
The Easter cyber-attack on Marks & Spencer has laid bare an uncomfortable reality for businesses. When hackers take down your systems, you’re no longer fully in charge, and how you respond could define your company for years to come.
It’s the kind of nightmare scenario every company should fear, because every company is now a target. If a company the size of M&S, with the scale of resources it possesses to invest in its systems, can be brought to a standstill for months by a hack, what hope is there for smaller or less prepared businesses?
There are few boards that still treat cyber security as an afterthought. There may have been a time when it was the sole function of the IT department, but companies as a whole are now acutely aware of the direct threat to their revenue, customers, shareholders, brand and even survival. All of the most sensitive data firms hold is at risk from sophisticated hackers.
For senior management, the hardest part isn’t necessarily the technical challenge of recovering systems. It’s the legal and strategic dilemmas they face when the ransom demand arrives. Pay up and you risk regulatory sanction and accusations you are funding organised crime. Refuse to pay, as government and security services advise, and you could be left unable to operate for weeks, hemorrhaging customers and cash. Either way, the damage is significant and long‑lasting.
New reality
This is the new reality for modern commerce. Businesses are so reliant on digital infrastructure that a well‑executed cyber-attack can turn off the lights almost instantly. For M&S, the attack wiped out its online sales channel at a crucial point in its trading year (a lot of summer stock is a write-off).
It’s in these moments that customers and investors learn what kind of company you really are. The response to a crisis, particularly one where you’re the victim, speaks volumes about culture and leadership.
That’s where M&S has arguably set itself apart in the last few months.
Full disclosure
From the outset it made clear this was no minor technical glitch but a serious attack. It disclosed the breach quickly, informed customers regularly what data had been compromised and kept the market updated about the scale of the financial damage – a staggering £300m hit to profits in its current financial year. Given the size of the losses, it’s surprising the share price hasn’t fallen by more in response. It’s down just about 10% since April.
Its chief executive Stuart Machin fronted up to the problem and committed to restoring trust. The fact that it is taking longer than anticipated to restore full services has not been met with any further deterioration in its share price.
Some firms continue to think that customers and investors will focus more on the breach itself than the way it’s handled. That’s a naïve approach. Regulators in the UK, Ireland and across the EU are increasingly clear about reporting obligations, particularly when the most sensitive customer data is involved. Customers are less forgiving than ever about having their personal details exposed and staff rightly want to know what’s happening if they can’t do their jobs.
M&S’s transparency has not erased the seriousness of the attack, but it has shown that openness can mitigate some of the reputational harm. Its share price didn’t collapse. Analysts didn’t savage management in the way they could have done. And it has given itself a chance to win back customers by showing it takes data seriously.
If nothing else, the experience of M&S proves one thing: cyber-attacks leave you powerless in the moment. However, the way companies respond is still within their control and that’s where reputations are made or broken.