M&S chair: UK needs to muscle up to tackle cyber threats

M&S, the FTSE 100 retail giant, has been battling a cyber attack since late April. Credit – Getty.

M&S chair Archie Norman has said the UK is probably under-resourced to tackle cyber threats and needs to boost its security level to encourage investment.

Speaking to lawmakers on Tuesday, Norman said that the UK is “just not resourced up to operate at [the US] level.”

“It’s very advantageous if we in this country have leading cyber security experts, because we have a cyber services industry,” he said, adding that it should be “our aspiration” to have very high standards of cyber, very high quality advisors and good national authorities.

M&S suffered a serious cyber attack on April 17 via social engineering tactics. Hacking group Scattered Spider was able to access systems, ultimately leading to a £300m hit to profit for M&S this financial year.

“It’s not an overstatement to describe it as traumatic,” Norman said. “We’re still in the rebuild mode, and we will be for some time to come.”

M&S has largely restored online services, but doesn’t expect to fully return to normal until August.

“It’s very rare to have a criminal act in another country or in this country… essentially trying to destroy your business,” Norman said. “It’s like an out of body experience.”

M&S chair: ‘Assume the perimeter is permeable’

Norman said that all online businesses were at risk of a cyber attack like M&S’s.

“The right thing to do, if you’re in our business, is to assume that the perimeter is permeable. Ultimately, can they get in? They probably can, if they try hard enough,” he said.

“You [can] have all the preventions that you should have… double dual factor authentication, password control, everything like that. But this business is to assume that the perimeter is permeable,” he said.

Cyber attacks in retail overwhelmed the sector earlier this year, with the Co-op, Harrods, Dior, Cartier and North Face all reporting breaches or attempted breaches.

In Parliament on Monday, Conservative MP David Davis asked for an update on the “progress of the government’s actions to ensure that blackmailers of this sort do not succeed in future” in light of an “undisclosed sum” paid by a “major company” to their cyber attacker – although he declined to name them.

Minister of State for Security Dan Jarvis replied that the Home Office “recently closed a consultation into a world leading package of legislative proposals to counter ransomware, and a public response will be published shortly”.

Cyber expert Spencer Starkey has warned that action must be taken, and soon, in light of the rapidly improving strategies of cyber attackers.

“Threat actors are now exploiting vulnerabilities within 48 hours of disclosure – far faster than most organisations can patch,” Starkey said.