Cyberdise AG

The Rocky Road to Reducing Human Error (M&S Lost £300M to Phishing, May 2025)

The Marks & Spencer Cyber Attack Shows It

Large companies with complex organizations, many languages, multiple learning management systems (LMS), heterogeneous metadata landscapes and high process variance need cybersecurity awareness solutions designed to meet such challenges. Otherwise, employee awareness of cyber risks degenerates into a farce, or there is a risk of group-wide failure.

What happened?

A cyber attack disrupted M&S's delivery systems and led to empty shelves for days [1]. The damage is estimated at 300 million pounds. On May 21, 2025, Stuart Machin, CEO of M&S, announced that deliveries had been restored and that customers could once again find what they needed in Marks & Spencer stores. The situation is different for the M&S webshops, which will be out of operation until July 2025.

Machin also confirmed on May 21, 2025, that the incident was caused by a ransomware attack initiated through social engineering (phishing / business email compromise) [2]. Previously, the UK's National Cyber Security Centre (NCSC) had warned that criminals launching cyberattacks on UK retailers were posing as IT help desks to infiltrate businesses.

What could have been done to prevent this?

If you ask cybersecurity specialists or your trusted chatbot, various recommendations emerge. See the summarized advice from Google and OpenAI:

  • ChatGPT: Strengthen Identity and Access Management; Enhance Employee Training; Develop and Test Incident Response Plans; Secure Virtual Infrastructure; Implement Zero-Trust Architecture
  • Gemini: Security Training; Robust MFA; Phishing Detection; Third-Party Risk Management; Incident Response Plans

The security recommendations make sense, and the overlap between the two lists is clearly recognizable.

Cybersecurity awareness as a pillar of prevention?

The analyses of the Marks & Spencer hack lead to the conclusion that the human factor could have been better trained. Of course, an effective, far-reaching and employee-oriented cybersecurity awareness program – or the lack thereof – is a critical factor for any organization. However, large companies do not find it easy to implement good awareness programs.

The Rocky Road to A Cybersecurity Awareness Program

Marks & Spencer has around 66,000 employees and a presence in 50+ countries. M&S operates various HR and learning management systems (Oracle HCM, JDA Workforce, etc.). The basic complexity of the processes, system architectures and culture of a company like M&S is a challenge in itself, and this complexity is reflected in the requirements for a suitable cybersecurity awareness system.

In our experience, companies of the size and nature of M&S often have the following requirements for a cybersecurity awareness solution:

  1. Multilevel multi-tenancy to match the legal and organizational structure of the company.
  2. The ability to manage multiple sources of employee master data for targeted or country-specific rollouts.
  3. Enhanced technical infrastructure needs (APIs, whitelisting, reporting channels and options). An awareness solution almost always has to be integrated into a broader system landscape, with all the challenges that entails.
  4. Facilitating coordination with privacy, works council, legal and internal communications.
  5. Customizable and adaptable training and testing content. The trainings and simulated phishes must be adaptable to linguistic and cultural specifics with high translation quality. On top of that, such companies expect deep, immersive and well-structured learning resources.
  6. The ability to streamline processes such as master data management (including management of duplicate users), reducing preparation overhead across multiple organizational units, and stakeholder integration with role- and permission-based access for IT, governance, works council, etc.
  7. Simplified reporting and evaluation (results, pass rates), providing KPIs and dashboards out of the box while also allowing exports or transfers into other reporting or analytics systems.

Product features of an awareness solution for large customers:

  • Multi-client capability across several levels
  • Multilingual, localized and customizable content
  • Automated whitelabelling of content
  • Role-specific tests and learning paths
  • Template libraries, authoring tools and AI-powered content creation to overcome the limitations of the libraries provided
  • Modular course design and a predefined curriculum
  • Teachable moments (awareness redirects)
  • Auto-reporting tool (Phish Button & Threat Analytics)
  • GDPR-by-design, no tracking without consent, different levels of anonymization
  • Interoperability between HR, LMS, Mail, AD, Analytics
  • Admin support tools, manuals/wiki and FAQs

It is Neither Easy Nor Cheap:

  • Phishing simulations and awareness training are not low-budget initiatives in businesses like M&S – they incur significant planning and operational costs unless thoughtfully integrated and automated.

The bottom line: large organizations need a cybersecurity awareness product that delivers adaptable and context-sensitive content, integrates seamlessly, automates workflows, and truly relieves internal teams.

At CYBERDISE | Cybersecurity Awareness, we do everything we can to make all employees smarter and the company itself more secure, especially in big organizations!

So long, Palo Stacho

[1] ITV News, 21.05.2025, https://www.youtube.com/watch?v=1fdL9znFbm4

[2] BBC, 21.05.2025, https://www.bbc.com/news/articles/c0el31nqnpvo
