
What to learn from the M&S and Co-op cyber attacks

Author: ICAEW Insights

Published: 20 May 2025

Recent hacks against some of the UK’s biggest retailers send a strong message to every sector, according to representatives of ICAEW’s Tech Faculty Board.

Since Easter, three major UK retailers have been hit by serious cyber attacks – with two proving particularly severe.

On 25 April, Marks and Spencer announced that it had suspended online ordering, while its team managed the impacts of a breach that occurred on Easter Weekend. At the time of writing, that pause is still in effect – at a reported cost of £3.8m per day.

A week later, the Co-op revealed that, following a cyber breach in late April, it was continuing to experience “sustained malicious attempts by hackers” to access its systems. It also admitted that during the attacks, hackers had extracted personal data on a “significant number” of current and past members.

On 1 May, luxury brand Harrods said that it had experienced “attempts to gain unauthorised access” to its IT network. However, the situation was relatively contained, with the brand’s various outlets remaining open and customers still able to purchase online.

According to several sources, notorious ransomware-as-a-service group DragonForce has claimed responsibility for the attacks.

Universal lessons

Shockwaves have continued to rumble. On 6 May, The Guardian reported that Co-op was troubleshooting problems with its contactless payment system. A week later, M&S said that it, too, had suffered the theft of customer data. Meanwhile, both brands were struggling to fill empty shelves because of knock-on supply chain impacts.

Amid the fallout, National Cyber Security Centre (NCSC) CEO Richard Horne said: “These incidents should act as a wake-up call to all organisations.”

For thoughts on the attacks, Insights contacted two members of ICAEW’s Tech Faculty Board: Daniel Teacher, CEO of accounting and finance IT security firm T-Tech, and Radhika Modha, Group Business Information Security Officer at precision-measurement solutions provider Spectris. Like Horne, they stress that the incidents send a message to every industry.

“No cyber attack is entirely preventable,” Teacher says. “For example, if a nation state wants to get into your systems, it will. But what’s disappointing here is that at a minimum, every business should have cyber-security controls good enough to ensure that the impact is nowhere near as bad as it has been in these cases.”

Teacher points out that accountants hold much more sensitive data on individuals than retailers do, so it would be wrong to suggest that retail was somehow more vulnerable.

While specifics of the causes of the recent attacks have yet to emerge, Modha says: “So far, media coverage has picked out two major themes: lack of planning and social engineering.”

On that latter point, some reports have suggested that the hackers called the affected brands’ IT helpdesks posing as employees and requested password resets – enabling them to gain access to critical systems. Such a direct method of initiating an attack highlights the importance of companies urgently reviewing their password policies and reset procedures.

Teacher points out that any business with an extensive customer service presence is particularly vulnerable to fraudulent calls. Operators are trained to be helpful, he says, so with a targeted approach, a hacker could readily trick a call handler into resetting the multifactor authentication setup of any individual they are impersonating.

He notes: “On YouTube, there’s a brilliant but disturbing video of a hacker in character as a stressed-out mother. In no time at all, she dupes a sympathetic operator at a mobile phone company into giving her access to a gentleman’s account, allowing her to reset the password.”

Critical steps

On 7 May, National Fraud Database coordinator Cifas announced that it had tracked a huge, 1,055% surge in cases of SIM swapping: a social engineering scam whereby criminals hijack someone’s mobile number by porting it to a new SIM. That enables them to intercept two-factor authentication codes and carry out further fraud. “Lots of two-factor authentication systems run off mobile numbers,” Teacher warns, citing SIM swapping as a powerful means for hackers to probe vulnerabilities in a company’s IT systems via its own staff.

Modha outlines critical steps that businesses can take to enhance their preparedness. “Conducting a thorough review of your entire IT infrastructure and assets will help you understand what your attack surface looks like,” she notes. “Then there’s IT support: if your service provider is subcontracting any work linked to your business, consider and risk-assess which third parties are involved and what kind of access they have to your systems.”

She adds: “Review your helpdesk and/or call centre policies. Are staff asking the right questions to screen out social engineering? Also, routinely simulate hacking incidents in tabletop exercises with your operational and leadership teams. That will enable employees to build muscle memory around how to cope effectively with a cyber attack.”

Teacher mentions the term ‘managed security’, under which a company needs to know immediately if and when it has been compromised and be able to take action within a number of minutes. “With M&S, they were in the system for days before it was detected.”

Best practices

ICAEW Head of Data Analytics and Tech Ian Pay also has some recommendations. First and foremost, he says: “Patch, patch, patch. Ensure that every single piece of your hardware and software is up to date with the latest security protocols and bug fixes.”

Next, Pay notes, review access. “Reports indicate that the retail hackers were able to operate within the brands’ own environments,” he says. “That highlights concerns over remote access systems, including VPNs.”

He adds: “Ensure that backups are in place for all core systems and check with any cloud provider you use that you’re covered by its backup policy. Plus, enforce best practices and workforce education in line with NCSC’s 10 Steps to Cyber Security.”

On a broader level, Lindsay Hill – CEO of Manchester-based cyber-security specialist Mitigo – urges business leaders to “take a good look” at the government’s Cyber Governance Code of Practice, issued in April this year.

“That effectively sets out the main thrust of all the things that companies should be thinking about,” Hill says. “The government intends for the code to have application across sectors. At this stage, it’s not a legal requirement. But in its accompanying text, the government says that it will consider making it compulsory going forward, depending on the uptake.”

Hill stresses: “The most important point in the code is that it’s up to the board and senior management team to get a grip on this business risk.”

