Douglas McLachlan
- Partner
Cyber attacks are a shock for any business, but they are no longer a complete surprise given their prevalence and the devastating, high-profile impact they have had in recent years. This week, though, with attacks on beloved British brands, cyber security is more in the public consciousness than ever. Some of the biggest players on the UK high street have fallen victim to cybercriminals, and it has shaken customers, leaving many with questions and even leaving some without food.
The attack on Marks & Spencer has been branded a ‘wake-up call’ by cabinet minister Pat McFadden, who rightly stated that ‘cyber security is not a luxury but an absolute necessity’.
I wholeheartedly agree with this sentiment, but it doesn't mean all businesses (large or small) must spend millions on complex cyber security systems. When it comes to implementing robust cyber security practices, the '80/20 rule' is a good yardstick: roughly 80 per cent of the work is about people, culture and process, and the good news is that only the remaining 20 per cent comes down to technology and IT systems.
The attacks have been operationally detrimental, impacting everything from online ordering and the in-store experience to the availability of meal deals, alongside concerns over compromised customer data and reputational damage.
Businesses that want to protect themselves robustly, rather than footing a huge bill and incurring significant reputational damage should the worst happen, must look at organisational culture and management. Here are five things businesses can do to get the balance right when it comes to protecting against cyber attacks.
Your first mistake is thinking your business isn't 'interesting' to cyber criminals. Many attacks aren't as targeted as you think: attackers routinely scan at scale for 'low-hanging fruit' such as exposed systems, unpatched software and weak or reused passwords, and they go after whoever turns out to be easiest, not whoever is most famous. If you hold data, you're a potential target, and spending some time and effort up front to prepare could save legal headaches, money, and potentially your entire operation, in the long run.
One of the most damaging allegations levelled at M&S has been a lack of business continuity planning. Worryingly, I suspect many organisations are in a similar boat. Would you be caught without a fire safety and evacuation plan? Of course not. And while the threat of a cyber attack may not be physical, it can do irreparable damage. Get a plan together and keep it both online and in hard copy, with a copy stored somewhere that does not depend on your main systems. Remember, if your systems go down or are encrypted, a plan that lives only on those systems is one you cannot reach when you need to action it.
Having a plan is all well and good, but the key personnel must be able to execute it seamlessly in the event of an attack. Map out potential vulnerabilities and rehearse for the worst-case scenario: containing the attack and sealing the breach, establishing reporting lines (including who notifies regulators, customers and insurers, and by when), assessing the damage and mitigating it, beginning recovery, and planning the next steps. Rehearse how the team will communicate if email and the usual collaboration tools are unavailable or cannot be trusted. Use the drills to investigate, analyse and learn lessons. Ensure the right people are involved too: CEOs, CTOs, legal, IT and communications at a minimum. Keeping them in the loop is vital in ensuring the right people are able to handle risky situations, should they arise. It only takes one person being in the dark on how to approach a crisis to escalate things.
The importance of a culture of awareness and compliance cannot be overstated when it comes to increasing protections. Your staff are likely to be your biggest vulnerability, whether by responding to scam emails, sharing or writing down passwords, or failing to carry out software updates. There must be a top-down approach that starts with the board and senior management, with an emphasis on removing any 'fear culture' around making mistakes: a member of staff who clicks a suspicious link must feel able to report it immediately, because minutes matter far more than blame. Introduce phishing tests, and make sure your obligations under GDPR, and the policies that implement them, are baked into everything you do. Cyber security must be part of the business DNA, not an add-on. It is too important to leave to the IT department; it's everyone's job.
A huge part of the 'management' element is contract management. The legal side of cyber security cannot be left to chance: you must ensure clear, robust contracts with customers and suppliers. A business that fails to manage its contracts properly can get stuck in a risky position. Just like 'piggy in the middle', it could be fully liable to its customers, having to reimburse delayed or damaged items or compensate for compromised personal data, but only able to claim limited compensation from its suppliers. The key is limiting your own liabilities while ensuring fair compensation for your own business. And review your contracts on a regular basis, in line with reviewing your vulnerabilities and updating your business continuity planning.
While some level of spend is required, on anti-virus, software updates and cyber insurance, people are crucial to protecting any business. Having the right culture, procedures, tools and contracts in place can significantly help to defend your company against cyber threats.
Even with all the protection in the world, it's unlikely any business will be able to avoid an attack forever. The question isn't if you'll get hit, it's when, and how badly. Having a robust training, skills and communications approach is the key to mitigating any damage. Cyber security should always be on the board agenda, updated regularly, and embedded into the fabric of any business 24/7. Businesses might have a closing time, but hackers don't.
Our expert team is ready to assist with the matters outlined above; contact douglas.mclachlan@andersonstrathern.co.uk.