M&S, Harrods and Co-op attacks expose UK’s growing cybersecurity risks

A recent spate of cyber attacks on UK retail giants, including M&S, Harrods and Co-op, has exposed growing concerns over cybersecurity readiness at British businesses.
According to Cisco’s latest Index, released Wednesday, only four per cent of UK firms are fully prepared to defend against today’s complex cyber threats.
The report also found that 83 per cent of UK organisations are grappling with a shortage of skilled cybersecurity professionals, leaving many critical security roles unfilled as threat levels increase.
“The bad guys are there looking for ways in – and far too many organisations are sitting ducks”, Martin Lee, EMEA lead at Cisco Talos, told City AM.
“They have tools, they have a business model, they know how to make money”.
A 2024 report from the UK’s National Cyber Security Centre (NCSC) also warned that ransomware groups are adopting more aggressive extortion tactics and increasingly centring their attacks around AI.
The recent spate of incidents at M&S, Co-op, and Harrods reflects a broader uptick in attacks on UK retail, logistics, and financial firms, with reports of phishing, ransomware, and supply chain compromise becoming increasingly common.
Earlier this year, PwC flagged a growing divide between firms investing proactively in cybersecurity and those failing to do so, warning that reactive postures are no longer sustainable in the AI era.
AI outpaces cybersecurity oversight
While 92 per cent of UK organisations are already using AI in some form to detect or respond to various malware, the report found that over 78 per cent experienced security incidents related to AI within the past year.
Despite this, 65 per cent of IT teams said they had little to no visibility into employee use of unapproved AI tools, raising concerns over so-called ‘shadow AI’.
“People love shiny new tech, and move faster than policy”, Lee said. “We’re seeing employees putting confidential company data into AI systems without understanding where the data goes”.
Recent findings from Gartner support this trend, noting that over 40 per cent of employees in large enterprises use GenAI tools daily, and often without formal guidance or oversight.
Lee warned that while AI can help automate security monitoring and accelerate threat detection, it still requires trained professionals to oversee its implementation.
“AI is a force multiplier”, he said, “but people need to scope, implement, and manage it”.
Skill shortage hinders response
The talent shortfall is compounding the problem, with nearly half of UK firms surveyed having over ten open cybersecurity roles.
What’s more, only 45 per cent are allocating more than 10 per cent of their IT budgets to cyber defence, down from 54 per cent last year.
“We’ve never had enough cyber professionals – and we never will”, said Lee.
“So, let’s get AI doing the simple stuff, and use our people for the things machines can’t do – like responding to complex incidents and making strategic decisions”.
The report also flagged growing challenges related to security complexity, with more than two-thirds of businesses relying on more than 10 disconnected security tools.
This fragmentation can hinder response times and increase the risk of missed threats.
Lee advised businesses to focus on strengthening foundational defences.
“The biggest advice I can give to businesses is to get the basics right”, he said. “Cyber criminals are looking for the easiest route in – and if you’re better prepared, they’ll move on to someone else”.
This issue doesn’t stop with the UK. “Cybersecurity is a global issue,” said Lee. “Threats don’t respect national boundaries.”