
Protect your organisation – five lessons from recent cyberattacks

By Ashley Avery, Oliver Toomey
25 Apr 2025 | 5 minute read
The Easter Sunday cyberattack against Marks & Spencer (M&S), which crashed their Click & Collect, contactless payment and voucher card services, is another stark reminder that even well-resourced organisations are vulnerable to cyberattacks.
This is the latest in a string of cyber incidents involving well-known UK retailers (amongst other organisations). Over Christmas, Morrisons had to cancel deliveries and failed to apply promised discounts on the biggest shopping day of the year. In January, an IT incident at Barclays disrupted its app and online banking services, and more recently Lloyds was hit by an attack that temporarily shut down its payroll services, leaving many businesses unable to pay their staff.
It isn't just large organisations that are affected: cyberattacks are on the rise for businesses of all sizes, with 50% having experienced a breach in the past year. Recently, a school in Chester was forced to close for two days while a cybersecurity company investigated a ransomware attack.
Clearly, this type of incident causes immense reputational, financial and operational harm. A cyberattack is even more damaging if it involves a personal data breach, because the business is then immediately at risk of investigation by the Information Commissioner's Office (ICO), the UK data protection regulator, and of corresponding fines or penalties. As of the date of this article, it is still unclear whether the M&S attack resulted in such a data breach, but reports indicate that M&S has notified the ICO of the incident.
Suffering a data breach is not in itself a breach of UK GDPR, but the ICO will penalise a business if the breach resulted from insufficient security measures. Penalties can be more severe still if the ICO finds that the business did not have suitable policies, training programmes or compliance processes in place.
The impact a cyberattack can have on a business's insurance premiums should not be underestimated. Being able to demonstrate that you have appropriate processes and procedures in place to prevent a breach, and to respond swiftly and limit the impact if one occurs, can help to secure lower premiums from the outset. Conversely, businesses that claim under their policies following a cyberattack often face significant premium increases if they cannot show that they had taken steps to mitigate the risk. These costs arrive at a time when the business is already under pressure.
Being prepared is of fundamental importance on numerous fronts.
Lesson 1: Focus on resilience and obtain specialist cybersecurity advice
- Under UK GDPR, organisations must take continual and proactive steps to protect the personal data they hold against cyberattacks. This could include enforcing multi-factor authentication (or equivalent protection) on IT systems, especially remote-access and internet-facing services, regularly scanning for vulnerabilities, and installing security patches without delay.
- Depending on the nature of the organisation, it may be appropriate to engage cybersecurity specialists to undertake technical evaluations that identify existing vulnerabilities so that they can be remediated. This could include penetration testing and tailored staff training.
- The ICO recently fined Advanced Computer Software Group £3.07m for security failings that put nearly 80,000 people's personal information at risk. The fine related to a ransomware incident in which attackers accessed NHS personal information through customer accounts that did not have multi-factor authentication enabled.
Lesson 2: Understand the types of personal data your business holds
- Do you know what personal data your business processes and who it relates to (for example clients, customers or employees)? In particular, do you hold any sensitive personal data (special category data under UK GDPR) such as health information or data about an individual's sexuality or religion? Businesses should undertake a tailored data audit to identify and evaluate this information.
- Where the personal data held is sensitive, there is an obligation to implement more stringent security measures, and the ICO is likely to impose heavier penalties following a breach that affects such data. For example, in April 2025 the ICO fined a UK law firm £60,000 following a cyberattack that led to highly sensitive and confidential personal information being published on the dark web. The ICO found that the firm had failed to implement appropriate technical measures to secure the sensitive personal data it held electronically.
Lesson 3: Ensure you have effective data governance in place
- As well as identifying what data a business holds, it is important to understand where that data is held and for what purposes it is processed.
- You must have confidence that your internal procedures are designed to keep data safe and to escalate matters quickly if a breach occurs.
- Having clear policies in place will equip your team to handle complex threats confidently. A business is also much more likely to come under intense ICO scrutiny following a data breach if its data practices are generally poor.
Lesson 4: Prepare your crisis response with an integrated approach
- Clear procedures give employees a process to follow and ensure that cyberattacks are escalated as soon as possible and responded to effectively. As part of your response, you will need to consider whether it is necessary to issue a public notice informing customers of the breach; if so, this should be done as soon as you are able. M&S has already been criticised for failing to inform customers about its service outages over the Easter weekend. Mishandling a breach can cause huge reputational harm, erode customer confidence and irreparably damage your brand.
- Many businesses appoint internal or external communications specialists to help them plan for breach incidents by putting in place a clear, transparent communication strategy.
- It is also helpful to have cybersecurity experts on standby so that you can address the technical weaknesses that gave rise to the breach and restore full use of your systems as soon as possible. Cyberattacks regularly impair a business's ability to trade (as was the case with M&S), with knock-on effects on revenue and shareholder confidence.
Lesson 5: Respond to data breaches in a compliant way
- The UK GDPR imposes a duty on all organisations to report certain personal data breaches to the ICO within 72 hours of becoming aware of them. Having clear data privacy policies in place, and providing employees with regular training on those policies, increases the likelihood that data breaches are identified quickly and escalated in accordance with your internal procedures.
- If a breach is likely to result in a high risk to individuals' rights and freedoms, the business must also inform those individuals without undue delay. We advise obtaining specialist advice to help determine the best course of action following a data breach.
Foot Anstey's flagship BreachReddi service is designed specifically to assess and elevate a business's readiness for data breaches. By working with industry experts Rostrum and Integrity 360, we have developed an integrated and unique approach which covers cybersecurity, data governance and crisis communication. Get in touch with our expert team to find out more.