Cyberattacks often make headlines due to dramatic ransomware demands, system shutdowns and delayed response efforts. However, behind every breach is a story about organizational decisions made every day regarding risk, people, and priorities. Nowhere is this clearer than in the 2025 breach at Marks & Spencer (M&S) in the United Kingdom.
In April, the UK retail giant was brought to a standstill by a ransomware attack. Online shopping shut down, supply chains were disrupted, and internal systems ground to a halt. The damage was an estimated £300 million in lost profit—and that figure excludes any potential legal or reputational fallout. In response, M&S committed to compressing two years of digital transformation into just six months. The move was positioned as bold and forward thinking; however, it raised a key question:
- Is this acceleration a genuine strategy shift or a rushed attempt to fix past mistakes that risk repeating them all over again?
It is important to explore what this breach teaches professionals about cybersecurity decisions and why resilience requires more than just tools, timelines, or transformation plans.
Decision #1: Is Cybersecurity Treated as an IT Problem or a Business Imperative?
It is easy to talk about cyberattacks in technical terms such as malware, firewalls, and zero-days. However, most breaches do not begin with broken systems. They begin with decisions. In the M&S case, the breach was not the result of a sophisticated exploit. It reportedly started with a simple phishing call, a social engineering attack that convinced a third-party helpdesk to reset an admin password. All it took was one decision to grant access, one gap in training, and one vendor process left unchecked. This was a failure in vendor oversight, staff enablement, and risk ownership, all of them business decisions rather than technical ones.
When organizations treat cybersecurity as “just IT’s job,” they disconnect it from the decisions that shape real risk: how partners are chosen, how staff are trained, and how governance is enforced.
Takeaway: If cybersecurity is not part of how organizations assess vendors, train teams, and make everyday business decisions, then it will not work effectively when it matters most.
Decision #2: Is the Organization Investing in People or Just Perimeter Defenses?
The M&S breach did not originate from a sophisticated attack; it started with a single person. A single person as the point of entry is becoming the norm for attacks. From MGM Grand to Colonial Pipeline, attackers increasingly exploit trust, not just software. They do this by targeting the perceived reliability and integrity of organizational systems, communications, and third-party relationships. And yet, too many organizations still treat security awareness as merely a box to check on a list of compliance measures. Cyber awareness posters and simulated phishing tests will not cut it anymore. Organizations need continuous education, scenario-based training, and a culture where verification is normalized (and not seen as rude or redundant).
Takeaway: Technology alone cannot protect an organization—unless its people are trained, supported, and tested, even the best systems will fail under pressure.
Decision #3: Does the Organization Manage Vendor Risk or Just Hope for the Best?
The M&S breach highlights a hard truth: an organization's cybersecurity is only as strong as its weakest third party. In the M&S breach, attackers reportedly gained access through a third-party contractor: a single moment of human error outside of M&S's walls that ultimately triggered £300 million in losses.
Many organizations treat vendor security as a one-time procurement checkbox instead of an ongoing responsibility. Contracts often lack clear language about cybersecurity expectations, breach notification timelines, or shared incident response. To shift from a posture of hope to accountability, organizations need:
- Ongoing vendor security monitoring
- Clear contract clauses around cyber responsibilities and testing
- Defined escalation paths and joint response plans
Takeaway: Organizations can outsource services but not responsibility. If vendors are not secure, neither is the organization.
Decision #4: Is the Organization Responding With Strategy?
After the breach, M&S made a bold call: fast-track two years of digital transformation into six months. On the surface, this decision signaled adaptability and resilience. However, beneath that lies a dilemma that many organizations face: Is acceleration a smart pivot or a rushed reaction?
Speed is not inherently bad. In fact, organizations have used moments of crisis as catalysts to drive meaningful change. But speed without strategy, especially in cybersecurity, can backfire. Every new cloud service, integration, or system rollout expands the attack surface. If security is not embedded from the beginning, risk multiplies.
True transformation after a breach requires more than compressed timelines. It takes:
- Mature governance to guide decisions under pressure
- Continuous risk assessments to catch new exposures
- Transparent communication across teams and leadership
- Well-trained staff who understand their role in protecting systems
- Security built into the foundation and embedded through people, process, and technology
Takeaway: Moving fast may look decisive, but resilience comes from strategy. Cybersecurity is not about fixing systems; it is about changing culture. If the desired transformation does not address how decisions are made, how risk is assessed, and how people are empowered, then speed may just lead organizations back to the same vulnerabilities they were trying to escape.
Do Not Waste the Crisis
The M&S breach is a reminder about the decisions that shape risk every day. There are several core lessons that professionals can glean from the breach, including:
- Cybersecurity is not a project. It is a capability. Resilience cannot be built in six months. It must be built over time through culture, accountability, and investment.
- Cybersecurity decisions are business decisions. The £300 million loss was not caused by a hacker. It was caused by the decisions that left systems and people exposed and vulnerable.
- Digital transformation without governance is dangerous. Every new integration, app, or cloud service is a potential point of compromise if not properly managed.
- The human layer is where most breaches begin. If an organization’s people, including suppliers, are not trained and tested, the door to attacks is left wide open.
The M&S breach has the potential to be a turning point if the organization chooses to learn from it. Real transformation does not come from compressed timelines or quick fixes. It comes from honest reflection, organizational change, and leadership that treats cybersecurity as a core business priority.
Cyber professionals need better cybersecurity decisions, based on risk, accountability, and a culture that values resilience before urgency. If M&S can use this breach as a catalyst for long-term change rather than short-term recovery, then the crisis will not have been wasted. Resilience is not built in the spotlight of a breach – it is built in the quiet, everyday choices made long before one ever hits.