Thought leadership

Cyber Resilience: Why UK SMBs Can’t Afford to Ignore Testing and Awareness

Cyberattacks are no longer isolated to multinational corporations. The reality is that UK SMBs are increasingly in the crosshairs of cybercriminals. What separates those who survive from those who suffer irreversible damage is one thing: cyber resilience.

In April 2025, the UK retail giant Marks & Spencer became the latest high-profile victim of a targeted cyberattack. The breach, attributed in reporting to the ransomware group DragonForce, took online ordering offline, disrupted customer accounts, raised fears of data compromise, and triggered widespread media coverage across outlets including BBC News and Reuters. It wasn’t just a wake-up call for M&S; it was a wake-up call for every UK small and medium-sized business (SMB) relying on digital infrastructure to survive and thrive.

The Reality of Today’s Threat Landscape

The M&S cyberattack was part of a growing pattern. In the same weeks, attacks hit other major UK retailers including Co-op and Harrods. According to the National Crime Agency (NCA), these incidents are being carried out by well-resourced cyber gangs, and among the tactics reported is credential stuffing: replaying usernames and passwords leaked from other breaches against a target’s login page, which succeeds wherever a customer or employee has reused a password.

Cyberattacks have evolved. They’re faster, more targeted, and increasingly public. And the repercussions go beyond immediate operational disruption. Reputational damage, regulatory penalties, and loss of customer trust can crush even well-established brands. For SMBs—who often lack the financial and operational buffer of enterprise-level businesses—the consequences can be existential.
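What credential stuffing looks like in a login log, as an added example that is not part of the original article and not code from M&S, the NCA or any vendor. It assumes a simple constructed log format (ISO timestamp, source IP, username, OK or FAIL) and flags a source that tries many distinct usernames in a short window with almost every attempt failing, the signature of a replayed credential list rather than one customer mistyping a password. The thresholds and the sample log lines are constructed for illustration.

```python
"""Credential-stuffing detection over authentication logs.

Heuristic: a stuffing bot replays leaked username/password pairs, so one
source IP tries MANY distinct accounts in a short window and almost all
attempts fail. A human who mistypes a password fails a few times on ONE
account; a brute-force attack hammers ONE account many times. Only the
many-accounts pattern is flagged here.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class AuthEvent:
    ts: datetime
    ip: str
    user: str
    success: bool


def parse_line(line: str) -> AuthEvent:
    # Assumed log format: "<ISO timestamp> <source ip> <username> <OK|FAIL>"
    ts, ip, user, outcome = line.split()
    return AuthEvent(datetime.fromisoformat(ts), ip, user, outcome == "OK")


def detect_credential_stuffing(lines, window=timedelta(minutes=5),
                               min_users=20, min_fail_ratio=0.9):
    """Return {ip: alert} for sources whose worst `window` shows at least
    `min_users` distinct usernames with a failure ratio >= `min_fail_ratio`.
    The thresholds are assumptions; tune them to your own traffic."""
    by_ip = defaultdict(list)
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        ev = parse_line(line)
        by_ip[ev.ip].append(ev)

    alerts = {}
    for ip, events in by_ip.items():
        events.sort(key=lambda e: e.ts)
        best = None
        end = 0  # sliding-window end index; never moves backwards
        for start_idx, first in enumerate(events):
            while end < len(events) and events[end].ts - first.ts <= window:
                end += 1
            span = events[start_idx:end]
            users = {e.user for e in span}
            fails = sum(1 for e in span if not e.success)
            ratio = fails / len(span)
            if len(users) >= min_users and ratio >= min_fail_ratio:
                candidate = {
                    "window_start": first.ts.isoformat(),
                    "attempts": len(span),
                    "distinct_users": len(users),
                    "fail_ratio": round(ratio, 2),
                    # A success inside a stuffing run is an account whose reused
                    # password worked: treat it as compromised and reset it. With
                    # MFA enforced, that login would not have completed.
                    "compromised": sorted(e.user for e in span if e.success),
                }
                if best is None or candidate["distinct_users"] > best["distinct_users"]:
                    best = candidate
        if best:
            alerts[ip] = best
    return alerts


def constructed_sample_log():
    """Constructed sample log lines: not real traffic."""
    base = datetime(2025, 4, 20, 10, 0, 0)
    lines = []
    # Stuffing run: 25 different usernames from one IP within 25 seconds,
    # one of which hits because that user reused a leaked password.
    for i in range(25):
        outcome = "OK" if i == 17 else "FAIL"
        lines.append(f"{(base + timedelta(seconds=i)).isoformat()} 203.0.113.7 user{i:02d} {outcome}")
    # A customer mistyping their password three times, then getting it right.
    for i, outcome in enumerate(["FAIL", "FAIL", "FAIL", "OK"]):
        lines.append(f"{(base + timedelta(seconds=30 * i)).isoformat()} 198.51.100.5 alice {outcome}")
    # Brute force against a single account: noisy, but not stuffing.
    for i in range(40):
        lines.append(f"{(base + timedelta(seconds=i)).isoformat()} 192.0.2.9 admin FAIL")
    return lines


if __name__ == "__main__":
    for ip, alert in detect_credential_stuffing(constructed_sample_log()).items():
        print(ip, alert)
```

Run against the constructed log, only 203.0.113.7 is reported: 25 attempts, 25 distinct users, a 0.96 failure ratio, and one compromised account (user17). The mistyping customer and the single-account brute force are left alone, which is the point of keying on distinct usernames rather than on raw failure counts.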

From Cybersecurity to Cyber Resilience

Traditional cybersecurity focuses on building walls: firewalls, anti-virus software, access controls. But as the M&S breach demonstrates, no system is impenetrable. Cyber resilience takes a broader approach. It covers four things:

  1. Preventing attacks where you can.

  2. Preparing for the ones that will get through.

  3. Responding effectively when they occur.

  4. Recovering swiftly with minimal impact.

Cyber resilience acknowledges that attacks are a matter of “when,” not “if.” And it equips businesses to bounce back faster and stronger.

The M&S Cyberattack: A Case Study in Modern Risk

Let’s unpack what happened at M&S and what SMBs can learn from it.

On July 8th, Reuters reported that the attack was conducted by DragonForce, a group linked to prior hacktivist campaigns. They targeted M&S’s digital infrastructure, exploiting vulnerabilities to breach customer accounts. According to the official M&S cyber incident update, “a limited number of customer accounts were accessed,” prompting the company to freeze online accounts as a precaution.

The BBC later confirmed the scale of the disruption: affected customers were locked out of their accounts, online shopping was suspended, and M&S had to proactively communicate with its entire customer base.

From a resilience standpoint, M&S did several things right. It issued a transparent update, worked with law enforcement, and provided regular communications. But as highlighted by The Conversation, the long-term impact will depend not just on incident response—but on how the brand demonstrates long-term commitment to customer trust, data integrity, and transparent remediation.

Lessons for UK SMBs

So what does this mean for small and mid-sized businesses that may not have a full-time CISO or cybersecurity team?

  1. You’re not too small to be targeted.
    Many cybercriminals actively go after SMBs because they assume weaker defenses. Groups like those the NCA has arrested use automated tooling, whether credential-stuffing scripts or vulnerability scanners, to work through thousands of companies at once, so an attacker does not need to know your name to hit you.

  2. Proactive testing is essential.
    Just as you wouldn’t rely on an untested fire escape plan, you can’t trust your cybersecurity framework until it’s stress-tested. Regular penetration testing, phishing simulations, and system audits are critical.

  3. Employees are your first line of defense.
    Credential-stuffing attacks of the kind reported in the retail incidents succeed because of human habits: passwords reused across sites, weak password hygiene, and accounts without multi-factor authentication (MFA). A stolen password is worthless against an account that also demands a second factor. Investing in cyber awareness training, and turning MFA on everywhere it is offered, is one of the most cost-effective steps an SMB can take.

  4. Backups must be tested too.
    Backup systems are only valuable if they work under pressure. Businesses should routinely simulate ransomware scenarios to test how quickly data can be restored and operations resumed. Check, too, where the backup lives: a copy that sits on the same network and is writable by the same accounts will be encrypted alongside the data it is meant to protect, so keep at least one copy offline or immutable.

  5. Incident response must be documented and rehearsed.
    When an attack hits, every minute counts. A clearly written response plan—assigning roles, steps, and escalation procedures—ensures you’re not figuring things out during a crisis.
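A restore drill in miniature, illustrating lesson 4 above. This is an added example rather than anything from the article or from a real backup product: it creates a few constructed files, backs them up, overwrites them the way ransomware would, restores from the archive into a clean directory, and checks every restored file against a SHA-256 manifest taken before the incident, timing the restore against an assumed recovery-time objective. File names, contents and the RTO value are assumptions for illustration.

```python
"""Backup restore drill: prove a backup can be restored, intact, within a
recovery-time objective, after the live data has been destroyed.
"""
import hashlib
import os
import tarfile
import tempfile
import time
from pathlib import Path


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def manifest(root: Path) -> dict:
    """Relative path -> SHA-256 for every regular file under root."""
    return {p.relative_to(root).as_posix(): sha256_of(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def create_constructed_data(root: Path) -> None:
    # Constructed stand-in for a small business's live data (not real data).
    files = {
        "customers/orders.csv": "id,customer,total\n1,alice,42.50\n2,bob,17.00\n",
        "config/app.ini": "[db]\nhost=db.internal\n",
        "docs/notes.txt": "Q2 supplier review\n",
    }
    for rel, text in files.items():
        path = root / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(text)


def make_backup(root: Path, archive: Path) -> None:
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(root, arcname=".")


def simulate_ransomware(root: Path) -> None:
    # Overwrite every file with random bytes and rename it, as ransomware does.
    for p in list(root.rglob("*")):
        if p.is_file():
            p.write_bytes(os.urandom(p.stat().st_size or 16))
            p.rename(p.with_suffix(p.suffix + ".locked"))


def restore(archive: Path, dest: Path) -> None:
    dest.mkdir(parents=True, exist_ok=True)
    with tarfile.open(archive, "r:gz") as tar:
        try:
            # The "data" filter (Python 3.12+, backported to older releases)
            # refuses absolute paths and ".." traversal inside a tampered archive.
            tar.extractall(dest, filter="data")
        except TypeError:  # Python without the filter argument
            tar.extractall(dest)


def run_restore_drill(rto_seconds: float = 60.0) -> dict:
    """Full drill: snapshot manifest, back up, destroy, restore, verify, time."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        live, archive, restored = tmp / "live", tmp / "backup.tar.gz", tmp / "restored"
        create_constructed_data(live)
        expected = manifest(live)          # taken BEFORE the incident
        make_backup(live, archive)
        simulate_ransomware(live)          # the live copy is now useless
        t0 = time.perf_counter()
        restore(archive, restored)
        elapsed = time.perf_counter() - t0
        actual = manifest(restored)
        missing = sorted(set(expected) - set(actual))
        corrupted = sorted(k for k in expected if k in actual and actual[k] != expected[k])
        return {
            "files_expected": len(expected),
            "files_restored": len(actual),
            "missing": missing,
            "corrupted": corrupted,
            "restore_seconds": round(elapsed, 3),
            "live_copy_destroyed": manifest(live).keys() != expected.keys(),
            "passed": not missing and not corrupted and elapsed <= rto_seconds,
        }


if __name__ == "__main__":
    print(run_restore_drill())
```

The manifest is the part most real drills skip: a restore that completes but yields silently truncated or stale files has not succeeded, and only a hash comparison against a pre-incident snapshot shows that. In production the RTO is the 24-hour question from the Practical Steps section below, the archive lives offline or on immutable storage, and the drill is scheduled rather than run once.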

The Cost of Inaction

Cyber resilience isn’t just about defending data; it’s about safeguarding your entire business model. According to the UK Government’s 2024 Cyber Security Breaches Survey, 70% of medium-sized businesses identified a cyberattack or breach in the previous 12 months. The average cost of the most disruptive breach for medium and large businesses was £10,830, and higher still when customer data is involved.

But costs go beyond the financial. Reputational damage, loss of supplier trust, and customer churn can be even harder to recover from. The reputational ripple effect of a cyber incident can take years to repair—especially for a company still building brand equity.

Building a Culture of Cyber Resilience

Creating a resilient organisation starts with culture. Every employee, from junior staff to leadership, must see themselves as a stakeholder in your business’s digital safety. That does not happen by announcement; it is built through the regular testing, training and rehearsal described above.

Final Thought: Hope Isn’t a Strategy

Cyber resilience is not about achieving perfect security—it’s about being ready when the worst happens. M&S had the brand recognition and resources to respond quickly. But even they’re facing scrutiny about how their response will impact their long-term future.

For UK SMBs, the stakes are higher. A single breach can mean lost contracts, regulatory fines, and damaged reputations. But with proactive testing, employee education, and a culture of resilience, businesses can not only survive—they can emerge stronger.

Practical Steps for SMBs

  1. Start with a free data protection or cyber risk assessment from a trusted IT partner.

  2. Review your incident response plan—or create one if it doesn’t exist.

  3. Schedule a phishing simulation and employee training within the next 30 days.

  4. Evaluate your backup and recovery strategy. Can you recover your core systems within 24 hours?

  5. Communicate your commitment to customers—transparency builds trust.

The good news? You don’t have to do it alone. Work with partners who understand your business, not just your infrastructure.


Need support building your cyber resilience strategy?
Let’s talk. From assessments and strategy sessions to hands-on testing and awareness programs, we help UK SMBs take practical steps to stay secure.