May 2025
M&S, Co-op and now Harrods; a cyber security wake-up call!
In the past week (May 2025) we’ve seen the retail sector significantly impacted by cyberattacks. M&S is currently in a second week of being unable to take website orders, and The Co-op has also taken some IT services offline in response to cyber activity. This morning (May 2) Harrods has taken similar action.

Associate Director - Cyber
The quick succession of retail-related cyberattacks will be cause for concern for those in the sector (and their customers), but in reality this is something every business needs to tackle head-on with practical, pragmatic and risk-based actions to reduce its cyber exposure.
Don’t have time to read on? Check out how we can support your organisation’s cyber security.
Our Associate Director for Cyber Security, and Fellow of the Chartered Institute of Information Security, Stew Hogg, takes a look at the data behind the security posture that may have led to these attacks, and what organisations can do to prevent them becoming another statistic.
A wake-up call
The Government cyber agency, the National Cyber Security Centre, sends out commentary on cyberattacks sparingly; however, the comments released yesterday by its CEO are a measure of the need for preventative action:
“These incidents should act as a wake-up call to all organisations.
“I urge leaders to follow the advice on the NCSC website to ensure they have appropriate measures in place to help prevent attacks and respond and recover effectively.”
The message is clear: don’t stand still, wake up, and take appropriate measures now, not just to defend against a cyberattack but also to detect, respond and recover.
It’s not hard to see why this is needed. Last month the government released the results of the Cyber Breach Survey 2025, which outlines cyber impacts and maturity from a sample of around 2,000 businesses throughout the UK. It identified that 67% of medium-sized and 74% of large organisations had been impacted by a cyberattack in the last 12 months. And while the importance of the topic is relatively high on the board room agenda, the average organisation still has a lot of ground to cover:
- Only 19% of organisations train their staff regularly in cyber security
- Only 29% of organisations have a documented cyber incident response plan
- Only 14% of organisations consider risks within their supply chain
72% of boards may say the topic is important to them; however, the evidence to date is that this isn’t always translating into action.
What should you do
Make it a board room responsibility
Waterstons believes that cyber security is a board room responsibility and that, in addition to getting the basics right, you should ensure that cyber security is not a one-time project or strategic initiative with a start and end. Rather, it’s a capability that’s always monitoring risk, taking appropriate action and validating the effectiveness of your response plans.
Adopt NCSC advice and the Cyber Code of Practice
A great place to start is the recently-released Cyber Governance Code of Practice which outlines five steps all boards should take to ensure their cyber readiness.
1. Risk management – Robust risk management is needed to identify where action is required and in a prioritised manner, particularly as we know that resources are not endless.
2. Strategy – Do you know where you are and where you want to be? This may involve reference to best practice such as NIST or ISO 27001, which lay out robust approaches to managing your security posture.
3. People – Do you have the right capability internally and via partners to ensure you can govern, identify, protect, detect, respond and recover from a cyber perspective? Are your staff trained to be your effective human firewall?
4. Incident response planning – Do you have a credible incident response plan that is documented, up to date and tested regularly? Are your partners in place to proactively spot cyber events and take action?
5. Assurance – Do you check your cyber posture regularly to ensure it’s effective? This can be via formal audits and certification, but even a lightweight health check can be enough to spot valuable areas to drive continual improvement.
Establish strong partnerships
We’re stronger together. Organisations need to collaborate and share best practice to ensure that cyber criminals do not win. Find organisations you trust that can help you maintain a proactive approach when it comes to cyber security.
Find out more about the group responsible for the High Street Hacks here.
As an NCSC-assured consultancy, we act as trusted cyber advisors for businesses of all sizes, from all sectors. Whether you need 24/7/365 security monitoring, a full cyber security strategy, ISO accreditation, or just to understand your current posture – we have the experts to help. Check out everything we do here, or get in touch at cyber@waterstons.com.
Let’s finish on the reminder from the NCSC CEO: “Let this be a wake-up call!”
Don’t be numb to yet another cyberattack in the media; take action to ensure you don’t become another cyber statistic.