What Recent UK Retail Attacks Teach Us About Holistic Cybersecurity
The recent cyberattacks on UK retail giants didn’t hinge on exotic zero-days or state-sponsored malware. They began, as so many breaches do, at the intersection of human behaviour, third-party exposure, and strategic business choices that failed to fully account for cyber risk. If your organization still treats security as an IT problem to be solved with tools, these events should serve as a wake-up call.
This blog argues that the recent incidents serve as a reminder of the value of a holistic cybersecurity approach. This approach must embed cybersecurity risk thinking across the organization, from procurement to policy, from culture to code.
A Trio of Cyber Hacks on British Retailers: Marks & Spencer, Co-Op, and Harrods
Three high-profile attacks in April and May 2025 put British retail cybersecurity firmly in the spotlight. The first and most serious hit Marks & Spencer, and the consequences are still being felt. In late April the company halted online orders in response to a ransomware attack, and online ordering isn’t expected to resume properly until July. Some M&S stores had empty shelves, and some customers had their data stolen. Financially, the breach is expected to cost around 30 percent of the company’s annual profit.
The second attack was on Co-op, the UK’s fifth-biggest food retailer. The company’s IT team noticed the intrusion and took pre-emptive action, shutting down part of the network to prevent ransomware from being deployed. This attack also had real-world consequences, with many shoppers finding empty shelves in Co-op branches around the UK.
Harrods, another household name in British retail, became the third company in quick succession to get hit during this wave of attacks. The outcome here wasn’t as bad as in the M&S or Co-op incidents; the company’s website went offline for a brief time. Fast action prevented things from escalating.
Common sense and expert opinion suggest that the three attacks were linked. The threat group Scattered Spider is believed to be responsible for all three. Interestingly, recent developments suggest the M&S incident, and perhaps the Co-op attack, began with the compromise of a third-party company. Investigations continue into whether a breach at Tata Consultancy Services (TCS), which M&S used for IT helpdesk functions, was the gateway for the ransomware attack.

That decision, to outsource a core function like IT support to a cheaper offshore vendor, may have made financial sense on paper. But was it evaluated through a cybersecurity lens? This is where holistic thinking becomes essential.
What is Holistic Cybersecurity All About?
If you’ve been in security long enough, you’ve probably seen it: a company invests heavily in best-in-class tools like next-gen firewalls, AI-driven detection platforms, the works — and still falls victim to a breach that started with something as simple as a spoofed email or a supplier with lax controls.
Holistic cybersecurity is about stepping back. It’s about recognizing that cyber risk doesn’t live only in your infrastructure. Incidents and breaches can happen because of risks in your people, your policies, your culture, your vendors, and your supplier blind spots. It’s the understanding that a breach rarely results from a single point of failure, and almost never from purely technical causes alone.

Yes, technical controls are critical. You need threat detection. You need strong IAM. You need cloud posture management. But if you stop there, you’ve only hardened the perimeter. Smart hackers attack behaviors, processes, and assumptions.
That’s where the non-technical side comes in:
- Social engineering defenses that go beyond basic phishing training and actually simulate the tactics attackers use today, like MFA fatigue, deepfake audio, and helpdesk impersonation.
- Policy design that isn’t written in isolation by compliance teams, but shaped by how people actually work, including the shortcuts they take under pressure.
- Incident response playbooks that account for cross-functional confusion, legal hesitation (such as uncertainty over reporting deadlines under rules like NIS 2), and the political realities of declaring a breach.
- Outsourcing and contracting decisions that don’t just weigh cost savings, but also the cyber risk inherited from the third party.
- Culture: the kind where employees feel safe reporting mistakes and leadership doesn’t shoot the messenger.
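MFA fatigue (push-bombing) is one of the tactics listed above, and it leaves a visible trace in authentication logs: a burst of denied or timed-out push prompts for one account, often ending in a single approval when the user gives in. The detector below is an added example written for this post, not DIESEC’s tooling or any vendor’s rule; the log line format and the sample lines are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List


@dataclass
class MfaEvent:
    ts: datetime
    user: str
    result: str   # push_denied | push_timeout | push_approved
    src_ip: str


def parse_line(line: str) -> MfaEvent:
    """Parse one constructed log line: '<ISO ts> user=<u> result=<r> ip=<ip>'.
    This is a hypothetical format, not a real MFA provider's output."""
    ts_str, rest = line.split(" ", 1)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    return MfaEvent(datetime.fromisoformat(ts_str), fields["user"], fields["result"], fields["ip"])


def detect_mfa_fatigue(lines: List[str], window: timedelta = timedelta(minutes=10),
                       threshold: int = 5) -> List[Dict]:
    """Return alerts for accounts that receive `threshold` or more unresolved
    (denied/timed-out) push prompts inside `window`, and a higher-severity alert
    when such a burst is followed by an approval."""
    events = sorted((parse_line(l) for l in lines), key=lambda e: e.ts)
    by_user: Dict[str, List[MfaEvent]] = {}
    for e in events:
        by_user.setdefault(e.user, []).append(e)

    alerts: List[Dict] = []
    for user, evs in by_user.items():
        unresolved: List[MfaEvent] = []   # prompts the user did not approve
        for e in evs:
            # drop prompts that fell out of the sliding window
            unresolved = [u for u in unresolved if e.ts - u.ts <= window]
            if e.result in ("push_denied", "push_timeout"):
                unresolved.append(e)
                if len(unresolved) == threshold:   # fire once per burst
                    alerts.append({"user": user, "kind": "burst", "severity": "medium",
                                   "prompts": len(unresolved), "ts": e.ts.isoformat(),
                                   "src_ips": sorted({u.src_ip for u in unresolved})})
            elif e.result == "push_approved":
                if len(unresolved) >= threshold:
                    # the user gave in: treat the session as compromised until proven otherwise
                    alerts.append({"user": user, "kind": "approved_after_burst", "severity": "high",
                                   "prompts": len(unresolved) + 1, "ts": e.ts.isoformat(),
                                   "src_ips": sorted({u.src_ip for u in unresolved} | {e.src_ip})})
                unresolved = []   # an approval resolves the burst either way
    return alerts


# Constructed sample: alice is push-bombed and eventually approves; bob logs in
# normally; carol's occasional denials are too spread out to be a burst.
SAMPLE_LOG = [
    "2025-04-20T09:00:00 user=alice result=push_denied ip=203.0.113.7",
    "2025-04-20T09:01:00 user=alice result=push_denied ip=203.0.113.7",
    "2025-04-20T09:02:00 user=alice result=push_timeout ip=203.0.113.7",
    "2025-04-20T09:03:00 user=alice result=push_denied ip=203.0.113.7",
    "2025-04-20T09:04:00 user=alice result=push_denied ip=203.0.113.7",
    "2025-04-20T09:05:00 user=alice result=push_denied ip=203.0.113.7",
    "2025-04-20T09:06:00 user=alice result=push_approved ip=203.0.113.7",
    "2025-04-20T09:10:00 user=bob result=push_approved ip=198.51.100.20",
    "2025-04-20T09:00:00 user=carol result=push_denied ip=192.0.2.9",
    "2025-04-20T09:07:00 user=carol result=push_denied ip=192.0.2.9",
    "2025-04-20T09:14:00 user=carol result=push_denied ip=192.0.2.9",
    "2025-04-20T09:21:00 user=carol result=push_denied ip=192.0.2.9",
    "2025-04-20T09:28:00 user=carol result=push_denied ip=192.0.2.9",
]


def run_sample() -> List[Dict]:
    return detect_mfa_fatigue(SAMPLE_LOG)


if __name__ == "__main__":
    for a in run_sample():
        print(a)
```

The medium-severity "burst" alert is the one that matters for the holistic argument: it fires before the user has approved anything, which is the moment a helpdesk or SOC should be calling the employee rather than waiting for a compromised session to show up downstream. Tune `threshold` and `window` to your provider’s prompt cadence; a single denial is normal, a run of them is not.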
Now, why do so many organizations still treat cybersecurity as a problem to be solved with technology alone?
A few reasons. First: vendor marketing. The security industry thrives on promising certainty with sweeping statements like “our platform stops 99.9% of threats”. This works because fear sells and complexity doesn’t. But it encourages a worldview where if you just buy the right tool, you’re safe.
A second big reason is technical bias at the top. Many CISOs come from engineering or infrastructure backgrounds. Their instinct is to solve problems with architecture and automation. That’s understandable; after all, it is the domain they control and know about. But people don’t behave like systems. And no amount of tooling can compensate for a toxic culture, an overworked frontline, or a third-party vendor getting compromised, like in the M&S attack.
Benefits of Holistic Cybersecurity
In practice, holistic cybersecurity means embedding security thinking into every layer of operations, not just within the IT or SOC team. Holistic cybersecurity also means aligning business strategy with cyber risk posture. It forces the question: are we saving money, or just transferring risk to a part of the organization we don’t control? In the M&S case, the answer was clear, and risk came back with a vengeance.

Some benefits you can expect from stepping back and looking at security this way are:
- Fewer blind spots. You catch the weak points that tools can’t see, like cultural pressure to stay silent after clicking a suspicious link, or departments quietly running shadow IT on unauthorized SaaS tools.
- Stronger incident response. When security is embedded into cross-functional workflows, your company and teams move faster and more coherently under pressure. You don’t waste precious hours figuring out who owns what or waiting for approvals.
- Better ROI from your tools. Your expensive detection platforms work better when the upstream processes feeding them, like access provisioning, employee awareness, and vendor controls, aren’t leaking risk.
- More resilient supply chains. By evaluating third-party risk and decision-making in operational terms, not just via checklists, you reduce the chance of inherited breaches from partners, suppliers, or outsourced functions.
DIESEC’s range of services can help your business move to a more holistic cybersecurity approach.
We’ll conduct phishing simulations that assess the strength of employee awareness rather than just your technical barriers against intrusion. We also have GRC services that offer expert guidance to step back and view the bigger picture of robust governance, identifying unseen risks, and managing compliance challenges.

