After M&S and Co-op: What the Retail Attacks Taught Smaller Firms About Supplier Risk

The most useful lesson from the Marks & Spencer and Co-op cyber attacks of 2025 is also the least comfortable one: the weakness was not just malware. It was process. Public reporting linked the M&S incident to social engineering against a third-party IT service desk, where attackers persuaded someone to reset access. From there, the disruption became severe. M&S suspended online clothing and home orders for 46 days, warned of a roughly £300 million operating profit impact for 2025/26 before mitigation, and became part of a wider retail cyber event that the UK Cyber Monitoring Centre classified as a Category 2 systemic incident, with estimated total financial impact across affected parties of £270 million to £440 million.

If you run a smaller business, there are two takeaways. First, your IT provider, helpdesk, cloud platforms and any supplier that holds your data are part of your attack surface. Second, you are probably part of someone else's supply chain, and larger customers are likely to ask harder questions about your cyber controls.

This article explains what to do about both in plain terms.

What actually happened

A short, careful version. In spring 2025, M&S suffered a major cyber incident that disrupted contactless payments, click and collect and online ordering. The incident was publicly linked to social engineering, compromised credentials and ransomware activity, with reporting connecting the attack to Scattered Spider-style techniques and DragonForce ransomware.

Co-op was hit shortly afterwards and proactively shut down parts of its IT environment to contain the damage. Harrods also experienced disruption in the same period. In July 2025, the National Crime Agency arrested four people in connection with the attacks on M&S, Co-op and Harrods.

The important point for smaller firms is not the brand name. It is the method. Attackers did not need a cinematic exploit. They needed a support process that could be persuaded to do something routine.

Why this matters to smaller firms

Two questions matter.

The first is: could your IT provider be the way in? In principle, yes. That does not mean outsourcing is unsafe. It means the provider's verification procedures, access controls and incident response process matter. The UK Cyber Security and Resilience Bill, which extends regulation to managed service providers, and good IT service management practice both point the same way. A capable managed IT support services company should welcome these questions.

The second is: do your customers care about your security yet? Increasingly, yes. The NCSC has encouraged organisations to use Cyber Essentials as a supplier assurance tool, and its Supplier Check tool allows businesses to verify whether suppliers hold Cyber Essentials or Cyber Essentials Plus. The Government’s Cyber Security Breaches Survey 2025/26 found that only 15% of businesses reviewed risks from their immediate suppliers, but larger firms are more likely to do so. This is why IT compliance matters even for businesses that do not think of themselves as compliance-led.

Mapping what you already have

Before writing a policy, list every external party with access to your systems, data or premises. Include your IT provider, payroll provider, accountant, marketing agency, cloud software vendors, payment platforms, maintenance contractors and anyone with admin access.

Ask three questions for each supplier:

What would it cost us if they were down for a week?

What would it cost us if our data was stolen through them?

What would it cost us if an attacker used their access to reach us?

Supplier type, typical risk and a sensible minimum to ask for:

Outsourced IT or helpdesk. Typical risk: privileged access and social engineering. Sensible minimum: Cyber Essentials Plus, access controls and an incident notification clause in the contract.

Cloud or SaaS holding customer data. Typical risk: data loss and account takeover. Sensible minimum: Cyber Essentials or ISO 27001, clarity on backups and data location.

Payment or finance provider. Typical risk: fraud and regulatory exposure. Sensible minimum: MFA, segregation of duties and FCA registration where relevant.

Marketing or professional services with logins. Typical risk: email or platform compromise. Sensible minimum: MFA, data retention rules and an offboarding process.

Contractor with physical access. Typical risk: insider or access risk. Sensible minimum: visitor logging, an access policy and key control.

The point is to rank suppliers by what they can reach, not by how much you spend with them.

Five questions worth asking your IT provider

The M&S service desk story makes these questions essential.

How do you verify someone requesting a password reset or access change?

Is engineer access to our systems permanent, or granted only when needed?

What MFA do you require for your staff and for ours?

How quickly would you notify us if you were compromised?

Do you hold Cyber Essentials Plus, ISO 27001 or another recognised certification?

The first question matters most. A service desk that resets passwords on the strength of a convincing phone call is vulnerable. A desk that requires a callback to the number already on record, manager approval for sensitive accounts, or a structured challenge process is much harder to fool. It is the same principle behind good anti-phishing controls and anti-phishing basics, and it belongs in any anti-phishing policy you create. As an anti-phishing company, we keep coming back to the same point: filters reduce volume, but verification stops targeted attacks.
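One way to make that verification rule enforceable rather than a matter of individual judgement is to write it as a policy check that the desk's tooling runs before a reset is actioned. The following is an added example, not code from this article, from M&S or from any provider: the directory records, phone numbers and tickets are constructed for illustration, and the rule set (callback to the number on record, a structured challenge, and on-record manager approval for privileged accounts) is the one described in the paragraph above.

```python
"""Helpdesk verification policy as code (added example, not the article's or
any vendor's code). Encodes the rules recommended above for a password reset
or access change: ring the requester back on the number already on record, run
a structured challenge, and require the on-record manager's approval for
privileged accounts. Accounts, numbers and tickets below are constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass(frozen=True)
class DirectoryRecord:
    """What the identity/HR system knows about an account. This is the only
    source of truth for callback numbers and managers."""
    username: str
    phone_on_record: str
    manager: str
    privileged: bool  # admin, finance or service-desk accounts


@dataclass
class ResetRequest:
    """What the service desk captured for one reset or access-change ticket."""
    username: str
    channel: str  # "phone", "email" or "chat"
    caller_supplied_number: Optional[str] = None  # whatever the caller offered
    callback_dialled: Optional[str] = None  # number the engineer actually rang
    challenge_passed: bool = False  # structured questions answered from the HR record
    approval_from: Optional[str] = None  # username of the approving manager


@dataclass
class Decision:
    approved: bool
    reasons: List[str] = field(default_factory=list)


# Constructed directory for the example (07700 900xxx is a reserved UK drama range).
DIRECTORY: Dict[str, DirectoryRecord] = {
    "asmith": DirectoryRecord("asmith", "+44 7700 900101", "jbrown", privileged=False),
    "jbrown": DirectoryRecord("jbrown", "+44 7700 900102", "cwhite", privileged=False),
    "svc-admin": DirectoryRecord("svc-admin", "+44 7700 900103", "cwhite", privileged=True),
}


def evaluate(req: ResetRequest, directory: Dict[str, DirectoryRecord] = DIRECTORY) -> Decision:
    """Return an approve/deny decision with every failed rule listed."""
    rec = directory.get(req.username)
    if rec is None:
        return Decision(False, ["account not found in directory"])
    reasons: List[str] = []

    # Rule 1: a callback must have happened, and it must have gone to the
    # directory number. The number the caller offered is recorded for audit
    # but never consulted: "my phone changed, call me on this one" is the
    # classic social-engineering move against a service desk.
    if req.callback_dialled is None:
        reasons.append("no callback performed")
    elif req.callback_dialled != rec.phone_on_record:
        reasons.append("callback dialled a number not on record")

    # Rule 2: the structured challenge must pass regardless of channel.
    if not req.challenge_passed:
        reasons.append("identity challenge not passed")

    # Rule 3: privileged accounts also need approval from the manager on record,
    # not from whoever the caller names as their manager.
    if rec.privileged and req.approval_from != rec.manager:
        reasons.append("privileged account needs approval from manager on record")

    return Decision(approved=not reasons, reasons=reasons)


def process(tickets: List[ResetRequest]) -> List[Decision]:
    """Evaluate a batch of tickets against the policy."""
    return [evaluate(t) for t in tickets]


# Constructed tickets: one legitimate, two that mimic the helpdesk attack pattern.
TICKETS = [
    ResetRequest("asmith", "phone", callback_dialled="+44 7700 900101", challenge_passed=True),
    # Caller claims a new number and the engineer rang that instead of the record.
    ResetRequest("asmith", "phone", caller_supplied_number="+44 7700 900999",
                 callback_dialled="+44 7700 900999", challenge_passed=True),
    # Privileged account; everything done except approval came from a name the caller gave.
    ResetRequest("svc-admin", "chat", callback_dialled="+44 7700 900103",
                 challenge_passed=True, approval_from="jbrown"),
]

if __name__ == "__main__":
    for ticket, decision in zip(TICKETS, process(TICKETS)):
        verdict = "APPROVE" if decision.approved else "DENY"
        detail = "; ".join(decision.reasons) or "all checks passed"
        print(f"{ticket.username:10} {verdict}: {detail}")
```

The design point is in rule 1: the policy compares the number the engineer actually dialled against the directory, and the caller-supplied number plays no part in the decision. If the desk's process lets an engineer "update" the contact number during the same call and then ring it back, the check is defeated, so the directory record should only change through a separately verified path.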

For background, our guides on how to spot a phishing email and on business email compromise cover the same human-layer techniques that attackers use against helpdesks.

What to do when you are the supplier

If you supply larger or regulated businesses, expect tougher questionnaires and contract clauses.

First, consider Cyber Essentials certification. It is the recognised UK baseline, and UK organisations with turnover under £20 million that certify their whole organisation can access included cyber liability insurance. The case is set out in why your business should become Cyber Essentials accredited.

Second, clean up the basics: follow password best practices, control devices through Microsoft Intune, understand why EDR matters, work through endpoint hardening steps and endpoint security for remote teams, and apply the tips for securing your small business network.

Third, be able to demonstrate your controls. Regular network penetration testing helps. The reasoning is covered in network penetration testing explained, the importance of penetration testing in cybersecurity, how often you should run network penetration testing, pen testing versus vulnerability scanning, and common network vulnerabilities and fixes.

Plan as if you will be hit

A good plan covers more than IT. It should include communications, customer notifications, payment workarounds, paper-based fallback processes and clear decision rights. Read our guides on why your business needs a business continuity plan and the small business guide to ransomware.

Backups decide whether you can recover. The principle is explained in cloud to cloud backup, the pitfalls in common cloud backup mistakes, and the case for Microsoft 365 backup is straightforward. Teams on Google should see Google Workspace backup. As a cloud backup company London businesses rely on, we keep saying the same thing: test the restore, not just the backup.

Watch for credentials surfacing where they should not. Dark web monitoring explained covers the basics, what to do if your company credentials appear on the dark web is the playbook, and dark web monitoring versus breach monitoring explains the difference. Our dark web monitoring London service gives that early signal.

Cross-border and multi-site realities

Supply chain risk gets harder across borders. Different offices use different suppliers, and local relationships may not be visible to the central team. Map suppliers country by country and apply consistent minimum standards.

We support this through our European support services and global IT support. If you are consolidating systems, our platform migration London projects can clean up supplier access at the same time. Our consulting team can scope the work, and our security services sit alongside our full range of services.

If you do not want to carry the load internally, outsourcing your IT to an MSP can help; see also why businesses should consider an MSP for their IT needs.

Frequently asked questions

My business is much smaller than M&S. Does this really apply?

Yes. Social engineering works against small businesses too, and larger customers increasingly expect suppliers to prove basic controls.

Was the M&S breach really caused by an outsourced provider?

Public reporting linked the initial route to social engineering of a third-party IT service desk. The lesson is about verification procedures, not that outsourcing itself is unsafe.

Should I bring all IT in-house?

Not necessarily. In-house teams can be social-engineered too. The better question is whether access, verification and incident response are strong enough.

What is Cyber Essentials?

Cyber Essentials is a UK government-backed scheme covering five core technical controls: firewalls, secure configuration, user access control, malware protection and security update management. It is increasingly used as a supplier assurance baseline, and Cyber Essentials Plus adds independent technical verification of those controls.

How do we start mapping supplier risk?

List every supplier with access to your systems, data or premises. Rank them by the impact if that access was abused, then ask about certification, identity verification, MFA and incident notification.

Are we likely to be targeted if we are not a big retailer?

You may not be targeted in the same way, but ransomware-as-a-service and supply chain attacks make smaller firms attractive targets or stepping stones.

A sensible next step

If you do one thing after reading this, list every external party with access to your systems and data, and tier them by risk. If you do a second thing, ask your IT provider the five questions above. If you do a third thing, decide whether Cyber Essentials is your next certification target.

If you would like help mapping supplier risk, running provider conversations, or getting ready for the questions bigger customers will ask, speak to Northern Star. We will help you tighten the chain so that the lesson of M&S and Co-op is one you learn for free, not the hard way.