Nick Denning, CEO of Diegesis, discusses the lessons the public sector can draw from recent cyber attacks on major retailers, emphasising the importance of viewing these incidents not as isolated accidents but as actionable case studies
Recent cyberattacks targeting M&S, Co-op, and Harrods in the retail sector continued to disrupt operations and make headlines weeks after being discovered. How should the public sector view these incidents and learn from them? Nick Denning, CEO of Diegesis and Policy Monitor, concurs with the sentiment expressed by Richard Horne, CEO of the UK National Cyber Security Centre (NCSC). It is a delusion to suggest that successful cyberattacks are ‘accidents’ befalling ‘unlucky’ organisations. Instead, they happen because organisations fail to implement the NCSC’s robust advice promptly. These attacks are not someone else’s misfortunes but case studies to absorb and act on as quickly as possible.
Cyberattacks are increasing in number and severity in all sectors
At a [conference in early May](https://www.ncsc.gov.uk/speech/cyberuk-2025-ncsc-ceo-keynote-speech), Richard Horne revealed that the NCSC had managed double the number of “nationally significant” cyber incidents between September 2024 and May 2025 compared to the same period in the previous year. Nationally significant cyber incidents are defined as those with a substantial impact on the UK, including incidents that affect medium-sized organisations or which pose a considerable risk to large organisations or the public sector.
Among the different methods of cyberattack, Horne described ransomware as “probably the most pressing threat.” In a consultation launched in January, the UK Government proposed banning public sector and critical infrastructure organisations from making ransomware payments as a potential means to end or mitigate the effects of attacks. Horne stated: “We must see a future together where paying ransoms is no longer considered an option, where the business model for the attackers no longer works.”
What are the cyber lessons from the M&S hack?
What can the public sector do if cyber threats are on the rise and the ‘option of last resort’ – paying up – is no longer available? Precisely what happened in the attack on M&S is still emerging, but the key areas coming into focus are:
- Organisations are connected like never before. In the M&S case and other attacks on the NHS and police forces, the entry point was via third parties that share systems and data with the main target. This, together with home working and employees using their own devices to access business systems, means that the ‘attack surface’ extends far beyond an organisation’s boundaries.
- Often, the strong security provided by the IT department is insufficient if employees can simply be targeted to willingly share their user IDs and passwords. Updates on cyber threats and training for employees and partners should be an ongoing process, not a one-time activity.
- Cybersecurity defence products are relatively mature, and it is viable to provide cost-effective protection against most threats by implementing NCSC advice. A failure in any organisation to take effective protection measures should be considered recklessness.
- Waiting to work out how to respond until after an attack happens is not acceptable. A crisis plan, including communications and technical responses, needs to be prepared and regularly updated. This plan should take into account that any or all of the organisation’s IT systems may be unavailable or accessible to attackers, including email.
What can you do, and who can help?
The first step is to establish a baseline and identify the assets within the business that are critical to day-to-day operations. Technical people are rarely best placed to understand overall strategic objectives, and this is where the executive team needs to step up and guide the prioritisation process. Based on these priorities, technical staff can begin to identify which parts of the digital estate are critical to achieving top-level objectives. This could be information and data systems, networks or other services provided in-house or by suppliers and partners.
The government-endorsed Cyber Essentials (CE) scheme was designed to help protect UK organisations from the most common cyber threats and provides a good framework for establishing a sound cyber defence posture. CE sets out basic technical controls for organisations to implement, which are then assessed annually. Undertaking CE in conjunction with an assessment of the whole technical estate will help to identify the assets that may be critical to providing key services.
Cyber Essentials (CE) involves self-assessment, so advancing to the next level, CE+, by engaging an external assessor is wise. Being aware of IASME assurance and ISO 27001, and striving to comply with as many of those requirements as possible, is also to be lauded. Monitoring compliance against those standards, even if they are not fully achieved, provides excellent support to the business’s periodic risk assessments.
Identify and address vulnerabilities
All systems contain vulnerabilities. Bad actors are skilled at identifying and exploiting vulnerabilities. This makes vulnerability management a critical ongoing exercise for organisations, and there are tools available to help with this cyclical process.
Vulnerabilities can be addressed by changes to policies, procedures and behaviours covering identification, assessment, prioritisation, remediation, monitoring and reporting. For example, IT teams should be incentivised to apply system updates and security patches regularly, even if doing so could disrupt day-to-day operations. The impact of not being fully up to date can be significantly worse.
The 3-2-1 backup rule is a basic strategy to help an organisation get back to full, or at least partial, operations after an attack by rolling back to a ‘safe’ version of systems and data. Keep three copies of data, store them on two different types of media, and hold one copy remotely and offline. Even better is a backup strategy based on immutable layers, allowing an organisation to recover to any historic point in time and on a file-by-file basis. AWS S3 provides this capability, and many backup providers build on it.
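To make the immutable-layer idea concrete, here is an added illustrative model (not Diegesis code and not an S3 API) of an append-only, versioned backup store: every write creates a new version, deletions are tombstones, and any file can be restored as it stood at a chosen point in time. The incident in `demo()` is constructed: an attacker overwrites two files and deletes one, and the defender recovers the tree as of the moment before the incident.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Version:
    ts: int                 # write time (constructed integer timestamp)
    data: Optional[bytes]   # None marks a delete tombstone


class ImmutableBackup:
    """Append-only versioned store: nothing is ever overwritten or purged."""

    def __init__(self) -> None:
        self._log: Dict[str, List[Version]] = {}

    def put(self, path: str, data: bytes, ts: int) -> None:
        self._log.setdefault(path, []).append(Version(ts, data))

    def delete(self, path: str, ts: int) -> None:
        # A delete only appends a tombstone; older versions stay recoverable.
        self._log.setdefault(path, []).append(Version(ts, None))

    def restore(self, path: str, as_of: int) -> Optional[bytes]:
        """Content of `path` as it stood at time `as_of` (None if absent/deleted)."""
        latest: Optional[Version] = None
        for v in self._log.get(path, []):
            if v.ts <= as_of:
                latest = v
        return latest.data if latest is not None else None

    def restore_tree(self, as_of: int) -> Dict[str, bytes]:
        """Every file that existed at `as_of`, file by file."""
        tree: Dict[str, bytes] = {}
        for path in self._log:
            data = self.restore(path, as_of)
            if data is not None:
                tree[path] = data
        return tree


def demo() -> ImmutableBackup:
    b = ImmutableBackup()
    b.put("finance/ledger.csv", b"2024,ok", ts=100)   # normal operations
    b.put("hr/staff.db", b"alice,bob", ts=110)
    b.put("finance/ledger.csv", b"2025,ok", ts=200)
    # Constructed incident at ts=300: files overwritten with ciphertext, then deleted.
    b.put("finance/ledger.csv", b"ENCRYPTED-BLOB", ts=300)
    b.put("hr/staff.db", b"ENCRYPTED-BLOB", ts=300)
    b.delete("hr/staff.db", ts=310)
    return b
```

Restoring with `as_of=299` yields the last clean state, while `as_of=150` shows that file-level recovery to any earlier point is equally possible.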
Email protection
One of the most significant ‘routes in’ has always been via email, so using email filtering technologies is a must. Diegesis uses Mimecast. When our penetration testers analyse us, spoof emails don’t get through!
Monitoring and feedback
How effective are your defences? Where are the weakest points in them? Without an effective monitoring system, you are flying blind. Include dark web monitoring in your architecture to check that none of your data is being offered for sale. Making it easy for employees to report incidents, and pushing summary data from each defence technology to a central risk dashboard for the Head of Security, are excellent mechanisms for providing oversight of all the areas identified in the CE and IASME standards.
Training and awareness
It’s the people! Maintaining a high level of awareness is essential to help people stop and think.
Multi/Two Factor Authentication (MFA/TFA)
A military approach demands strength in depth. The first line of defence can be penetrated by surprise; containing the attack requires multiple layers of protection, and MFA/TFA is critical. All public-facing systems should have TFA enabled, yet many organisations are ignoring this ‘because it would be too complicated’ or ‘would impose too great a load on our support desk.’ Such statements signal a lack of care.
Make sure your communications plan is ready… and available offline
After a cyberattack, silence and secrecy are not options. Communications are being viewed as an area where M&S has performed well during the recent attack.
In today’s social media age, ‘fake news’ and speculation can spread rapidly, leading to an organisation losing control of the narrative with its employees and the public. M&S has put forward senior executives to communicate through multiple channels, such as the company website, emails to stakeholders, press updates and social media.
Regular information on how the public might be impacted and what they can do to protect themselves can help keep the majority onside. Cyberattacks are a given. Crises are almost inevitable. Lasting reputational damage is not. Never underestimate the power of saying sorry.
Visit www.diegesis.co.uk and www.policymonitor.co.uk for more information.

This work is licensed under Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International.