The recent breach at Marks & Spencer didn’t stem from a technical failure. It began with a phone call.

Attackers impersonated internal engineers and convinced help desk staff to reset passwords and disable multi-factor authentication. That gave them the foothold they needed to access domain credentials, escalate privileges, and ultimately deploy ransomware. Stores reverted to manual operations. Online sales stopped.

For a business built on digital efficiency, the disruption was immediate and serious.

Human error at the heart of it

This wasn’t about gaps in tooling. MFA was active. Security budgets had increased substantially. Yet one moment of misplaced trust was all it took to compromise the system.

That’s not a flaw in the technology; it’s a flaw in how the process was executed.

Social engineering is designed to exploit people under pressure. It preys on urgency, familiarity, and the assumption of legitimacy. And when processes allow for that to happen, for example, when password resets or access changes don’t require verification beyond a single human interaction, the entire security model can be undermined.

Supply chains are now attack surfaces

This breach didn’t originate inside M&S. It started with a smaller third-party contractor. That’s significant. As internal systems become more secure (in this case the front door was firmly shut), threat actors increasingly target suppliers, vendors, and partners instead. A smaller business with privileged access and less mature security makes for an ideal access point.

This is no longer just a vendor management issue. It’s a question of access governance. Which third parties can touch your systems, and under what conditions? How are their credentials managed? And critically, how is their activity monitored?

Where M&S got it right

What’s worth noting, and often overlooked, is how M&S responded. Systems were isolated. Operations reverted to backup processes. Communications were managed. While not perfect, the company followed a plan. Many organisations don’t even have one.

Too often, the real damage in a breach comes not from the attack itself, but from the lack of coordination afterwards. That includes delayed disclosures, unclear roles, or even internal confusion over how to restore systems safely. M&S, for all the headlines, showed what it looks like to act on a well-rehearsed plan.

That’s a lesson in itself.

What businesses need to take away

The lessons here extend far beyond the particulars of the breach. At their core, they reinforce the idea that cybersecurity is not a matter of investment alone, but of clarity and preparedness.

Organisations must begin by reinforcing basic access procedures. A password reset or privilege escalation should never rely on a single interaction. There needs to be structured verification. This can happen through independent confirmation, callback procedures, or internal controls that can’t be overridden under pressure.
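As an added illustration (not code from the article or from BMIT), the workflow below models the point above: a password reset or MFA disable is held until two independent checks pass, a callback to the contact number already on file and a sign-off from the manager of record who is not the agent handling the call, with no urgency flag or override path. The directory, account names and phone numbers are constructed sample data.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import List, Optional
class Action(Enum):
    PASSWORD_RESET = "password_reset"
    MFA_DISABLE = "mfa_disable"

# Constructed directory of record: the ONLY source of callback numbers and approvers.
DIRECTORY = {
    "j.smith": {"phone_on_file": "+44-20-0000-0001", "manager": "a.jones"},
    "a.jones": {"phone_on_file": "+44-20-0000-0002", "manager": "c.brown"},
}

@dataclass
class HighRiskRequest:
    account: str
    action: Action
    opened_by: str  # help-desk agent who took the original call
    callback_confirmed_to: Optional[str] = None
    approved_by: Optional[str] = None
    audit: List[str] = field(default_factory=list)

    def record_callback(self, number_dialled: str) -> None:
        # Counts only if dialled to the number on file, never one the caller supplied.
        if number_dialled != DIRECTORY[self.account]["phone_on_file"]:
            self.audit.append(f"callback to {number_dialled} rejected: not on file")
            return
        self.callback_confirmed_to = number_dialled
        self.audit.append(f"callback confirmed via {number_dialled}")

    def record_approval(self, approver: str) -> None:
        # Must be the manager of record and not the agent who opened the ticket.
        if approver != DIRECTORY[self.account]["manager"] or approver == self.opened_by:
            self.audit.append(f"approval by {approver} rejected")
            return
        self.approved_by = approver
        self.audit.append(f"approved by {approver}")

    def can_execute(self) -> bool:
        # Both checks are required; there is deliberately no "urgent" flag or bypass.
        return self.callback_confirmed_to is not None and self.approved_by is not None

def handle(req: HighRiskRequest) -> str:
    """Execute the change only once both checks hold; otherwise hold the ticket."""
    if not req.can_execute():
        req.audit.append(f"{req.action.value} for {req.account} held pending verification")
        return "held"
    req.audit.append(f"{req.action.value} for {req.account} executed")
    return "executed"
```

The audit list gives the monitoring side something to alert on: repeated rejected callbacks or approvals against one account are exactly the pattern a help-desk-targeted social engineering attempt leaves behind.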

Equally important is the need to scrutinise third-party access. It’s not enough to assess vendors once and move on. Access should be reviewed regularly, not just technically but contractually, and every external relationship should be treated as a potential risk vector.

This ties directly into the question of preparedness. Every business, regardless of size, should have an incident response plan that clearly defines roles, communication channels, and recovery procedures. That plan should be stress-tested, rehearsed, and updated as the environment evolves.

A well-executed tabletop exercise (TTX), by way of example, helps expose gaps in your response plan, clarify roles under pressure, and build the mindset needed to respond decisively when real threats emerge.

Yet these practical steps will always fall short without senior ownership. Security cannot remain an IT silo. It needs to be treated as a governance issue, driven by leadership and supported by external expertise where internal resources are limited. Governance is what ensures that good advice becomes consistent action, and that priorities align with risk.

Just as critical is the need for active threat monitoring and timely response. Managed detection and response (MDR) services are becoming essential for those without round-the-clock internal capabilities. Having visibility isn’t enough – there must be capacity to act when anomalies surface.

But perhaps the most enduring lesson from this breach is cultural. M&S’s attackers didn’t find a backdoor; they persuaded their way in. That highlights the role of culture in resilience. Teams must be trained to spot suspicious behaviour, yes, but more than that, they need to feel confident pushing back, questioning instructions, and slowing things down when something doesn’t feel right. Security, at its heart, depends on behaviour as much as infrastructure.

Final thought

There’s no such thing as a secure organisation. However, there is one that’s well-prepared. The M&S breach was serious, but it wasn’t unique. The methods used are familiar. The access paths are common. The difference is how organisations anticipate, prepare for, and respond to these moments.

Smaller businesses might assume they’re not targets. In truth, they often face higher risk because the same level of resilience isn’t in place. But you don’t need a massive budget to get the fundamentals right. You need clarity, process, and a culture that understands cyber risk isn’t someone else’s problem.

In the end, resilience is measured not just by how well you prevent a breach, but by how effectively you respond when it happens.

Christian Bajada is Head of Information Security at BMIT Technologies plc.
