Cyber attacks flourish in an era of security fatigue

Marks & Spencer breach costly and avoidable but there will be more of that ilk

The long-term strategy requires a rethinking of how we develop IT talent. Photograph: Getty Images

We have been here so many times before. The saying goes that those who fail to learn from history are doomed to repeat it. It turns out that those who do are doomed to look on helplessly.

The Marks & Spencer (M&S) cyber hack has knocked about €800 million, roughly 10 per cent, off its share price since Easter. History indicates that the retail giant should have been ready, but also that macro circumstances meant somebody huge, whether it was M&S or not, was likely to err on this level.

You can take your pick when it comes to successful cyber attacks to compare this to. Close to home, the Health Service Executive hack of 2021 comes to mind, although a trick of the mind for many knocks a year off due to its association with the pandemic.

WannaCry was the loudest example of recent times, with an enormous impact back in 2017. We can go to the Bangladesh bank heist of 2016, the Sony hack of 2014, or the TJX (owner of TK Maxx) hack of the mid-2000s.


All of these were enormous, costly, and the result of social engineering. As the M&S hack, like all of these, was of that nature, the natural approach is to think it all comes down to a non-technical person being tricked.

The late Kevin Mitnick held a different view. The security expert, who was previously a hacker known as the Condor, felt that mindset misses the point. His thesis was that if a company knows its weak point is its end user, then it should act to protect that end user from being exploited.


When these kinds of breaches happen, the question being asked should be, what else needed to happen in order for such an exploit to be possible? The answer, all too often, is very little.

The global skills shortage is one that has been warned of since before pandemic times. Indeed, Google any one of the cyber hacks listed earlier in the article and concerns about the availability of sufficient skilled IT security staff will be found in most of the coverage.

This is a decades-long problem that is compounding with time. It is one made worse by security fatigue. Essentially, every time a security expert warns a business of a potential threat, the business gets a little more used to the warnings. Over time, especially if most or all of these threats are averted, apathy sets in and the level of risk is ignored.

Then, after years of a company not realising how much work had been done to prevent an attack or how close it had come to being hit, the breakthrough comes. There’s an air of surprise in the organisation, but the symptoms are clear.


In an era where these skills are only increasing in demand, more and more organisations are flying closer to the sun than they realise.

We should expect more of these and not just because of that shortage. The current macro conditions are ideal for emboldening both high grade professional hackers, like the Scattered Spider group being blamed for the M&S hack, and state level actors.

Tensions over global tariffs and what they could mean for business, including the impact on supply chains, present a golden opportunity for nefarious actors. Business leaders are somewhat stretched thin when it comes to their priorities.

The immediate big concern of tariffs naturally has the lion’s share of their attention. Add to that the under-resourcing of IT teams globally and there’s a lot of low-hanging fruit waiting to be picked off.


It’s grim-looking and Marks & Spencer will likely be followed by more hacks of its ilk soon. That doesn’t mean that nothing can be done to reduce the likelihood substantially, in the near and long term.

The Mitnick mindset needs to be at the core of the approach to security. Quite frankly, a chief executive should put themselves in the shoes of their front-line employees. If the boss isn’t the most IT-savvy person in the organisation, how can they expect those at the coalface to be?

With that in mind, protecting that point of vulnerability should be about doing everything possible so that the end user never has to worry about being targeted. IT protocols should be in place to make it impossible for that weak link to bring everything down inadvertently.

That’s the short term. The long-term strategy requires a rethinking of how we develop IT talent. It was an area I wrote about two weeks ago but the short version is that we need more pipelines. Keep building the third-level route but supplement it with apprenticeships and lifelong upskilling.

Anything less than that is putting a band-aid on a bullet wound. The Marks & Spencer hack was costly and avoidable. What feels inevitable is another hack that shows industry has learned nothing from it.