Marks & Spencer boss Stuart Machin revealed this week how much he valued the support and advice of other bosses who had also been targeted by cyber criminals. Such attacks are now all too common, so let’s ensure the issue remains high on retail’s agenda, says Retail Week editor-in-chief Charlotte Hardie.

After a tumultuous few weeks for Marks & Spencer, all eyes turned to the retailer this week as it revealed its full-year results. Profit before tax and adjusting items was up 22.2% at £875.5m for the period, the highest level in over 15 years.

The recent cyber attack in some ways appeared even more cruel and brutal when you consider the stellar achievements of M&S in recent years, all brought about by hard-working colleagues. It risked undoing so much good at the nation’s much-loved retailer, and the effect will be felt for some time yet, on top of an estimated £300m cost.

Chief executive Stuart Machin handled the situation perfectly. Aided by a well-honed comms team, he provided an honest, clear explanation of what had happened and why. He was also candid in his summary of the impact on colleagues and had practical, unpatronising advice to the wider industry. In short, it was a well-communicated PR masterpiece.

What is clear is that no business, irrespective of tech solutions, risk assessments, cyber attack simulations or protocols (as M&S had in place), can be immune to the risk. Given extraordinarily difficult circumstances, M&S has handled the situation impeccably.

There is good that will come out of this. I’ll be honest in saying that before the M&S case, any content on cyber security that the Retail Week team has published has often gone largely unnoticed.

To be frank, no matter what the headline, or how important we said the issue was, people just view the issue as a little boring. Let’s just say the sound of clicks on cyber security-related analysis was hardly deafening. Likewise, the tumbleweed rolled when we put out requests for retailers to speak on the very real issue at our events.

Pre the attack on M&S, getting people to engage with cyber security was like pulling teeth.

The way M&S has handled this disaster has made cyber security less taboo. The entire country, it seems, now knows that this can hit even the biggest of brands. It has in a sense democratised the nation’s awareness of the issue.

It’s also rallied the industry. Retail may be competitive, but it’s also supportive. As Machin said this week: “So many chief executives have called me over the last few weeks, going through similar stories in their businesses, albeit maybe not as public as ours. I really appreciated them getting in touch, sharing their experience, advice and offering support.”

This statement also cleverly highlights the extent of the issue and the fact that M&S is far from alone. Cases are very often swept under the carpet in the bid for damage limitation. One fashion retailer I know of was hit and its data held to ransom. The hackers in question had £1m wired to their account in a matter of days, such was the retailer’s keenness to throw cash at the problem and move on with its retail life. And who can blame them? Perhaps that £1m price tag would have been a lot heftier if they’d tried an alternative route.

Looking ahead, cyber attacks are a very real and all-too-common issue that requires greater levels of candour in order to find solutions. M&S has said it will use the disruption to bring forward investment. Its plans to boost resilience include accelerating infrastructure upgrades and boosting network connectivity. It can afford to weather the storm. But similar attacks may prove deadly for smaller brands with less cash in the bank, less experienced leaders in the business and less operational resilience.

So at the very least, let’s keep the issue alive, let’s keep talking about risk, resilience and solutions. Let’s ensure entire workforces are aware and everyone is accountable. Let’s keep rallying around those affected. Because the industry doesn’t need another challenge right now.

For the record, the number of clicks on cyber security content on retail-week.com in the last few weeks has been extremely healthy. It will be interesting to see if, once the dust thrown up by the M&S attack has settled, that continues.