
When Marks & Spencer hits the headlines for a cyber attack, every business should sit up, spill their coffee, and say, “what would we do?”
In case you missed it, M&S recently confirmed their ongoing cyber attack exposed customer data including names, contact info, dates of birth, and even online order history. Currently, they believe that no payment details or passwords were compromised, but let’s be honest: that’s still a massive GDPR headache, a customer trust issue, and a PR migraine all rolled into one.
It’s a brutal reminder that even the most trusted brands aren’t immune – and neither are you. M&S is a billion-pound brand with resources, IT teams, and a reputation for doing things properly – and they still got hit. Imagine how much harder it would hit a smaller or mid-sized business without a crisis team and a dedicated IT department.
We can help you avoid becoming the next newspaper story – and to start, here’s a quick, no-fluff guide to making sure your business doesn’t become a media star!
Step 1: stop being the weak link
Over 80% – yes, more than 8 out of 10 data breaches – are caused by human error. That means the biggest cyber threat to your business isn’t a hoodie-wearing hacker in a basement… it’s Bob in finance with a suspicious link and a curious streak.
What to do:
- Train your team regularly, not just when something breaks or an incident occurs. Make it part of your culture.
- Simulate phishing attacks to keep them sharp.
- Make training practical, engaging, and a little scary (because it should be).
WE CAN HELP: train 8 staff, get 2 courses free. You train the 8 – we’ll cover the 2 you didn’t know were a risk.
Step 2: password hygiene isn’t just a buzzword
Your systems and data need to be protected, and that starts with a strong password. Best practices:
- Enforce strong, unique passwords (no “qwerty” or “companyname123”).
- Roll out multi-factor authentication wherever possible.
- Use a password manager so no one has to remember 73 combinations.
And no, Post-It notes under keyboards don’t count as “secure storage.”
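As an added illustration of the password rules above (this is example code written for this article, not part of Data Compliance Pro’s platform), the script below rejects short, common and company-name-based passwords and then checks the candidate against a breached-password list the way the k-anonymity “range” lookup works: only the first five characters of the SHA-1 hash would ever leave your network, and the comparison of the rest happens locally. The common-password list, the breached corpus and the 12-character minimum are constructed assumptions for the demo, not figures from the post.

```python
"""Password policy check plus an offline k-anonymity breach lookup (added example)."""
import hashlib

# Constructed: a tiny stand-in for a real common-password denylist.
COMMON_PASSWORDS = {"password", "password123", "qwerty", "123456", "letmein"}
MIN_LENGTH = 12  # assumed policy value for the demo, not taken from the post


def _build_range_index(passwords):
    """Index passwords the way a range service does: SHA-1 prefix -> {suffix: count}."""
    index = {}
    for pw in passwords:
        digest = hashlib.sha1(pw.encode("utf-8")).hexdigest().upper()
        index.setdefault(digest[:5], {})[digest[5:]] = 1
    return index


# Constructed stand-in for a breached-password corpus (offline, for the demo only).
BREACH_INDEX = _build_range_index(COMMON_PASSWORDS | {"Summer2024!", "Welcome1"})


def seen_in_breach(password):
    """Return how many times the password appears in the (constructed) breach corpus.

    Only the 5-character hash prefix would be sent to a real range service;
    the suffix match is done locally so the password itself never leaves the host."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    return BREACH_INDEX.get(prefix, {}).get(suffix, 0)


def check_password(password, company_name):
    """Return a list of policy problems; an empty list means the password is acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("appears on the common-password denylist")
    compact = company_name.lower().replace(" ", "")
    if compact and compact in password.lower().replace(" ", ""):
        problems.append("contains the company name")
    if seen_in_breach(password):
        problems.append("has appeared in a known breach")
    return problems


if __name__ == "__main__":
    for candidate in ("qwerty", "companyname123", "correct horse battery staple"):
        print(candidate, "->", check_password(candidate, "Company Name") or "OK")
```

In practice the denylist and breach corpus would come from a maintained source rather than the small sets embedded here, but the shape of the check is the same.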
Step 3: phishing isn’t just for the naïve
Today’s phishing emails are slick. They spoof suppliers, mimic banks, and even “look” like internal messages. The moment one of your team clicks a fake invoice or enters details on a bogus form, it’s game over.
Train your team to:
- Pause before they click.
- Be aware of voice phishing (“vishing”) attempts.
- Check sender email addresses.
- Report anything suspicious, no matter how minor.
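To show what “check sender email addresses” looks like when done systematically rather than by eye, here is an added example (written for this article, not code from the original post or from Data Compliance Pro) that triages the headers of a suspect message. It flags a Reply-To that points somewhere other than the sender’s domain, a display name that claims a known supplier while the address is from elsewhere, a look-alike domain one or two characters away from one you trust, and a failed SPF/DKIM/DMARC result. The supplier list and both sample messages are constructed for the demo.

```python
"""Header triage for a suspected phishing e-mail (added example, constructed data)."""
from email import policy
from email.parser import Parser
from email.utils import parseaddr

# Constructed: domains this business genuinely deals with.
KNOWN_DOMAINS = {"acme-supplies.co.uk", "example-bank.com"}


def domain_of(address):
    """Lower-cased domain part of an address header value ('' if there is none)."""
    _, addr = parseaddr(str(address))
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def edit_distance(a, b):
    """Levenshtein distance, used to spot look-alike domains (acme-suplies vs acme-supplies)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def triage_headers(raw_message):
    """Return human-readable warnings for the message headers (empty list = nothing odd)."""
    msg = Parser(policy=policy.default).parsestr(raw_message, headersonly=True)
    warnings = []
    display_name, _ = parseaddr(str(msg.get("From", "")))
    from_dom = domain_of(msg.get("From", ""))
    reply_dom = domain_of(msg.get("Reply-To", ""))

    # 1. Replies would go to a different domain than the one that "sent" the mail.
    if reply_dom and reply_dom != from_dom:
        warnings.append(f"Reply-To domain '{reply_dom}' differs from From domain '{from_dom}'")

    for known in sorted(KNOWN_DOMAINS):
        brand = known.split(".")[0].replace("-", " ")
        # 2. Display name borrows a supplier's name but the address is not theirs.
        if brand in display_name.lower() and from_dom != known:
            warnings.append(f"Display name '{display_name}' suggests {known} but address domain is '{from_dom}'")
        # 3. Look-alike domain: a character or two away from a trusted one.
        if from_dom != known and 0 < edit_distance(from_dom, known) <= 2:
            warnings.append(f"Sender domain '{from_dom}' looks like '{known}'")

    # 4. The receiving mail server already recorded an authentication failure.
    auth = str(msg.get("Authentication-Results", "")).lower()
    for mech in ("spf", "dkim", "dmarc"):
        if f"{mech}=fail" in auth:
            warnings.append(f"{mech.upper()} check failed according to Authentication-Results")
    return warnings


# Constructed sample: a fake-invoice lure impersonating a supplier.
SUSPECT = """From: "Acme Supplies Accounts" <accounts@acme-suplies.co.uk>
Reply-To: payments@outlook-invoices.example
To: bob@yourcompany.example
Subject: Overdue invoice INV-2291 - action required
Authentication-Results: mx.yourcompany.example; spf=fail smtp.mailfrom=acme-suplies.co.uk; dkim=none
Date: Tue, 13 May 2025 09:14:00 +0000

Please see the attached invoice.
"""

# Constructed sample: the same supplier writing from their real domain.
LEGITIMATE = """From: "Acme Supplies Accounts" <accounts@acme-supplies.co.uk>
To: bob@yourcompany.example
Subject: Invoice INV-2291
Authentication-Results: mx.yourcompany.example; spf=pass; dkim=pass
Date: Tue, 13 May 2025 09:14:00 +0000

Please see the attached invoice.
"""

if __name__ == "__main__":
    for label, sample in (("suspect", SUSPECT), ("legitimate", LEGITIMATE)):
        print(label, "->", triage_headers(sample) or "no warnings")
```

None of these checks proves a message is malicious on its own; the point is that each is something a person can be taught to look for, and the script simply makes the same checks repeatable, so a hit is a reason to pause and report rather than to click.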
Step 4: know what to do when things go wrong
If you’re breached, time is everything. Under UK GDPR, you’ve got 72 hours to notify the Information Commissioner’s Office (ICO) and, where applicable, inform affected individuals.
M&S got this part mostly right – they owned the breach, communicated quickly and publicly, and started password resets. But the damage to reputation? That’s harder to patch. Let us help you get your data breach procedure ready and up to date in our platform.
Step 5: prevention is better than a PR disaster
If you’re reading this thinking, “We should probably sort this out,” the time to act was yesterday – but today will do. Let Data Compliance Pro do the hard work and get your plan in place and your team trained from just £32 per month.
Your to-do list:
- Train staff (and keep training them). Click here to start training your team.
- Review password policies and MFA.
- Check your data breach response procedure.
- Review who has access to what.
- Keep your GDPR documentation up to date.
It’s not just about staying compliant. It’s about protecting your customers, your partners, and your reputation.
Train your team. Protect your brand. Don’t be the next headline.
Want help getting started? We’ll help you build a cyber-safe, GDPR-compliant business that’s actually prepared for what’s coming. Own compliance with Data Compliance Pro.