What lessons in cyber resilience can be learnt from the UK high street attacks?
Businesses can now assume cyber-attacks may occur
- The Marks & Spencer cyber-attack underscores the need for businesses to adopt a cyber resilience strategy that assumes cyber incidents will occur.
- The Cyber Resilience Compass identifies seven interconnected areas that organizations should strengthen to improve their handling of cyber threats.
- This article was first published on the University of Oxford website.
Since the Easter weekend, Marks & Spencer (M&S), one of the United Kingdom’s biggest high street retailers, has been managing the fallout of a cyber-attack on its business operations. The attack has forced the company to suspend online orders, led to shortages on shelves, increased working demands on staff and wiped £750 million off the share value.
Even three weeks later, there is still no indication of when these disruptions will end and when M&S will be able to return to business as usual. This uncertainty threatens to not only continue to impact profits but to inflict long-lasting reputational damage and undermine brand confidence.
The ongoing saga highlights the strategic importance of not only protecting key business operations from cyber threats but also minimizing the impacts of significant cyber incidents when they do occur.
This dual approach is known as cyber resilience and is the subject of new research between the Global Cyber Security Capacity Centre (GCSCC) and the World Economic Forum Centre for Cybersecurity.
What is cyber resilience?
Cyber resilience is a broad organizational approach to security that goes beyond traditional cybersecurity by acknowledging that no organisation is capable of being 100% secure anymore.
It encourages organizations to assume that significant incidents, like the M&S attack, will occur and to implement measures (both pre-, during and post-incident) that enable them to absorb, recover and learn from events.
The approach challenges entities to consider the many ways in which they are vulnerable and how they can limit the potential impacts. This might involve ensuring that business-as-usual operations can continue when system outages occur or limiting the harm that could arise from a compromise to the confidentiality of data, such as minimizing the impact on reputation.
Leading organizations are moving towards cyber resilience as a strategic priority to limit the impact of cyber incidents in the face of growing challenges.
According to the 2025 World Economic Forum’s Global Cybersecurity Outlook Report, 72% of organizations saw an increase in cybersecurity risks to their operations between 2024 and 2025. This trend is exacerbated by AI-enhanced attacks that are more sophisticated and scalable, increased geopolitical tensions and an unpredictable supply chain risk landscape, in addition to other factors.
In a visual sense, cyber resilient organizations are those that know how to shrink the circle of impact.
How can cyber resilience be achieved?
Achieving cyber resilience is a complex and ongoing process that requires more than just a single action or tool. Resilience cannot be standardized and the specific actions each organization takes to strengthen its cyber resilience will vary depending on its context.
However, lessons can be drawn from organizations’ front-line experiences and practical learnings. This latest research between GCSCC and the World Economic Forum outlines those practices used by global cyber leaders for improving the cyber resilience of their organisations.
The Cyber Resilience Compass aims to share these practices with other organizations and categorizes them into seven interrelated areas for establishing and enhancing resilience:
- Leadership: Setting goals, making decisions and providing direction in relation to cybersecurity.
- Governance, risk and compliance: Concerns mechanisms for managing risk and meeting compliance requirements.
- People and culture: Strategies and practices for building and retaining a workforce.
- Business processes: Approaches to prioritising, designing, implementing and adapting functions.
- Technical systems: Approaches to designing, deploying and maintaining information technology (IT), operational technology (OT), cloud and cybersecurity tools and controls.
- Crisis management: Components used to respond to and recover from incidents and other crises that affect an organization’s resilience.
- Ecosystem management: An organization’s approach to its wider ecosystem, including its supply chain, customers, competitors, and regulators.
Stakeholders ought to consider these suggested cross-cutting areas to comprehensively adopt a cyber resilience approach within their organisation.
Informed by insights collected by leading cyber experts across geographies and industries, each category defines what resilience means in that particular area and lists examples of specific practices organisations have applied to advance their resilience.
These practices are further supported by illustrative real-world case studies provided by experts.
Ultimately, the aim for the Cyber Resilience Compass is not to only provide static insights but to become a vehicle for the exchange of front-line experiences – a dynamic tool that serves as a reference for cyber leaders to enhance their cyber resilience strategies.
Heeding the lessons from the high street
While we do not yet know all the facts of the recent M&S cyber-attacks, they have provided yet another example of the costs of a business-as-usual approach to cybersecurity.
Thankfully, through resources such as the Cyber Resilience Compass, organizations are also equipped with practical examples of how to adapt their approach in a complex and evolving environment.
In today’s digitally-dependent world, cyber resilience should not be seen as an ideal but as an organizational imperative.
Businesses must assume that they will be the next victim of a significant cyber incident and leaders should act to prepare for, absorb, respond to and learn from incidents accordingly. If they do not, then it is only a matter of when they will be the next cautionary headline, not if.
License and Republishing
World Economic Forum articles may be republished in accordance with the Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International Public License, and in accordance with our Terms of Use.
The views expressed in this article are those of the author alone and not the World Economic Forum.