M&S chaos: How can HR help prevent cyber attacks?

“The M&S breach is a perfect opportunity for a teaching moment,” said Aiimi's Matt Eustace

As retail giant Marks and Spencer continues to deal with the after-effects of a cyber attack, we asked commentators how HR can help boost cyber security.

A cyber attack has forced FTSE 100 retailer Marks and Spencer to stop taking online orders from last Friday (25 April). The incident, first identified a week ago, remains unresolved, and has prompted a £700m drop in M&S’ stock market value, the Financial Times reported yesterday (28 April).

Online sales reportedly account for roughly a third of the retailer's UK clothing and household goods sales: nearly £1.3bn of M&S’ £3.9bn clothing and homeware sales came from online last year, according to the BBC.

It’s important for HR to help employers safeguard against such attacks, explained Anastasia Shamgunova, HR director, regional network, for the online security firm Kaspersky. She told HR magazine: “With nearly two thirds of cyber incidents caused by a human error, the role of HR teams in creating an environment that would enable employees to develop and boost their cyber skills is acute.”

Education is key to protecting businesses, Shamgunova added. She advised HR to team up with other departments, to implement comprehensive and wide-ranging training. “HR teams, together with other relevant departments, should adopt a systematic approach to cyber-education,” she said, “carrying out regular assessments of the level of cyber literacy, and implementing training that would fill gaps in their knowledge.

“Efforts should be focused both on non-IT staff members and technical teams, as our findings show that IT and IT security professionals are not above causing cyber incidents: surprisingly, IT workers are shown to be more of a risk than non-IT staff.”

Matt Eustace, data protection officer for the tech company Aiimi, agreed that training must be part of the solution. Speaking to HR magazine, he said: “The M&S breach is a perfect opportunity for other companies to take a look at what went wrong and use it as a teaching moment for their own teams. M&S is a well-loved brand, and many employees are also customers, so they can really relate to the impact.

“This is a great chance to show staff what to look for if customer data is breached, like phishing attempts or fake password reset emails.”

M&S released a statement on Friday, in a move that seemed aimed at reassuring customers; it read: “As part of our proactive management of a cyber incident, we have made the decision to pause taking orders... We informed customers on Tuesday that there was no need for them to take any action. That remains the case, and if the situation changes we will let them know.”

M&S isn’t the only major brand to face serious service disruption within the last six months. In January, two banks, Lloyds and Barclays, suffered high-profile outages due to IT issues. In the same month, the British Museum was hacked. Last winter, the supermarket Morrisons experienced significant disruption, and Transport for London suffered a cyber security incident.

‘Shadow AI’ could be making things worse, Eustace suggested: “The rise of shadow AI – where staff use unapproved tools because they don’t know what’s allowed, or because they aren’t offered good alternatives – is creating new risks. Those that are investing in strong, AI-supported governance models are moving in the right direction. But overall, there’s still a lot of work to be done to make security a true business priority, not just something that keeps your IT team up at night.”

On the subject of when to call in specialists, to help organisations with cybersecurity, Eustace advised the sooner the better: “Specialist support should be brought in much earlier than many organisations think. Waiting until an incident has already occurred is too late. Prevention is always more effective, and less costly, than cure – both financially and reputation-wise. Experts, whether internal or external, should be involved when designing systems, setting data governance frameworks, and introducing emerging technologies like AI. They can spot gaps and see the bigger picture, helping manage risks properly before they escalate.”

Where bringing in specialists is cost-prohibitive, Shamgunova suggested using automated solutions. She said: “Bringing in specialists to conduct dedicated training is always a good idea, but not all companies might have resources for that. Automated awareness solutions might be a more flexible and affordable option for smaller organisations.”