The attackers were able to move laterally across the network, evade detection, and encrypt critical data. On top of that, M&S later confirmed sensitive customer data had been stolen, raising the likelihood of a double extortion threat: pay once for decryption, and again to keep your data off the dark web.
Co-op, another British retailer, was also targeted—but they responded quickly, choosing to take their systems offline to limit the damage. M&S, on the other hand, appeared less prepared.
As someone who’s spent over four decades helping businesses navigate technology and security—from the dot-matrix printer era to cloud-native ecosystems—I can tell you: this kind of incident doesn’t surprise me anymore. And it shouldn’t surprise you either.
Whether the business is in London or Los Angeles, the attack surface looks the same: outdated infrastructure, overworked IT teams, third-party dependencies, and executive teams assuming cybersecurity is someone else’s job.
So if you’re thinking, “That could never happen to us”—I urge you to think again.
The attackers, believed to be affiliated with the Scattered Spider group, infiltrated M&S’s systems using tactics that likely exploited third-party vulnerabilities and a lack of multi-factor authentication (MFA). Once inside, they moved laterally and struck hard.
The result? A projected £300 million loss in operating profits, significant brand damage, and a public relations scramble that lasted well beyond the breach itself.
And while Co-op (another retailer targeted at the same time) responded quickly by shutting down systems to contain the attack, M&S took a far heavier blow due to delayed detection and unclear recovery protocols.
Why CEOs Must Own Incident Response
I’ve had too many conversations where executives assume cybersecurity lives solely in the IT department. But breaches like M&S show us otherwise: incident response is a board-level issue.
Your customers don’t care which department failed. Your investors won’t care whose name is on the dashboard. When systems go down or data gets leaked, the business suffers—and so does leadership’s credibility.
At One Step Secure IT, we guide our clients through building realistic, business-aligned incident response plans. And based on what happened at M&S, here are some strategies I believe every executive team needs to revisit:
What Every Leader Should Be Doing Right Now
1. Conduct a Business-Centric Risk Assessment
Start by asking: What systems are critical to our business? Map out your assets, data flows, and vendor touchpoints. Include third-party software, payment processors, and cloud services.
Recommended reading: Cybersecurity Risk Management: How Do We Get Started?
2. Develop and Document a Response Plan
If a breach happens, what’s your first move? Who speaks to the press? How will operations continue? Your plan should define these answers. And it can’t live in a PDF—test it regularly.
Recommended reading: Podcast: Legal Steps After a Cyber Attack
3. Adopt a Layered Security Strategy
Multi-Factor Authentication (MFA), endpoint detection, backups, segmentation—it’s not about any one tool. It’s about creating layers that slow attackers down, alert your team early, and allow recovery before real damage is done.
Recommended reading: The Silent Threat of Legacy Systems
4. Simulate Real-World Attacks
Don’t wait for a real breach to test your plan. Tabletop exercises and red team simulations reveal gaps while the stakes are still low.
5. Build Communication Protocols in Advance
M&S struggled with public messaging. Don’t make the same mistake. Prepare executive-approved messaging templates, assign spokespersons, and outline notification thresholds now.
6. Partner with Experts
Many internal IT teams don’t have the resources for full-scale response and recovery. That’s where Managed Security Service Providers (MSSPs) like One Step come in—to bring expertise and immediacy when every second counts.
Let’s talk: Schedule a Security Audit
Final Thoughts: Don’t Wait for a Crisis to Expose the Gaps
Here’s something I’ve talked about on the podcast and seen firsthand in countless breaches: it’s not just the initial attack that causes pain—it’s what comes after.
Double extortion ransomware has changed the game. It’s no longer just about locking up your systems and demanding payment for decryption. Today’s attackers go further—they steal your data before encrypting it.
Even if you pay to regain access to your systems, the nightmare may not be over. Hackers now threaten to publicly leak sensitive data unless you pay a second ransom. This tactic not only increases pressure on the victim but also amplifies reputational, legal, and regulatory risks.
We explored this in depth in one of our recent podcast episodes, where I sat down with a legal expert and a ransomware negotiator to talk about the legal, ethical, and tactical decisions executives are forced to make in those critical moments. If you haven’t listened yet, I highly recommend it:
Podcast: Legal Steps After a Cyber Attack
A higher level of preparedness is needed to protect against today’s cyber threats. You don’t just need a plan for getting back online—you need a roadmap for navigating public fallout, legal exposure, regulatory scrutiny, and extortion tactics that hit your business from every angle.
The M&S attack was a warning to every industry. If a global, resource-rich organization can be brought to its knees, so can any business that hasn’t prioritized cybersecurity at the top.
Modern cybersecurity isn’t about eliminating all risk—it’s about minimizing impact when the inevitable happens. That starts with leadership.
If you’re unsure where your incident response plan stands—or if you don’t have one at all—it’s time for a conversation.
Best regards,
Scott Kreisberg
CEO of One Step Secure IT