When Giants Fall: A Personal Encounter with UK's Retail Cyber Crisis
- Oreoluwa Olaolu
- Jun 1
- 3 min read

Last month, I found myself in what should have been a simple situation: buying a thoughtful gift for a dear friend who had just welcomed a new baby in the UK. Like many of us, I turned to the internet for convenience, starting with Harrods—surely they'd have something perfect for celebrating new life.
But when I navigated to their website, I was met with an unexpected message. Harrods had been hit by a cyber attack and had disabled many of their online services as a precautionary measure. Frustrated but undeterred, I pivoted to what I thought would be a reliable alternative: flowers. And naturally, I headed to M&S—a retailer I've come to love and trust for gifts over the years.
To my astonishment, M&S presented the same story. Their online sales had been completely halted due to a major cyber attack. What should have been a 10-minute shopping experience turned into a stark reminder of how vulnerable even our most established businesses have become in the digital age.
The scale of impact became clear as reports emerged: M&S's online shopping generates roughly £3.8 million in daily revenue, a stream now halted by the ongoing shutdown, and the cyber attack has wiped over £1 billion from M&S's stock market value. This wasn't just an inconvenience; it was a business catastrophe affecting one of Britain's most iconic retailers.
What struck me most was my genuine surprise. Here were two retail giants—Harrods and M&S—businesses with presumably sophisticated IT infrastructure and substantial resources, falling victim to attacks that completely disrupted their operations. In an era where cyber threats are not just possible but probable, one would expect these establishments to remain not just ready and alert, but ahead of the curve for such eventualities.
Having led an audit team that managed controls around business operations at Mixta (ARM Real estate), I've seen firsthand how robust internal controls can make the difference between minor disruption and business catastrophe. The recent attacks on UK retailers serve as a sobering reminder that cyber resilience isn't optional—it's essential for business continuity.
For business leaders looking to strengthen their defenses against such disruptions, here are key control considerations:
1. Implement Comprehensive Backup and Recovery Systems: Cyber incidents demand multiple layers of backup solutions—not just data backups, but entire system replicas that can be activated quickly. Regular testing of these backup systems is crucial; a backup that fails during a crisis is worse than no backup at all.
2. Conduct Frequent Penetration Testing: Regular penetration testing by external security experts helps identify vulnerabilities before malicious actors do. This isn't a one-time exercise but an ongoing process that should adapt to evolving threat landscapes and business changes.
3. Establish Robust Access Control and Identity Management: Implement multi-factor authentication, role-based access controls, and regular access reviews. Many successful attacks exploit weak or compromised credentials, making identity management a critical first line of defense.
4. Develop and Test Incident Response Plans: Having a well-documented, regularly tested incident response plan can dramatically reduce recovery time and minimize business impact. This includes clear communication protocols, decision-making hierarchies, and predefined recovery procedures.
5. Invest in Employee Cybersecurity Training: Human error remains one of the largest security vulnerabilities. Regular training programs help employees recognize phishing attempts, understand security protocols, and respond appropriately to suspicious activities.
6. Maintain Cyber Insurance and Legal Preparedness: While not preventing attacks, comprehensive cyber insurance and established relationships with cybersecurity legal experts can significantly reduce financial impact and ensure compliance with regulatory requirements during incidents.
The M&S and Harrods incidents highlight an uncomfortable truth: many businesses still treat cybersecurity and internal controls as compliance exercises rather than core business functions. The financial impact—millions in lost revenue, billions in market value erosion—demonstrates that this approach is not just inadequate but financially reckless.
As someone who has spent considerable time in the audit and control space, I hope that business leaders and internal control managers finally accept that robust control frameworks are not administrative burdens but core supports of business activities. These controls are infinitely better to have in place pre-attack than to scramble to implement post-incident.
It's a principle as old as insurance itself: it's better to have comprehensive protection and not need it than to need it desperately and not have it. In today's interconnected digital economy, that wisdom has never been more relevant—or more urgent.
The next time I need to buy a gift for a friend anywhere in the world (all of us in my various friendship groups are scattered across the globe), I hope I can do so without wondering which major retailer might be offline due to a cyber attack.
But more importantly, I hope businesses learn from these incidents and invest in the unglamorous but essential work of building resilient, secure operations before the next attack hits.