The recent spate of cyber attacks on UK retailers — including Marks & Spencer, Co-op and Harrods — serves as a stark reminder: no organisation, regardless of size or preparedness, is beyond reach. While headlines tend to highlight the major players, there are critical takeaways for businesses of every size.

The National Cyber Security Centre (NCSC) is currently supporting the affected companies. In their most recent statement, they noted that it’s too early to confirm whether the incidents are connected. Nonetheless, they’ve indicated they possess valuable insights and have a clearer picture than may be evident publicly.

Although not disclosing specific details, the NCSC has offered guidance following media speculation that social engineering may have played a role — particularly via IT helpdesks. Attackers might impersonate technical staff or claim to be employees locked out of accounts, manipulating team members into revealing login credentials or security information.

This approach is worryingly straightforward — and all too effective.

So, what’s the key message? It’s not just passwords you need to protect — people are your primary defence.

The NCSC’s latest recommendations call on organisations to scrutinise their password reset protocols, especially those affecting individuals with access to critical systems or sensitive data. It’s vital to assess how identity is confirmed when someone contacts the IT helpdesk. Are secondary checks in place? Would a fraudulent request be detected?

Some cyber experts even recommend using internal codewords to verify identity — but this only works as part of a wider culture of cyber awareness, where staff are encouraged to question the unexpected, no matter how routine it may seem.

Small businesses are just as vulnerable

Though large retailers were targeted in these cases, the methods used don’t discriminate. In fact, smaller firms — often lacking dedicated cyber security teams — may appear easier to compromise. That’s why immediate action is crucial:

  • Reassess internal password reset procedures. Who controls them, and what safeguards exist?

  • Implement multi-factor authentication wherever feasible. Passwords alone are no longer sufficient.

  • Stay alert to unusual login patterns. Access attempts from unfamiliar locations or at odd times should raise concern.

  • Equip your team to identify social engineering. Regular updates and bite-sized training sessions can make a significant difference.
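One way to act on the third point (unusual login patterns) is a small detector run over authentication logs. The following is an added example, not code from the article or the NCSC: it assumes a constructed log format of `timestamp user country outcome`, a working window of 07:00 to 19:59, and a ten-minute failure window, and flags successful logins from a country not seen before for that user, logins outside the working window, and successes preceded by a burst of failures.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (not real data), one event per line:
# ISO timestamp, username, country of the source address, outcome.
SAMPLE_LOG = """\
2025-05-01T09:12:00 alice GB success
2025-05-01T10:40:00 alice GB success
2025-05-02T08:55:00 alice GB success
2025-05-03T03:17:00 alice NL success
2025-05-01T14:02:00 bob GB success
2025-05-02T23:48:00 bob GB failure
2025-05-02T23:49:00 bob GB failure
2025-05-02T23:50:00 bob GB success
"""

BUSINESS_HOURS = range(7, 20)  # assumption: 07:00-19:59 is the normal working window

def parse(log: str):
    """Turn the constructed log text into (timestamp, user, country, outcome) tuples."""
    events = []
    for line in log.splitlines():
        ts, user, country, outcome = line.split()
        events.append((datetime.fromisoformat(ts), user, country, outcome))
    return events

def flag_unusual_logins(log: str, window_minutes: int = 10):
    """Return (timestamp, user, reasons) for successful logins that look unusual."""
    seen_countries = defaultdict(set)   # per-user baseline of countries already used
    recent_failures = defaultdict(list) # per-user failed attempts since last success
    alerts = []
    for ts, user, country, outcome in sorted(parse(log)):  # chronological order
        if outcome != "success":
            recent_failures[user].append(ts)
            continue
        reasons = []
        # Unfamiliar location: user has a history, and this country is not in it.
        if seen_countries[user] and country not in seen_countries[user]:
            reasons.append(f"new_location:{country}")
        # Odd time: outside the assumed working window.
        if ts.hour not in BUSINESS_HOURS:
            reasons.append("off_hours")
        # Burst of failures shortly before the success (guessing or a reset gone wrong).
        window = timedelta(minutes=window_minutes)
        fails = [f for f in recent_failures[user] if ts - f <= window]
        if len(fails) >= 2:
            reasons.append(f"failures_before_success:{len(fails)}")
        recent_failures[user].clear()
        seen_countries[user].add(country)  # note: a flagged login still joins the baseline
        if reasons:
            alerts.append((ts.isoformat(), user, reasons))
    return alerts
```

On the sample log this flags bob's late-night success after two failures and alice's off-hours login from a country she has not used before; in practice the baseline should be built from a longer, trusted history before alerts are acted on.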

Co-ordinated or opportunistic?

The NCSC’s commentary suggests these attacks may be less about sophisticated code and more about manipulation — gaining trust, then access. This underscores the need to treat cyber security as a company-wide concern, not just an IT matter.

With online crime surging, the NCSC has warned that incidents like these are growing in frequency. Businesses must respond accordingly. Often, the most effective protection starts from within — with robust policies, clear internal communication, and a questioning mindset.

Now’s the time to ask: could it happen to us?

Read more: https://www.ncsc.gov.uk/blog-post/incidents-impacting-retailers