
Wake-Up Call for Cybersecurity: Lessons from M&S, Co-op & Harrods Attacks


The recent cyberattacks on M&S, Co-op, and Harrods were more than just security breaches — they served as urgent warnings for every IT leader charged with protecting digital systems. These weren’t random hacks; they were carefully orchestrated, multi-step campaigns that attacked the most vulnerable link in any cybersecurity framework: human error.

From these headline incidents, here are five critical lessons that every security leader must absorb — and act upon — immediately:

1. Your people are your greatest vulnerability — and your strongest defense

Here’s a harsh truth: the user is now your perimeter. You can pour resources into state-of-the-art firewalls, zero trust frameworks, or top-tier intrusion detection, but if one employee is duped into resetting a password or clicking a malicious link, your defenses don’t matter.

That’s exactly how these attacks succeeded. The threat actor group Scattered Spider, renowned for its social engineering prowess, didn’t need to breach complex systems — they simply manipulated an IT help desk employee into granting access. And it worked.

This underscores the need for security awareness programs that go far beyond once-a-year compliance videos. You must deploy realistic phishing simulations, hands-on attack drills, and continuous reinforcement. When trained properly, employees can be your first line of defense. Left untrained, they become the attackers’ easiest target.

Rule of thumb: You can patch servers, but you can’t patch human error. Train unceasingly.

2. Third-party risk is not someone else’s problem — it’s yours

One of the most revealing takeaways: many of the breaches occurred not because of internal vulnerabilities, but through trusted external partners. For instance, M&S was breached via Tata Consultancy Services (TCS), their outsourced IT help desk provider.

This is not an outlier. According to a recent Global Third-Party Breach Report, 35.5% of all breaches now originate from third-party relationships, a rise of 6.5% over the previous year. In the retail sector, that figure jumps to 52.4%. As enterprises become more interconnected, attackers no longer need to breach your main systems — they target a trusted vendor with privileged access.

Yet many organizations treat third-party risk as a checkbox in contracts or an annual questionnaire. That’s no longer sufficient. You need real-time visibility across your entire digital supply chain: vendors, SaaS platforms, outsourced IT services, and beyond. Vet them with rigorous scrutiny, enforce contractual controls, and monitor continuously. Because if they fall, you may fall too.

3. Operational disruption is now a core component of a breach

Yes, data was stolen, and customer records compromised. But in the M&S and Co-op cases, the more devastating impact was business paralysis. M&S’s e-commerce system was down for weeks. Automated ordering failed, stores ran out of stock. Co-op’s funeral operations had to revert to pen and paper; supermarket shelves went bare.

Attackers are shifting tactics. Modern ransomware gangs don’t just encrypt files — they aim to force operational collapse, leaving organizations with no choice but to negotiate under duress. In fact, 41.4% of ransomware attacks now begin via third-party access, with a clear focus on disruptive leverage.

If your operations halt, brand trust erodes, customers leave, and revenue evaporates. Downtime has become as critical as data loss, or more so. Plan your resilience accordingly.

4. Create and rehearse robust fallback plans — B, C, and D

Hope is not a strategy. Far too many organizations have incident response plans in theory, but when the pressure mounts, they crumble. Without rehearsal, your plan is fragile.

The M&S and Co-op incidents revealed how recovery is agonizingly slow when systems aren’t segmented, backups aren’t isolated, or teams lack coordination. Ask yourself: can your organization continue operations if your core systems are compromised?

Do your backups adhere to the 3-2-1 rule, and are they immutable?

Can you communicate with staff and customers securely, without alerting the attacker?

These aren’t hypothetical scenarios — they’re the difference between days of disruption and a multi-million loss. Tabletop simulations and red teaming aren’t optional; they’re your dress rehearsals for the real fight.
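As an added example (not code from the original post), here is a small Python check that scores a backup inventory against the 3-2-1 rule and the immutability question raised above. The inventory, its field names and the function names are constructed assumptions for illustration; the weak inventory shows how 3-2-1 can be satisfied on paper while every copy is still deletable by a compromised admin account.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class BackupCopy:
    """One copy of the data (the production copy counts as one of the three)."""
    name: str
    media: str        # e.g. "disk", "tape", "object-storage"
    offsite: bool     # held outside the primary site / network
    immutable: bool   # WORM or object-lock: cannot be altered or deleted during retention
    offline: bool     # not reachable from the production network at all


# Constructed inventories (assumed values, not from any real organisation).
GOOD_INVENTORY = [
    BackupCopy("prod-db-primary", "disk", offsite=False, immutable=False, offline=False),
    BackupCopy("nightly-nas", "disk", offsite=False, immutable=False, offline=False),
    BackupCopy("cloud-objectlock", "object-storage", offsite=True, immutable=True, offline=False),
]

# Same shape, but the offsite copy is a plain sync that admin credentials can wipe.
WEAK_INVENTORY = [
    BackupCopy("prod-db-primary", "disk", offsite=False, immutable=False, offline=False),
    BackupCopy("nightly-nas", "disk", offsite=False, immutable=False, offline=False),
    BackupCopy("cloud-sync", "object-storage", offsite=True, immutable=False, offline=False),
]


def check_backups(copies):
    """Evaluate 3-2-1 (3 copies, 2 media types, 1 offsite) plus one
    copy that a compromised domain admin cannot delete or encrypt."""
    findings = {
        "three_copies": len(copies) >= 3,
        "two_media": len({c.media for c in copies}) >= 2,
        "one_offsite": any(c.offsite for c in copies),
        "one_immutable_or_offline": any(c.immutable or c.offline for c in copies),
    }
    findings["compliant"] = all(findings.values())
    return findings


def failing_controls(copies):
    """Names of the controls that are not met, in a stable order."""
    findings = check_backups(copies)
    return [name for name, ok in findings.items() if name != "compliant" and not ok]


if __name__ == "__main__":
    print("good:", failing_controls(GOOD_INVENTORY))   # []
    print("weak:", failing_controls(WEAK_INVENTORY))   # ['one_immutable_or_offline']
```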

5. Transparency is essential to regaining trust

Once a breach occurs, your public response is as critical as what you do behind the scenes. Tech-savvy customers see when services are down or stock is missing. If you stay silent, rumor and distrust fill the void.

Some companies attempted to withhold information initially. But Co-op CEO Shirine Khoury-Haq chose to speak up, acknowledged the breach, apologized openly, and took responsibility. That level of transparency — though hard — is how you begin to rebuild trust.

Customers may forgive a breach; they will not forgive a cover-up. You must communicate clearly, swiftly, and honestly: what you know, what steps you’re taking, and what those affected should do to protect themselves. If you don’t control the narrative, attackers or the media will. And regulators will be watching — under GDPR and similar regimes, delayed or misleading disclosures are liabilities, not discretion.

Cybersecurity is no solo sport — no organization can outpace today’s evolving threats alone. But by absorbing the lessons from these prominent breaches and fortifying your people, processes, and partners, we can elevate the collective defense.

Cyber resilience is not a destination but a discipline — in our connected world, it’s the only path forward.