Fri 16 May 2025

Cybersecurity: Protecting your business

The recent cyber-attacks on UK retailers, M&S, the Co-op and Harrods are timely reminders of just how disruptive, and potentially costly, a cybersecurity incident can be for an organisation.

In addition to lost revenue from the disruption to operations and the potentially significant reputational harm that follows, regulatory fines may be issued where it is established that a business failed to take adequate steps to prevent such incidents and protect its data.
 
These retailers are not alone: other large UK businesses, including Arnold Clark, British Airways and Boots, have also fallen victim to cyber-attacks. Although it is usually incidents at large organisations that make the headlines, cyber incidents do not only affect large businesses. Smaller businesses, which often have less robust security measures in place, are frequently an easier target.
 
In a landscape where the methods used by cyber criminals are constantly evolving, there are some key steps which businesses can take to reduce the risk of an incident and to enable them to deal swiftly with, and mitigate the impact of, any incident that does occur, for example:

  • Security measures such as multi-factor authentication, encryption and automatic updates (including applying security patches promptly upon release). These are relatively low-cost protections but are often overlooked in favour of more advanced measures. On 13 May 2025, the Information Commissioner's Office (ICO) published detailed updated guidance on the use of encryption to assist organisations in complying with their security obligations. The ICO's guidance makes clear that encryption is strongly recommended when transferring data via removable media such as USB drives, sending personal data by email, storing data on mobile devices and using cloud services.
  • Enhancing monitoring of accounts for unauthorised access or use, including looking for suspicious activity or unusual behaviour such as sign-ins at unusual times or from unfamiliar locations, repeated failed login attempts, or a password reset closely followed by a login from a device the account has never used before.
  • Reviewing helpdesk password reset processes, in particular how the helpdesk verifies a staff member's identity before resetting a password (especially for accounts with escalated privileges), and reminding staff what information an IT helpdesk will, and will not, ask for when actioning a password reset.
  • Carrying out regular internal and/or external cybersecurity risk assessments and audits and, where possible, network penetration testing. As technology is continually evolving, regular assessments are a practical means of ensuring that vulnerabilities are identified and can be addressed.
  • Segmenting or segregating networks where possible, so that if malicious access does occur the incident can be contained and operations restored promptly.
  • Ensuring that business continuity plans are regularly reviewed, updated and tested so that they meet business needs and reflect the current operational position. Often a detailed analysis is carried out when a business continuity plan is first produced, but if the plan is not then subject to continual review it can quickly become out of date.
  • Obtaining cyber insurance coverage. The cost of cyber insurance is, understandably, rising rapidly; however, having proper coverage in place may be invaluable in the event of an attack to cover the financial impact on the business and, depending on the nature of the business, it can be a key requirement of many customers and partners.
  • Knowing your data. A business should know what information it holds and where it is held, so that it can establish what is accessible to cybercriminals when looking to protect against an attack, and what is likely to have been accessed when dealing with the impact of one.
  • Continuously backing up data to a secure location, separate from the working systems, so that it can be retrieved in the event of a compromise.
  • Knowing your contracts is another element which is often overlooked in the context of a cyber incident. Many contracts may expose a business to liability where its operations are significantly impacted by a cyber incident. Understanding the liabilities owed to customers, suppliers or other third parties in the context of a cyber incident, and ensuring that contracts properly reflect where those liabilities start and end, is arguably crucial to minimising the impact.
  • Ensuring that there are adequate staffing levels over holiday periods. Cybercriminals look for opportunities to attack when an organisation may be less well equipped to deal with the aftermath, or unable to identify an attack in real time, allowing greater access to wider parts of the network. This has been seen in practice with M&S, the Co-op and Arnold Clark, where the incidents occurred over the Easter and Christmas public holiday periods.
  • Training staff on password security and on common tactics used by cybercriminals such as phishing (suspicious emails encouraging you, for example, to click a link), smishing (the text/WhatsApp equivalent of phishing) and social engineering (posing as a trusted contact, for example a colleague, to obtain information), and on what to do in the event of a cyber incident so that proper internal procedures are followed.
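
As an added, illustrative example (it is not part of the original article and is not any firm's or vendor's tooling), the following Python script applies two of the monitoring ideas above to a constructed set of sign-in and helpdesk events: a helpdesk-initiated password reset on a privileged account that is followed shortly afterwards by a sign-in from an IP address that account has never used, and a burst of failed sign-ins followed by a success. The log format, account names, IP addresses, timestamps, the privileged-account list and the thresholds are all assumptions made for the example.

```python
"""Toy detection logic over constructed authentication and helpdesk events.

Rule 1: helpdesk password reset on a privileged account, followed within
        RESET_WINDOW by a successful sign-in from an IP never seen for it.
Rule 2: FAIL_THRESHOLD or more failed sign-ins within FAIL_WINDOW, followed
        by a successful sign-in (brute-force / credential-stuffing pattern).
The event format, names, addresses and times below are constructed for this
example and are not a real log format or real data.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events, in chronological order.
# Fields: ISO timestamp, event kind, account, source (IP or helpdesk actor), outcome.
SAMPLE_EVENTS = [
    "2025-04-18T08:02:11Z signin j.smith  198.51.100.7   success",
    "2025-04-18T08:05:40Z signin admin.kp 203.0.113.10   success",
    "2025-04-18T09:14:03Z reset  admin.kp helpdesk:t.lee success",
    "2025-04-18T09:21:55Z signin admin.kp 192.0.2.44     success",
    "2025-04-18T10:00:01Z signin j.smith  198.51.100.7   failure",
    "2025-04-18T10:00:02Z signin j.smith  198.51.100.7   failure",
    "2025-04-18T10:00:03Z signin j.smith  198.51.100.7   failure",
    "2025-04-18T10:00:04Z signin j.smith  198.51.100.7   failure",
    "2025-04-18T10:00:05Z signin j.smith  198.51.100.7   failure",
    "2025-04-18T10:00:09Z signin j.smith  198.51.100.7   success",
    "2025-04-18T11:30:00Z reset  a.brown  helpdesk:t.lee success",
    "2025-04-18T11:35:00Z signin a.brown  198.51.100.9   success",
]

# Constructed list of accounts with escalated privileges (assumption).
PRIVILEGED = {"admin.kp"}

RESET_WINDOW = timedelta(minutes=60)  # reset -> new-IP login within this is suspicious
FAIL_THRESHOLD = 5                    # failures needed before a success triggers rule 2
FAIL_WINDOW = timedelta(minutes=10)   # failures older than this are ignored


def parse_event(line):
    """Split one constructed log line into a dict with a datetime timestamp."""
    ts, kind, account, source, outcome = line.split()
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "kind": kind,
        "account": account,
        "source": source,
        "outcome": outcome,
    }


def detect(lines, privileged=PRIVILEGED):
    """Return a list of (rule, account, timestamp) alerts, in event order."""
    alerts = []
    known_ips = defaultdict(set)   # account -> IPs seen in earlier successful sign-ins
    last_reset = {}                # account -> time of most recent helpdesk reset
    failures = defaultdict(list)   # account -> timestamps of failed sign-ins

    for ev in map(parse_event, lines):
        acct, ts = ev["account"], ev["ts"]
        if ev["kind"] == "reset" and ev["outcome"] == "success":
            last_reset[acct] = ts
            continue
        if ev["kind"] != "signin":
            continue
        if ev["outcome"] == "failure":
            failures[acct].append(ts)
            continue

        # From here on the event is a successful sign-in.
        recent_fails = [t for t in failures[acct] if ts - t <= FAIL_WINDOW]
        if len(recent_fails) >= FAIL_THRESHOLD:
            alerts.append(("failures-then-success", acct, ts.isoformat()))
        failures[acct] = []  # a success closes the burst

        reset_at = last_reset.get(acct)
        new_ip = ev["source"] not in known_ips[acct]
        if (acct in privileged and reset_at is not None
                and ts - reset_at <= RESET_WINDOW and new_ip):
            alerts.append(("privileged-reset-then-new-ip", acct, ts.isoformat()))
        known_ips[acct].add(ev["source"])

    return alerts


if __name__ == "__main__":
    for rule, account, when in detect(SAMPLE_EVENTS):
        print(f"{when} {rule} {account}")
```

On the sample data the script raises two alerts: the admin.kp reset followed eight minutes later by a sign-in from 192.0.2.44, and the six-attempt burst on j.smith. The a.brown reset is deliberately not flagged, because the rule as written only fires for accounts in the privileged list; widening it to every account, or lowering the thresholds, is a tuning decision that trades more alerts for earlier warning.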

 
These examples are reminders that fairly simple security measures can go a long way towards protecting the security of data and avoiding regulatory action. While, unfortunately, there is no fail-safe way to prevent these sorts of cyber incidents, implementing some or all of these steps is an effective way to demonstrate that an organisation is handling data securely and transparently.
 
If you wish to refresh your policies or staff training, or to conduct an audit of your data practices, please get in touch with our Data Protection and Cybersecurity team at Morton Fraser MacRoberts LLP.
Morton Fraser MacRoberts LLP will use the information you provide to contact you about your inquiry. The information is confidential. For more information on our privacy practices please see our Privacy Notice