
Retail Under Attack: How Layered Defence Reduces Cyber Risks

Over the past few weeks, major retailers like M&S, Co-op, and Harrods have found themselves in the spotlight for all the wrong reasons. 

Starting over the Easter weekend, Marks and Spencer were the first to be attacked with customers reporting problems with Click & Collect and contactless payments. The chaos to follow involved: 

Whilst the Harrods attack was unsuccessful, the Co-op was not as fortunate: personal data was stolen, including names, dates of birth and contact information, and stores were left with empty shelves, a problem that is still ongoing at this time. 

What started out as an IT and technology problem caused by a cyber attack has had a significant, visible impact on the world we live in. This is not just yet another data breach where the impact can be difficult to quantify. These retailers are part of the British way of life, visible on almost every high street across the country, and if they can’t provide goods and services, it certainly doesn’t go unnoticed. 

 

Who Was Behind The Cyber Attacks?

DragonForce, a criminal organisation, has taken credit for these attacks. It operates a ransomware-as-a-service offering, one cog in the dark web’s complex criminal ecosystem. For a price, DragonForce supplies other malicious groups with a complete kit for performing ransomware attacks, including software, tutorials, customer support and payment websites. If the extortion after a cyber attack is successful, DragonForce also gets a cut of the profits. The hacker group suspected of using DragonForce is named Scattered Spider. To find out more, read our previous blog on Ransomware-as-a-service and the dark web’s ecosystem. 

 

The Current State of the Threat Landscape

It’s important to remember that the events of the last few weeks aren’t isolated; they’re part of a broader pattern affecting today’s global economy. At CyberUK 2025, Pat McFadden MP stated that cyber security is not a luxury, it’s an absolute necessity. 

Yes, organisations have some defences implemented, but many aren’t effectively managing the root issue: cyber risk. What we’re seeing now is the real-world impact of the divide between security aspirations and business objectives. 

 

“Only 4% of UK firms are fully prepared to defend against modern, complex cyber threats”

Cisco’s Cyber Security Readiness Index 2025

 

A Layered Approach to Cyber Security

Cyber security today is about building resilience through a layered approach. Consider the following five key areas: identity, protect, detect, respond and recover. All five must work in unison. Miss just one, and your organisation could be the next headline. 

  1. Identity: This area focuses on the rigorous establishment and governance of digital identities for users, devices, and services. Effective identity management is foundational to controlling access and ensuring accountability. Key elements include robust authentication mechanisms, such as multi-factor authentication, comprehensive authorisation frameworks based on the principle of least privilege, and lifecycle management of digital credentials. A well-defined identity framework minimises the risk of unauthorised access and insider threats. 
  2. Protect: This proactive domain encompasses the implementation of security controls and safeguards designed to prevent cyber incidents. It involves establishing a layered security architecture that mitigates potential threats across various attack vectors. Key activities include the deployment and maintenance of firewalls, intrusion prevention systems, endpoint protection platforms, data loss prevention tools, and the consistent application of security best practices, including secure configuration management and regular vulnerability patching. The objective of the Protect function is to reduce the attack surface and minimise the likelihood of successful exploitation. 
  3. Detect: Recognising that preventative measures are not absolute, the Detect area focuses on the continuous monitoring and analysis of systems and networks to identify potential security incidents or anomalous activities in a timely manner. This requires the deployment of sophisticated security information and event management (SIEM) systems, threat intelligence platforms, and behavioural analytics tools. Effective detection capabilities enable organisations to identify and triage security events early in the attack lifecycle, facilitating a more effective and less costly response. 
  4. Respond: The Respond domain outlines the established procedures and capabilities for addressing identified security incidents. A well-defined incident response plan is crucial for containing breaches, eradicating threats, and minimising the impact on business operations. This includes clearly defined roles and responsibilities, communication protocols, forensic analysis capabilities, and remediation strategies. A structured and practised response process ensures a coordinated and effective reaction to security incidents, limiting potential damage and downtime. 
  5. Recover: The final domain, Recover, focuses on the restoration of normal business operations following a security incident. This involves the implementation of robust business continuity and disaster recovery plans, including data backup and recovery strategies, system restoration procedures, and post-incident analysis to identify lessons learned and improve future security posture. Effective recovery capabilities ensure organisational resilience and the ability to resume critical functions with minimal disruption. 

 

What Questions Should You be Asking Yourself?

  • Are your security measures aligned with actual business risks? 
  • Do your teams understand the threat landscape well enough to respond effectively? 
  • Cyber attacks are inevitable. Is your organisation truly prepared to detect, contain, and recover from an incident quickly? 

Cyber security readiness isn’t about buying more tools. It’s about understanding where you are today, identifying your cyber risks, and developing a plan to continuously evolve your defences. A layered approach supports this mindset by ensuring security is built across people, processes, and technology, not just at a single point. Each layer adds resilience, helping to prevent, detect, and recover from threats in a way that aligns with your unique risk landscape. 

Without a clear picture of existing vulnerabilities, investment decisions can easily become misaligned with actual risks. That not only stalls progress in cyber security maturity but leaves dangerous gaps open to exploitation. Layered defences make sure that no single weakness becomes a catastrophic failure. 

The cost of not getting the right balance is high. Let the recent events in retail be the warning sign, not the lesson. 

 

Real-World Assurance with vSOC Assure

Knowing where to start or understanding your organisation’s true risk exposure can be overwhelming. That’s why we’ve developed a comprehensive service designed to help organisations pinpoint their current risk exposure and identify ways to close security gaps with a tailored, strategic security plan. 

We work with you to consolidate your security efforts, ensuring both a strong ROI and protection against real-world threats. Through our cutting-edge risk management platform and dedicated security team, our innovative approach provides strategic direction to cyber risk while engaging both IT leaders and business executives in the process. With powerful new features, such as industry benchmarking and advanced dashboard metrics, we’ll map your current controls against the 5 key security areas, providing a clear picture of your organisation’s security posture. 

Together, we’ll help you create a resilient and strategic cyber security roadmap, ensuring that your defences evolve in line with emerging threats and business needs.

 
