
What lessons in cyber resilience can be learned from the UK high street attacks?

In a visual sense, cyber resilient organizations are those that know how to shrink the circle of impact. Credit: World Economic Forum and the University of Oxford, from Linkov, I., & Trump, B.D. (2019). "The science and practice of resilience: Risk, systems, and decisions," Chapter 6, Springer.

Dr. Patricia Esteve-Gonzalez from Oxford University’s Global Cyber Security Capacity Center (GCSCC), Department of Computer Science, and Luna Rohland from the World Economic Forum Center for Cybersecurity, outline how organizations can take a strategic approach to minimizing the impacts of cyber-attacks.

Since the Easter Weekend, Marks & Spencer (M&S), one of the United Kingdom’s biggest high street retailers, has been managing the fallout of a cyber-attack on its business operations. This has forced the company to suspend online orders, led to shortages on shelves, increased working demands on staff, and wiped £750m off the share value.

Even three weeks later, there is still no indication of when these disruptions will end and when M&S will be able to return to business as usual. This uncertainty threatens not only to continue to affect profits, but also to inflict long-lasting reputational damage and undermine brand confidence.

The ongoing saga highlights the strategic importance of not only protecting key business operations from cyber threats but also minimizing the impacts of significant cyber incidents when they do occur. This dual approach is known as cyber resilience, and is the subject of the Cyber Resilience Project from the Global Cyber Security Capacity Center (GCSCC) and the World Economic Forum Center for Cybersecurity.

What is cyber resilience?

Cyber resilience is a broad organizational approach to security that goes beyond traditional cybersecurity by acknowledging that no organization is capable of being 100% secure anymore. It encourages organizations to assume that significant incidents, like the M&S attack, will occur, and to implement measures (before, during and after an incident) that enable them to absorb, recover, and learn from events.

The approach challenges entities to consider the many ways in which they are vulnerable and how they can limit the potential impacts. This might involve ensuring that business-as-usual operations can continue when system outages occur or limiting the harm that could arise from a compromise to the confidentiality of data, such as minimizing the impact on reputation.

Leading organizations are moving towards cyber resilience as a strategic priority to limit the impact of cyber incidents in the face of growing challenges. According to the 2025 World Economic Forum’s Global Cybersecurity Outlook Report, 72% of organizations saw an increase in cybersecurity risks to their operations between 2024 and 2025. This trend is exacerbated by AI-enhanced attacks that are more sophisticated and scalable, increased geopolitical tensions, and an unpredictable supply chain risk landscape, in addition to other factors.

How can cyber resilience be achieved?

Achieving cyber resilience is a complex and ongoing process that requires more than a single action or tool. Resilience cannot be standardized, and the specific actions each organization takes to strengthen its cyber resilience will vary depending on its context.

However, lessons can be drawn from organizations' front-line experiences and practical learnings. This latest joint research by GCSCC and the World Economic Forum outlines the practices used by global cyber leaders to improve the cyber resilience of their organizations. The Cyber Resilience Compass aims to share these practices with other organizations and categorizes them into seven interrelated areas for establishing and enhancing resilience:

  • Leadership: setting goals, making decisions and providing direction in relation to cybersecurity.
  • Governance, Risk and Compliance: mechanisms for managing risk and meeting compliance requirements.
  • People and Culture: strategies and practices for building and retaining a workforce.
  • Business Processes: approaches to prioritizing, designing, implementing and adapting functions.
  • Technical Systems: approaches to designing, deploying, and maintaining Information Technology, Operational Technology, cloud and cybersecurity tools and controls.
  • Crisis Management: components used to respond to and recover from incidents and other crises that affect the organization's resilience.
  • Ecosystem Management: an organization's approach to its wider ecosystem, including its supply chain, customers, competitors, and regulators.

Stakeholders should consider these cross-cutting areas in order to adopt a cyber resilience approach comprehensively within their organization. Informed by insights collected from leading cyber experts across geographies and industries, each category defines what resilience means in that particular area and lists examples of specific practices organizations have applied to advance their resilience. These practices are further supported by illustrative real-world case studies provided by experts.

Ultimately, the aim of the Cyber Resilience Compass is not only to provide static insights but to become a vehicle for the exchange of front-line experiences: a dynamic tool that serves as a reference for cyber leaders to enhance their cyber resilience strategies.

Heeding the lessons from the high street

While we do not yet know all the facts of the recent M&S cyber-attacks, they have provided yet another example of the costs of a business-as-usual approach to cybersecurity. Thankfully, through resources such as the Cyber Resilience Compass, organizations are also equipped with practical examples of how to adapt their approach in a complex and evolving environment.

In today’s digitally-dependent world, cyber resilience should not be seen as an ideal, but as an organizational imperative. Businesses must assume that they will be the next victim of a significant cyber incident, and leaders should act to prepare for, absorb, respond to, and learn from incidents accordingly. If they do not, then it is only a matter of when they will be the next cautionary headline, not if.

Provided by
University of Oxford


Citation:
What lessons in cyber resilience can be learned from the UK high street attacks? (2025, May 12)
retrieved 12 May 2025
from
