
When Cybercrime Hits the Checkout
When a household name like Marks & Spencer is brought to its knees by hackers, the message to every organisation is clear: cybersecurity is not just about compliance, it is about continuity.
In April, M&S suffered a cyber-attack that forced it to suspend online orders for nearly two months and click-and-collect for almost four. Shelves ran bare, systems stalled, and customers turned to competitors. The company’s adjusted profit before tax fell to £184 million, down from £413 million the year before.
What happened to M&S is a case study in how a digital disruption can ripple through an entire business. It was not just an IT outage; it was a full-scale operational crisis.
The Real Price of a Cyber Breach
M&S revealed it had received £100 million in insurance payments, but the total cost of the incident was closer to £300 million. The difference reflects the expenses that insurance cannot cover: lost revenue, reputational damage, and the time it takes to regain customer confidence.
Cyber incidents like this demonstrate that prevention is not a luxury. It is a financial strategy. Every pound invested in preparedness saves many more in recovery.
Resilience Is Not Luck — It Is Preparation
True resilience is made up of several layers of preparedness: penetration testing, vulnerability management, governance frameworks and ransomware readiness. Each layer supports the others, creating the kind of defence that does not crack under pressure.
- Penetration Testing: Finding the Flaws Before Hackers Do
A cyber breach often begins with an overlooked weakness. Penetration testing exposes those vulnerabilities before criminals exploit them. It simulates real-world attacks on systems, applications, and networks to uncover gaps that traditional tools miss.
- Vulnerability Management: Because Risks Don’t Stand Still
Cyber threats evolve daily, and so do the weaknesses that enable them. Continuous vulnerability management ensures that software, hardware, and user environments stay patched, monitored, and secure.
It is not about ticking boxes. It is about maintaining a living, breathing security posture that adapts as fast as attackers innovate. A strong vulnerability management strategy can be the difference between a failed attack and a company-wide shutdown.
- ISO Readiness: Turning Compliance into Competitive Advantage
ISO standards, particularly ISO 27001, are more than paperwork. They are frameworks for resilience. Achieving and maintaining ISO readiness proves that a business takes information security seriously, with robust processes for risk management, data protection, and incident response.
For companies under growing pressure from regulators and consumers alike, certification sends a clear signal of trust and accountability — vital in rebuilding reputation after a breach.
- Ransomware Readiness: The Final Layer of Defence
The M&S incident may not have been ransomware, but the lessons are the same. Modern attacks are sophisticated, targeted, and relentless. Being ready for ransomware is no longer optional; it is essential.
Our recent Ransomware Readiness as a Service (RRaaS) blog post explores how organisations can test their preparedness, strengthen response plans, and ensure business continuity when the worst happens. It turns “what if” into “we’re ready.”
The Bottom Line: Resilience Protects Profit
The M&S cyber breach showed how a single incident can wipe out years of growth in a matter of weeks. Yet it also proved that businesses with strong resilience frameworks can recover. In a world where every business is digital, cybersecurity is not just a cost — it is the price of staying in business.