UK Businesses Lag on Cybersecurity After £300 Million M&S Hack: NCSC

Experts warn businesses are unprepared as cyberattacks grow more frequent and costly.
A red London bus passes the Art Deco style Marks & Spencer department store at Marble Arch in central London on Dec. 6, 2024. Benjamin Cremel/AFP via Getty Images
Evgenia Filimianova

The head of the National Cyber Security Centre (NCSC) has warned that businesses are not doing “nearly enough” to protect themselves from cyber threats, following a major cyberattack on retailer Marks & Spencer.

Richard Horne, chief executive of the NCSC, said there is a “widening gap” between the rising threat of cyberattacks and organisations’ readiness to defend against them.

Writing in The Times of London, Horne urged businesses to act immediately on the NCSC’s publicly available security advice.

“This is effective risk management, and any business leader who thinks they may be exempt from cyber risks should think again — and implement our advice immediately,” he said.

The warning comes as Marks & Spencer confirmed that the expected cost of the cyberattack, which took place around the Easter weekend, is around £300 million.

The breach forced the retailer to suspend online orders and led to the loss of customer data.

Speaking to reporters on Wednesday, Marks & Spencer Chief Executive Stuart Machin said hackers had exploited a third-party vendor after a case of “human error.”

“We didn’t leave the door open, this wasn’t anything to do with under-investment. Everyone is vulnerable. For us, we were unlucky on this particular day through some human error,” he said.

The high street retail giant said disruption to online shopping could continue into July, adding it is taking proactive measures to minimise the disruption for customers.

The attack is the latest in a wave of cyber incidents affecting major UK retailers. The Co-op and Harrods have also been targeted in recent weeks. The Co-op confirmed last week that it is now “in the recovery phase” and gradually bringing systems back online.

Breaches Surge, Call Centres Vulnerable

Official figures reveal that half of all businesses and 66 percent of high-income charities reported experiencing a cybersecurity breach or attack in the past 12 months.

The rate is even higher among medium-sized businesses (70 percent) and large businesses (74 percent).

Daniel Teacher, CEO of accounting and finance IT security firm T-Tech, has noted that organisations with extensive customer service operations are especially susceptible to fraudulent phone calls.

The weakness is that call handlers, trained to be helpful, can be talked by attackers impersonating a customer or employee into resetting that person's multifactor authentication, handing the attacker a way past the control.

Teacher also stressed the need for managed security, where organisations can quickly spot and respond to breaches.

“With M&S, they were in the system for days before it was detected,” he said.
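The help-desk pattern Teacher describes, and the detection gap he points to, can be caught at the identity layer by correlating a help-desk MFA reset with the sign-in that follows it. Below is an added example of that correlation in Python; it is not code from the article, the NCSC, M&S or T-Tech, and the log format, field names and the help-desk account name are assumptions made for illustration.

```python
# Added example (not from the article or any vendor): correlate help-desk MFA resets
# with the sign-in that follows. Log format, field names and the help-desk account
# naming are assumptions for illustration, not any identity provider's schema.
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Event:
    ts: datetime
    kind: str         # "mfa_reset" or "signin"
    user: str         # account the event concerns
    actor: str = ""   # who performed the reset (mfa_reset only)
    device: str = ""  # device or IP fingerprint (signin only)


def parse_line(line: str) -> Event:
    """Parse one constructed log line: '<iso-ts> <kind> <user> key=value ...'."""
    ts, kind, user, *rest = line.split()
    fields = dict(item.split("=", 1) for item in rest)
    return Event(datetime.fromisoformat(ts), kind, user,
                 fields.get("actor", ""), fields.get("device", ""))


def find_suspicious_resets(lines, helpdesk_accounts, window=timedelta(hours=24)):
    """Return one alert per help-desk MFA reset that is followed, within `window`,
    by a sign-in from a device the account had never used before the reset.
    Self-service resets and sign-ins from already-known devices are ignored."""
    events = sorted((parse_line(l) for l in lines if l.strip()), key=lambda e: e.ts)
    alerts = []
    for reset in events:
        if reset.kind != "mfa_reset" or reset.actor not in helpdesk_accounts:
            continue
        # Devices this account signed in from before the reset form its baseline.
        known = {e.device for e in events
                 if e.kind == "signin" and e.user == reset.user and e.ts < reset.ts}
        for s in events:
            if (s.kind == "signin" and s.user == reset.user
                    and reset.ts < s.ts <= reset.ts + window
                    and s.device not in known):
                alerts.append({"user": reset.user, "reset_by": reset.actor,
                               "reset_at": reset.ts, "device": s.device,
                               "signin_at": s.ts})
    return alerts


# Constructed sample log (not real data). alice: help-desk reset, then a never-seen
# device. carol: help-desk reset, but sign-in from her usual device. dave: self-service.
SAMPLE_LOG = """
2025-04-18T09:02:11 signin alice@example.com device=laptop-7a
2025-04-18T10:15:00 signin carol@example.com device=phone-3c
2025-04-19T14:30:05 mfa_reset alice@example.com actor=helpdesk.bob
2025-04-19T14:41:52 signin alice@example.com device=unknown-91
2025-04-19T15:00:00 mfa_reset carol@example.com actor=helpdesk.bob
2025-04-19T15:10:00 signin carol@example.com device=phone-3c
2025-04-19T16:00:00 mfa_reset dave@example.com actor=dave@example.com
2025-04-19T16:05:00 signin dave@example.com device=new-55
""".strip().splitlines()

HELPDESK_ACCOUNTS = {"helpdesk.bob"}  # assumed name of the help-desk service account

if __name__ == "__main__":
    for a in find_suspicious_resets(SAMPLE_LOG, HELPDESK_ACCOUNTS):
        print(f"ALERT {a['user']}: MFA reset by {a['reset_by']} at {a['reset_at']}, "
              f"then sign-in from new device {a['device']} at {a['signin_at']}")
```

On the sample data only alice's account trips the rule. The point is the correlation, not the individual events: a help-desk reset on its own is routine, and a new-device sign-in on its own is noisy, but the two together inside a short window are the signature of the call-centre tactic and are worth paging on rather than leaving in a daily report.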

A logo is displayed on a television screen in the National Cyber Security Centre in London, on Feb. 14, 2017. (Carl Court/Getty Images)

Cyber Essentials and Business Resilience

The NCSC has stressed that the cyberattacks on retailers “should act as a wake-up call to all organisations.”

The NCSC is urging companies to adopt its Cyber Essentials programme, a government-backed certification scheme designed to help companies guard against common threats such as malware, phishing, and hacking.

The scheme is meant for any organisation regardless of size or sector, but the NCSC particularly recommends it to small- and medium-sized enterprises, many of which may lack in-house cyber expertise but remain vulnerable to attacks.

For medium and large organisations, the government has designed the Cyber Governance Code of Practice. Published in April, it aims to support boards and directors in governing cybersecurity risks.

Lindsay Hill, CEO of Manchester-based cybersecurity firm Mitigo, said the code isn’t a legal requirement yet, but the government may make it mandatory later if not enough businesses follow it.

Other measures to strengthen the UK’s cyber defences will be laid out in the Cyber Security and Resilience Bill.

The bill, to be introduced in Parliament this year, aims to strengthen the nation’s cyber defences by expanding current regulations and mandating more detailed reporting of incidents, including ransomware attacks.

This comes as MPs warned that the government has underestimated the severity of cyber threats and that its current ability to respond to them is not good enough, compromising its ability to recover effectively from an attack.

A recent report by the Public Accounts Committee said that government resilience is “substantially lower than the Cabinet Office expected,” with departments having “multiple fundamental control failures, including risk management and response planning.”

M&S Profits Rise Despite Breach

Marks & Spencer is still struggling with the impact of the cyberattack. The retailer expects increased stock management costs in the second quarter.

The retailer reported a stronger-than-expected performance for the year ending in March, posting an adjusted pre-tax profit of £875.5 million, up 22.2 percent on the previous year.

Group revenues rose by 6 percent to £13.8 billion, driven by an 8.7 percent increase in food sales and a 3.5 percent rise in fashion, home, and beauty sales.

PA Media contributed to this report.
Evgenia Filimianova
Author
Evgenia Filimianova is a UK-based journalist covering a wide range of national stories, with a particular interest in UK politics, parliamentary proceedings and socioeconomic issues.