Security and Cloud | 2 September 2025

Your Business Is at Risk: The Essential Guide to Proactive Cyber Defense

The headlines are loud and clear: cyberattacks against major retailers are no longer a distant threat. They’re a daily reality. Recently, two well-known UK retailers, M&S and Co-op, were hit with major cyber incidents, causing everything from operational chaos to significant financial losses. While these attacks serve as a stark warning, they also offer a crucial lesson. In today’s digital landscape, reactive security is a losing game. The new motto for survival is “assume breach.”

So, what exactly is happening, and why should every business leader—from a small startup founder to a Fortune 500 CEO—pay attention?

The New Threats: Identity-Based Attacks and SIM Swapping

The most alarming detail from the recent breaches is the rise of identity-based attacks. Threat actors are no longer just looking for weak network firewalls; they’re targeting your employees.

  • SIM Swapping: The attacks on M&S and Co-op leveraged a tactic called SIM swapping. Attackers impersonate an employee to convince a mobile carrier to transfer the employee’s phone number to a new SIM card that the attackers control. Once they control the phone number, they receive the two-factor authentication (2FA) codes sent to it, which lets them bypass 2FA and gain access to a company’s systems. This method is alarmingly effective and on the rise, with a staggering 1,055% increase in 2024.
  • Human Vulnerabilities: The data from Expel’s Q1 2025 report confirms that identity-based attacks are the most common threat, making up 66.2% of all security incidents. M&S even confirmed that human error was the root cause of their breach, proving that no amount of technology can protect you from a lapse in employee security.
  • ClickFix Malware: Adding to the threat landscape are new malware techniques like ClickFix, where fake pop-ups (like fake CAPTCHA or QR codes) trick users into installing malware themselves. This shows how attackers are exploiting the weakest link in any organization: the human element.

These attacks highlight a critical shift: attackers are finding new ways to get in, often by tricking users or exploiting common, easily overlooked vulnerabilities in a company’s own network.

The Proactive Playbook: From Reaction to Resilience

The difference in outcomes for M&S and Co-op is a masterclass in modern cyber defense. While both were attacked, Co-op’s quick, pre-planned response to take their systems offline saved them from much worse. This demonstrates the power of a proactive mindset.

Here’s what your business can do to build resilience:

  1. Enforce Strong Security Hygiene: This is the baseline. It means mandating the use of secure password managers for all employees and providing regular training on phishing and social engineering. It’s about making your organization a hard target, so attackers are more likely to move on.
  2. Bolster Your Defenses from the Inside Out: Beyond external threats, businesses must address internal vulnerabilities. This means regularly patching and configuring network appliances like firewalls and VPNs, which are often exploited as “backdoors” in mass-scanning attacks.
  3. Invest in Incident Response: As a former Microsoft employee once said, you must “assume breach.” This means preparing for the inevitable. Businesses should have a clear cybersecurity playbook that includes:
    • Managed Detection and Response (MDR): Services that can quickly identify and neutralize suspicious activity.
    • Tabletop Simulations: Running simulated cyber incidents with key stakeholders (from IT to finance and PR) helps a company practice its response, identify gaps, and build a “response muscle” before a real crisis hits.

The cost of inaction is simply too high. M&S is facing an estimated £300 million loss in profits from a single breach. A proactive plan, while requiring upfront investment, is a strategic priority that saves millions in the long run.

The Takeaway

Cybersecurity is no longer just a technical issue; it’s a fundamental business concern. The latest data shows that attackers are increasingly targeting identity and human vulnerabilities. By shifting from a reactive “if it happens” to a proactive “when it happens” mindset, businesses can build a resilient defense that protects their reputation, their finances, and their future.

Is your company prepared for a cyberattack? What’s the first step you’ll take to shift your security from reactive to proactive? Share your thoughts below!

Intelligence source: Inventrium Research