Cyber Attacks on M&S & Co-op - A Wake-Up Call for Small Businesses
In April 2025, high-profile cyber attacks on Marks & Spencer (M&S) and the Co-op disrupted business operations and sent shockwaves across the UK retail sector. While these are large enterprises, their misfortune is a timely warning for small businesses—especially those with fewer than 100 users—not to underestimate cyber threats.
What Happened?
M&S was hit by a cyber attack reportedly linked to the group “Scattered Spider”, which led to disruptions in online orders, contactless payments, and stock levels in stores. The company saw a sharp market value drop—losing nearly £700 million.
The Co-op responded to suspicious network activity by shutting down part of its IT infrastructure, affecting its support and call centre services.
If multi-million-pound companies can be crippled, imagine the impact a similar attack could have on a small business.
Why Cybersecurity Should Be a Priority for Small Businesses
Small businesses are attractive to cybercriminals because they often lack the resources and policies that protect larger companies. Here’s why this matters:
- Operational risk: A ransomware attack could halt your business for days or weeks.
- Financial losses: Beyond paying a ransom, recovery costs can be crushing.
- Reputation damage: Customers may not return if their data is exposed.
How Small Businesses Can Strengthen Their Cyber Resilience
Here are practical, affordable steps every small business should take to protect themselves:
Strong Password Practices
- Use strong, unique passwords. The NCSC recommends using three random words with punctuation for security: e.g., Orange!Mountain#Laptop.
- Regularly check if your credentials have been compromised via HaveIBeenPwned.
- Invest in an enterprise password manager like Dashlane to eliminate reused or weak passwords.
- Establish a clear password policy and train staff to follow it.
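The passphrase and breach-check steps above, as an added example that is not part of the original article: it builds a three-random-words passphrase and checks it against a Have I Been Pwned "Pwned Passwords" range response, where only the first five characters of the SHA-1 hash would leave the machine. The word list, function names and sample response are constructed for illustration; a real check would fetch `https://api.pwnedpasswords.com/range/<prefix>` and pass the body in.

```python
import hashlib
import secrets

# Constructed word list (assumption); use a dictionary of thousands of words in practice.
WORDS = ["orange", "mountain", "laptop", "river", "candle", "tiger", "window", "pepper"]
SEPARATORS = "!#-?"

def three_random_words(words=WORDS):
    """Three distinct random words, capitalised, joined by random punctuation."""
    rng = secrets.SystemRandom()  # OS-backed CSPRNG, not random.random()
    first, second, third = (w.capitalize() for w in rng.sample(words, 3))
    return first + rng.choice(SEPARATORS) + second + rng.choice(SEPARATORS) + third

def range_query(password):
    """Split the SHA-1 digest: the 5-char prefix is sent, the 35-char suffix stays local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def breach_count(password, range_body):
    """Look up the local suffix in a range response made of 'SUFFIX:COUNT' lines."""
    _, suffix = range_query(password)
    for line in range_body.splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate.upper() == suffix and count.strip().isdigit():
            return int(count)  # padded responses carry filler entries with count 0
    return 0

def constructed_range_body(password, count):
    """Constructed stand-in for the HTTP response body for this password's prefix."""
    _, suffix = range_query(password)
    filler = ["0" * 35 + ":0", "F" * 35 + ":12"]  # made-up non-matching entries
    return "\r\n".join([filler[0], f"{suffix}:{count}", filler[1]])

def pick_unbreached(range_lookup, attempts=5):
    """Generate passphrases until one has no breach hits; range_lookup(prefix) -> body."""
    for _ in range(attempts):
        candidate = three_random_words()
        prefix, _ = range_query(candidate)
        if breach_count(candidate, range_lookup(prefix)) == 0:
            return candidate
    raise RuntimeError("no unbreached passphrase found")
```

A breach count above zero means the password appears in known breach data and should be rejected, however strong it looks.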
Multi-Factor Authentication (MFA)
Even strong passwords can be stolen. MFA adds another layer—like Face ID or a phone app—making it much harder for attackers to gain access.
Enable MFA for:
- Email accounts
- Remote access to on-premises systems
- Web-based CRM and financial software
- Admin portals and devices
Watch for Phishing & Spoofing
Phishing remains the most common cyber threat, especially in small organisations with less training.
- Train staff to identify suspicious emails, texts, and calls.
- Set up a clear reporting process. Don’t penalise users for reporting mistakes.
If you think you’re under attack:
- Call Action Fraud: 0300 123 2040 (24/7)
- Report phishing emails to: report@phishing.gov.uk
- Forward dodgy texts to: 7726
Keep Devices and Software Updated
Always install updates—they often include security patches that block known vulnerabilities.
- Enable automatic updates where possible.
- Assign responsibility for updates across the business.
- Offer help to less tech-savvy team members.
Security Awareness Training
Even the best tools fail if your team isn’t prepared. Fortunately, free training is available:
For tailored training, reach out to your IT provider or consider affordable external options like FOS.net.
Join the Eastern Cyber Resilience Centre (ECRC)
The ECRC offers support, resources, and training to small businesses looking to improve their cyber defences. It’s a great first step toward building a more secure future.
Final Thoughts
Cyber attacks are no longer a distant threat—they’re happening right now, and small businesses are often the easiest targets. With basic protections like strong passwords, MFA, security training, and regular updates, you can dramatically reduce your risk.
Don’t wait until it’s too late. Cyber resilience isn’t a luxury—it’s a necessity. Get in touch with FOS Net today to discuss how best to secure your business.