Cyber Resilience for SMEs: Lessons from the M&S, Co-op and Harrods Cyberattacks

By Martyn Janes, Lead Cyber Underwriter at rrelentless

When high-profile retailers like Marks & Spencer, the Co-op and Harrods suffer major cyberattacks, the impact is immediate and visible – millions in lost revenue, customers left frustrated and headlines that erode trust. The series of incidents is more than a coincidence – it’s a stark reminder that no organisation is safe from disruption in an increasingly digital world, whether it’s a multinational retailer or an independent business.

For SMEs, many of whom are part of these wider retail and supply networks, the message is clear: cyber resilience is no longer optional. From stolen employee data to disrupted systems and lost productivity, the financial and reputational consequences of cyber incidents are real and are on the rise.

A Visible Reminder of Hidden Risk

The M&S breach, attributed to the Scattered Spider hacking group, is now expected to reduce the retailer’s operating profit by £300 million, with disruption to its £1.3 billion fashion and homeware arms expected to continue for months. According to the company, the attack originated via a third-party contractor, underscoring how vulnerable businesses are through even indirect access points.

The Co-op, meanwhile, confirmed an attempted breach that led to the shutdown of key IT systems to contain the damage. Attackers reportedly used social engineering tactics to impersonate employees and manipulate help desks into resetting credentials, gaining unauthorised access to internal systems. Approximately 20 million members’ personal data may have been compromised.

Shortly after, Harrods was reportedly struck by threat actors claiming to be part of what appears to be the same coordinated campaign, sharing similar tactics such as identity fraud, phishing and IT desk impersonation.

These stories capture public attention, but they reflect a broader, quieter crisis unfolding across the SME sector, one with far fewer safety nets and much higher survival stakes.

The SME Paradox

From where I sit, working with SMEs daily on cyber risk and insurance, the pattern is clear – risk is increasing, but preparedness isn’t keeping pace.

What we’re seeing now isn’t new; what’s different is the visibility. Incidents involving big brands draw attention to issues like ransomware, phishing, supply chain compromise and credential theft. These threats are just as relevant for SMEs, though perhaps less frequently reported.

SMEs rely on the same technologies and third-party systems as large corporations but often lack the layered defences, breach response plans, or internal expertise. This makes them low-hanging fruit for attackers. Yet many still underinvest in cyber protection, including insurance, leaving them dangerously exposed when an incident occurs.

SMEs Must Shift from Reactive to Proactive

For SMEs to compete and survive in today’s risk landscape, a structured approach to cyber resilience is imperative. The first step is awareness. From there, it’s about building habits, systems and partnerships that help SMEs respond confidently, not just reactively, when something goes wrong. Here are five steps SMEs can take now to harden defences and reduce exposure:

  1. Start with people. Human error remains the number one cause of breaches. Invest in employee training to spot phishing, protect credentials and report anomalies early.
  2. Limit access to data. Ensure staff only have access to what they need. This reduces the impact radius of any breach.
  3. Keep systems up to date. Outdated software is low-hanging fruit for attackers. Regular patching is essential.
  4. Establish a response plan. This should be rehearsed and understood by both technical and non-technical staff. Clarity during a crisis can save hours—and reputations.
  5. Integrate insurance with response. Look for cyber insurance that includes 24/7 breach support, legal guidance and comms advisory—not just financial coverage.

Final Thought

If the recent cyber incidents highlight anything, it’s that cyber threats are prevalent and can affect businesses of all sizes. Preparedness isn’t optional, and it can’t be left solely to IT. It’s a strategic concern that demands attention across the business. For SMEs, resilience means more than firewalls and passwords. It includes planning, training and having the right support in place when things go wrong. That support may include cyber insurance, not just as a safety net, but as part of a broader strategy to protect what matters most – customer trust, business continuity and long-term growth.
