It’s been a month since the hacker group known as DragonForce gained access to Marks and Spencer’s IT systems, but the headache has yet to settle for the UK retailer. Now seems the right time to talk about the security lessons that can be taken away from this.
M&S is still struggling to regain control of its systems following the massive cyberattack, which also targeted fellow retailer the Co-op. This is not dissimilar to the 2020 cyberattack on EasyJet, which saw more than 2.2k customers’ credit and debit card details stolen; however, a statement from the retailer’s Chief Executive said that no usable customer payment or card details were exposed.
There have been some big attacks on companies in the last two decades, but it is always quite humbling when such news surfaces in the mainstream media. The question is: why and how are cyberattacks still succeeding against these large companies despite the expensive and rigid countermeasures they put in place? Have there not been enough recent examples to learn from? Well, criminals will always exist. As long as there is a benefit, these groups and individuals will continue to find new and more sophisticated ways to attack. Here are five key security lessons we should take away from this recent hack.
#1 Secure Third-Party Systems
Organisations now need to conduct rigorous third-party risk management. A website may have top-notch defences against cyberattack and still be let down by a weakness in one of its third-party services. Such was the case with M&S: it has now emerged that the hackers behind the breach gained access via a compromised third-party system.
Vendor Due Diligence – The M&S breach is believed to have originated through a compromised third-party system. It is crucial to conduct thorough security assessments of all third-party vendors and partners who have access to your systems or data. This includes evaluating their security policies, certifications (e.g., ISO 27001, SOC 2), and incident response capabilities.
Secure Integrations & Least Privilege – Organisations should ensure that any integrations with third-party services are secure and that vendors are granted only the minimum level of access necessary to perform their functions (principle of least privilege). Regularly review and audit third-party access.
Contractual Obligations – Organisations should be sure to include clear cybersecurity requirements and breach notification protocols in contracts with third-party vendors.
#2 Ensure Your People Are Well Trained
It is just as important (if not more so) to ensure that your staff are security trained as it is to have system protections in place. Companies must foster a strong security culture through continuous security training. Human error remains a significant factor in many breaches. Conduct regular cybersecurity awareness training for all employees, covering topics such as phishing and social engineering (key tactics used by groups like DragonForce), strong password practices, secure use of email and internet, and how to report suspicious activities.
Phishing Simulations – Companies should periodically run phishing simulation campaigns to test employee awareness and reinforce training.
Security Champions & Clear Reporting Channels – Companies should encourage a culture where security is everyone’s responsibility. Designate security champions within different departments and establish clear, accessible channels for employees to report potential security incidents without fear of reprisal.
#3 Proactive Vulnerability Management & Systems Patching Procedure
Companies should regularly scan all systems, applications, and networks for known vulnerabilities. Supplement this with periodic penetration testing conducted by independent security professionals to simulate real-world attack scenarios and identify exploitable weaknesses. The M&S attack reportedly involved the exploitation of known vulnerabilities; proactive identification and remediation are key.
Timely Patch Management – Companies need to establish a rigorous patch management process to ensure that all software (operating systems, web servers, content management systems, plugins, third-party applications) is updated with the latest security patches as soon as they become available. Prioritise critical vulnerabilities based on their severity and potential impact.
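The prioritisation step above is where most patch programmes go wrong: queues ordered by CVSS alone put an internal, unexploited 8.1 ahead of an internet-facing 6.5 that is being exploited against card-handling systems. The script below is an added example (not code from the article or from M&S) that ranks constructed sample findings by severity weighted with exposure and business impact, assigns a remediation deadline, and separates "patch" from "mitigate" where no vendor fix exists yet. The CVE identifiers are placeholders, and the weights and SLA thresholds are assumptions a team would tune to its own risk appetite.

```python
"""Rank vulnerability findings into a patch/mitigation queue.

Added example, not code from the original article. The findings are
constructed sample data with placeholder CVE identifiers, and the scoring
weights and SLA thresholds are illustrative assumptions that each
organisation would tune to its own risk appetite.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    asset: str
    software: str
    cve: str                 # placeholder ids, not real CVE numbers
    cvss: float              # base severity score, 0.0 to 10.0
    exploited_in_wild: bool  # known to be actively exploited
    internet_facing: bool    # reachable from the public internet
    holds_card_data: bool    # asset processes or stores payment data
    patch_available: bool    # vendor has shipped a fix


def priority_score(f: Finding) -> float:
    """Severity alone is not enough: weight it by exposure and impact (assumed weights)."""
    score = f.cvss
    if f.exploited_in_wild:
        score += 4.0   # active exploitation outweighs a high-but-theoretical score
    if f.internet_facing:
        score += 2.0
    if f.holds_card_data:
        score += 2.0
    return round(score, 1)


def sla_days(score: float) -> int:
    """Remediation deadline in days for a given priority score (assumed thresholds)."""
    if score >= 14.0:
        return 1
    if score >= 10.0:
        return 7
    if score >= 7.0:
        return 30
    return 90


def prioritise(findings):
    """Return the patch queue, most urgent first, with the action to take."""
    queue = []
    for f in sorted(findings, key=priority_score, reverse=True):
        score = priority_score(f)
        queue.append({
            "asset": f.asset,
            "software": f.software,
            "cve": f.cve,
            "score": score,
            "sla_days": sla_days(score),
            # no patch yet means a compensating control (isolate the host,
            # restrict access) must be applied within the same SLA
            "action": "patch" if f.patch_available else "mitigate (no vendor patch yet)",
        })
    return queue


# Constructed sample findings (placeholder CVE ids).
SAMPLE_FINDINGS = [
    Finding("web-store-01", "cms-plugin", "CVE-YYYY-0001", 9.8, True, True, False, True),
    Finding("app-server-02", "java-runtime", "CVE-YYYY-0002", 8.1, False, False, False, True),
    Finding("pos-gateway-03", "payment-sdk", "CVE-YYYY-0003", 6.5, False, True, True, False),
    Finding("dev-laptop-04", "office-suite", "CVE-YYYY-0004", 5.3, False, False, False, True),
]

if __name__ == "__main__":
    for item in prioritise(SAMPLE_FINDINGS):
        print(f"{item['sla_days']:>3}d  {item['score']:>5}  {item['asset']:<15} "
              f"{item['cve']}  {item['action']}")
```

Run as a script it prints the queue; the point to notice is that the exploited, internet-facing finding gets a one-day deadline, and the payment gateway with no vendor patch still lands above the higher-CVSS internal server and is marked for mitigation rather than silently dropped.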
#4 Comprehensive Data Security and Incident Response Plan
Data Encryption – Organisations should always encrypt sensitive data both at rest (when stored) and in transit (when transmitted over networks) to protect it from unauthorised access even if a breach occurs.
Regular Data Backups & Recovery – Organisations should implement a robust data backup strategy, ensuring that critical data is backed up regularly, stored securely (ideally offsite and offline), and that restoration procedures are tested frequently. This is crucial for recovery from ransomware attacks.
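A backup that has never been restored is an assumption, not a recovery plan. The following is an added example (not code from the article or from M&S) of the restore test the paragraph calls for: it backs up a small constructed data set, restores it to a separate directory, and compares per-file SHA-256 hashes, then shows the same check correctly reporting a backup as stale once the source has changed. Everything runs inside a temporary directory; in practice the identical check would run on a schedule against a real archive restored to a scratch host.

```python
"""Back up a directory, restore it elsewhere and prove the restore matches.

Added example, not code from the original article. It works on a small
constructed data set inside a temporary directory so it runs offline; in
practice the same check runs against a real backup, restored to a scratch
host, on a schedule.
"""
import hashlib
import tarfile
import tempfile
from pathlib import Path


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot_hashes(root):
    """Map every file under root (relative POSIX path) to its SHA-256."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def create_backup(source_dir, archive_path):
    """Write a gzip tarball of source_dir and return the archive's own hash,
    recorded alongside the file hashes so tampering with the archive itself
    is also detectable."""
    with tarfile.open(str(archive_path), "w:gz") as tar:
        tar.add(str(source_dir), arcname=".")
    return sha256_file(archive_path)


def _safe_extract(tar, dest):
    """Refuse archive members that would escape dest or are not plain files/dirs."""
    dest = Path(dest).resolve()
    for member in tar.getmembers():
        target = (dest / member.name).resolve()
        if target != dest and dest not in target.parents:
            raise ValueError(f"unsafe path in archive: {member.name}")
        if not (member.isfile() or member.isdir()):
            raise ValueError(f"unexpected member type: {member.name}")
    # use the hardened 'data' filter where the running Python provides it
    kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
    tar.extractall(str(dest), **kwargs)


def verify_restore(archive_path, expected_hashes, restore_dir):
    """Restore the archive into restore_dir and compare with the expected hashes."""
    Path(restore_dir).mkdir(parents=True, exist_ok=True)
    with tarfile.open(str(archive_path), "r:gz") as tar:
        _safe_extract(tar, restore_dir)
    restored = snapshot_hashes(restore_dir)
    missing = sorted(set(expected_hashes) - set(restored))
    corrupted = sorted(f for f in expected_hashes
                       if f in restored and restored[f] != expected_hashes[f])
    return {"ok": not missing and not corrupted,
            "missing": missing, "corrupted": corrupted}


def run_restore_test():
    """End-to-end drill on constructed data: a fresh backup verifies, then the
    source changes and the same backup is correctly reported as stale."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "data"
        (src / "orders").mkdir(parents=True)
        (src / "orders" / "2025-05.csv").write_text("order_id,total\n1,19.99\n")
        (src / "config.yaml").write_text("retention_days: 30\n")
        archive = Path(tmp) / "backup.tar.gz"
        expected = snapshot_hashes(src)       # manifest taken at backup time
        create_backup(src, archive)
        fresh = verify_restore(archive, expected, Path(tmp) / "restore-1")
        # the source moves on after the backup was taken ...
        (src / "config.yaml").write_text("retention_days: 90\n")
        stale = verify_restore(archive, snapshot_hashes(src), Path(tmp) / "restore-2")
        return {"fresh": fresh, "stale": stale}


if __name__ == "__main__":
    print(run_restore_test())
```

The manifest of file hashes is what makes the drill meaningful: it is captured when the backup is taken and stored with the archive (ideally on the offline copy), so a later restore can be judged against what the data looked like at that moment rather than against whatever the live system contains today.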
Develop and Test an Incident Response Plan – Organisations should have a well-documented incident response plan that outlines procedures for detecting, containing, eradicating, and recovering from a cyberattack. This plan should include roles and responsibilities, communication strategies (internal and external), and steps for forensic investigation. Regularly conduct tabletop exercises and simulations to ensure the plan’s effectiveness and that all stakeholders understand their roles.
#5 Implement a Robust Multi-Layered Security Architecture
Organisations should maintain strong Access Controls & Multi-Factor Authentication (MFA) policies across all of their IT infrastructure. They should enforce strong, unique passwords for all accounts and mandate MFA across all critical systems, including employee logins, administrative interfaces, and customer accounts. This significantly reduces the risk of credential stuffing and unauthorised access, common attack vectors.
Network Segmentation & Firewalls – Organisations need to divide their network into smaller, isolated segments to limit the lateral movement of attackers in case of a breach. Utilise properly configured firewalls to control traffic flow between these segments and block malicious connections.
Intrusion Detection/Prevention Systems (IDS/IPS) – Organisations must deploy IDS/IPS solutions to monitor network and/or system activities for malicious behaviour and policy violations. These systems can automatically block or alert on suspicious activities, providing an early warning of potential attacks.
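Credential stuffing, named in the MFA paragraph above, is one of the behaviours an IDS or a SIEM correlation rule can surface from ordinary authentication logs: one source address failing against many different accounts in a short window, which a legitimate user mistyping their own password never does. The script below is an added example (not code from the article or from M&S) of such a rule run over constructed log lines; the log format is invented, the addresses come from the RFC 5737 documentation ranges, and the window and account thresholds are assumptions a team would tune on its own traffic. A subsequent successful login from a source that already tripped the rule is escalated, because that account is the one that needs an MFA challenge and a forced reset.

```python
"""Detect credential-stuffing bursts in authentication logs.

Added example, not code from the original article. The log format and the
log lines are constructed; the source addresses come from documentation
ranges (RFC 5737). Thresholds are assumptions a team would tune on its own
traffic.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timezone

# Constructed format: "<ISO-8601 UTC> auth_ok|auth_fail user=<name> src=<ip>"
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) auth_(?P<result>ok|fail) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_line(line):
    """Return (timestamp, result, user, src) or None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ts, m["result"], m["user"], m["src"]


def detect_credential_stuffing(lines, window_seconds=60, distinct_users=5):
    """One source failing against many *different* accounts inside the window
    is the stuffing signature. A later successful login from a source that
    already tripped the rule is escalated to high severity."""
    failures = defaultdict(deque)   # src -> recent (ts, user) failures
    flagged = set()                 # sources that already raised a burst alert
    alerts = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue                # malformed lines are skipped, not fatal
        ts, result, user, src = parsed
        recent = failures[src]
        while recent and (ts - recent[0][0]).total_seconds() > window_seconds:
            recent.popleft()        # slide the window forward
        if result == "fail":
            recent.append((ts, user))
            users = {u for _, u in recent}
            if len(users) >= distinct_users and src not in flagged:
                flagged.add(src)
                alerts.append({
                    "severity": "medium", "src": src, "user": None,
                    "reason": f"{len(users)} distinct accounts failed from one "
                              f"source within {window_seconds}s",
                })
        elif src in flagged:
            alerts.append({
                "severity": "high", "src": src, "user": user,
                "reason": "successful login from a source already flagged "
                          "for credential stuffing",
            })
    return alerts


# Constructed sample log: one stuffing source (203.0.113.5) and one legitimate
# user (alice from 198.51.100.7) who mistypes her password twice.
SAMPLE_LOG = [
    "2025-05-01T10:00:00Z auth_fail user=alice src=203.0.113.5",
    "2025-05-01T10:00:05Z auth_fail user=bob src=203.0.113.5",
    "2025-05-01T10:00:07Z auth_fail user=alice src=198.51.100.7",
    "2025-05-01T10:00:10Z auth_fail user=carol src=203.0.113.5",
    "2025-05-01T10:00:12Z auth_fail user=alice src=198.51.100.7",
    "2025-05-01T10:00:15Z auth_fail user=dave src=203.0.113.5",
    "2025-05-01T10:00:18Z auth_ok user=alice src=198.51.100.7",
    "2025-05-01T10:00:20Z auth_fail user=erin src=203.0.113.5",
    "2025-05-01T10:00:25Z auth_fail user=frank src=203.0.113.5",
    "2025-05-01T10:00:30Z auth_ok user=frank src=203.0.113.5",
    "malformed line that the parser must skip",
]

if __name__ == "__main__":
    for alert in detect_credential_stuffing(SAMPLE_LOG):
        print(alert)
```

The rule keys on distinct accounts per source rather than on raw failure counts, which is what keeps alice's two typos from 198.51.100.7 out of the alert list; the same shape of rule, keyed on one account across many sources, catches the distributed variant where the attacker rotates addresses.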
Endpoint Detection and Response (EDR) – Organisations should secure all endpoints (servers, workstations, mobile devices) with advanced EDR solutions that can detect, investigate, and remediate threats on these devices.