Stop panicking and start protecting: what we can learn from recent cybersecurity breaches and how to better protect your business

A recent surge of cyberattacks against UK retailers have put cybersecurity back in the headlines in a big way. From M&S to Co-op to Harrods, these incidents have resulted in severe operational disruptions, data breaches, financial losses and reputational impact that’s going to take some time to put right.

The attacks on these three retailers were all ransomware incidents. Ransomware is a type of malicious software (malware) that blocks access to systems or encrypts data, then demands payment (a ransom) from the victim to restore access.

‍

M&S, in particular, suffered hundreds of millions in lost profits. Bringing the risks of vulnerabilities back to the front of mind for business owners of companies of all sizes.

‍

But we’re not here to stoke fear about the attacks. We’re here to highlight the learning opportunities. The ‘good’ news is that each of these attacks exploited weaknesses in either digital infrastructure or human fallibility, or a combination of the two. And they’re both vulnerabilities that can be proactively, and effectively, mitigated.

‍

This blog takes a look at some of the key features of the attacks, and provides practical guidance on protecting your business against them.

‍

Assessing the vulnerability: the attack surface

‍

Let’s start by considering the attack surface. An ‘attack surface’ refers to the sum of all possible points where an unauthorised user can access or exploit a system, network or application. The smaller the attack surface, the less vulnerable your business is. But given the ever-increasing number of devices and software apps that businesses rely on, the attack surface for organisations of all kinds will only continue to grow. For the recent spate of UK attaches, the attack surface included:

• Employee accounts and credentials: Attackers targeted staff, especially those with privileged access, to obtain credentials, often by impersonating employees.
• IT helpdesks: Attackers focused on IT support processes, manipulating helpdesks into resetting credentials or granting access.
• ‍Remote access tools: Once inside, attackers used legitimate remote access tools to move within networks, blending in with regular activity.
• ‍Third-party vendors: Another high profile attack on Adidas, while not ransomware, demonstrated that customer data could be compromised via external service providers.
• ‍POS and online platforms: Retailers’ online ordering, payment and click-and-collect systems were prime targets, resulting in widespread service outages and financial loss.

‍

Offering a solution

Firstly, regular cyber risk assessments are critical to identify and address vulnerabilities in systems, networks and third-party connections. In terms of network infrastructure, critical systems like POS and back-office operations should be completely segmented from public or employee devices. 

‍

We recommend that all IoT devices and cloud services, across your business, are securely configured and continuously monitored. It's equally important that you extend your cybersecurity standards and compliance requirements to all vendors and supply chain partners, helping to create a more resilient and secure ecosystem overall.

‍

Assessing the vulnerability: attack techniques

To better understand and defend against cyber threats, it's important to recognise the tactics used to breach organisational defenses. The following techniques were observed in the recent UK cyber attacks. By understanding them, you’ll be better equipped to identify early warning signs and strengthen internal operations.

‍

• ‍Social engineering and phishing: Attackers used highly convincing phishing campaigns to trick staff into revealing credentials or enabling access.
• ‍Helpdesk impersonation: Attackers posed as employees, convincing IT support to reset passwords or bypass multi-factor authentication.
• ‍Remote access via legitimate tools: After gaining credentials, attackers used standard admin tools to navigate networks.
• ‍Ransomware deployment: Once access was secured, ransomware was deployed to encrypt systems and exfiltrate sensitive data. Attackers then demanded ransom for both decryption and non-disclosure of stolen data.
• ‍Supply chain exploitation: Attacks on third-party vendors and platforms enabled access to broader sets of customer data.

‍

Offering a solution

The attacks highlight how both human vulnerabilities (social engineering, helpdesk manipulation) and tech tools and processes (remote access) can be exploited. 

‍

Mitigating human fallibility 

A robust security strategy and incident response plan is key, covering technology, processes and people both in-house and across your supply chain. Third-party risk management should be a key part of your cybersecurity strategy, and staff awareness should be maintained through frequent, targeted training to help employees recognise and respond to phishing and social engineering attempts. 

‍

We also recommend implementing multi-factor authentication (MFA) across all employee, admin and remote access accounts, verifying internal support processes and closely monitoring vendor access. 

‍

Building protection into the tech

Deploying advanced endpoint protection and AI-powered threat detection can help you identify and block threats early. Regularly updating and patching systems, including terminals and mobile devices, will also help close known vulnerabilities. Network-level patch management can and should be automated, to relieve the burden on your team, spot security vulnerabilities faster and proactively deploy updates. 

‍

AI-powered network platforms like Juniper Mist automate the process of updating firmware and applying security patches. This is particularly beneficial in sectors like retail, or in businesses with multiple branches - anywhere where there are distributed devices trying to access the network. Manual patching is error-prone and time-consuming; by automating it, you keep your infrastructure up to date and secure proactively.

‍

Lessons learned and key takeaways

As we pointed out at the beginning of this blog, the vulnerabilities that led M&S, Co-op and Harrods into such difficulties can all be traced back to digital infrastructure and / or human error. Here are the key things to keep in mind when evolving your cybersecurity strategy to protect your business against similar threats.

‍

• Protection through your people: most breaches began with the manipulation of people, not technology. Staff training and awareness are critical to foster a culture of awareness and alertness, and make security a shared responsibility.
• Proactive access management: credential and access management is not a set and forget process. Robust controls on password resets, MFA, and privileged access are essential. Helpdesk processes must be hardened against impersonation attempts.
• Reassess remote access: Restrict and closely monitor the use of remote administration tools to prevent lateral movement by attackers.
• Secure the supply chain: Ensure third-party vendors adhere to strong security standards, as their compromise can directly impact your business.
• Incident response beyond IT: Your crisis management plan should cover communications, logistics and customer service. Importantly, fast isolation of affected systems can limit damage, so ensure your network is well segmented - and consider AI-empowered monitoring tools that can spot and fix faults faster than humans can.
• Always on audits: Regularly review and test security controls, patch vulnerabilities and simulate attacks to identify weaknesses before potential bad actors do.
• Assurance through ‘analogue’: Maintain regular, offline backups of critical business data to enable swift restoration after a ransomware event. 

‍

Zero in on ultimate peace of mind

Businesses should strongly consider moving towards a Zero Trust model. With remote work, cloud services and mobile access on the up, the traditional security model, where everything inside the network is trusted, is outdated. 

A zero trust security model is an approach that assumes no user, device, or application is inherently trusted, regardless of whether they are inside or outside the network perimeter. That means that every user or device that attempts to connect to your network is always verified.

‍

Increase security without the huge overheads

A robust cyber security posture is key to protecting both revenue and reputation. But improving that posture means dedicating resources to acting against threats in real time, and knowing what’s coming next. 

‍

That’s why we’ve built a CSOC - or Cyber Security Operations Centre - offer; so businesses can enjoy the reassurance and responsiveness of one point of contact across both their network infrastructure and security management. Our team of experts remove risk, secure data and streamline compliance, protecting your business against current threats and building resilience in the face of future challenges.

‍

For a limited time, we’re offering a free penetration test to help you quickly identify vulnerabilities and provide advice on defence against cyber threats. We'll help you understand your risk profile and prioritise security measures. If you’d like to learn more, please get in touch.

‍