M&S and Co-op Cyberattacks
Cybersecurity for Small Businesses


What Actually Happened?
M&S: Supply Chain Weakness Exposed
A cybercriminal group known as “Scattered Spider” targeted third-party systems connected to M&S. The result? Disrupted operations and an estimated £300 million loss. It was a clear case of supply chain risk—where vulnerabilities in partner systems cascade down to affect core business functions.
Co-op: Data Breach and Ransomware
Co-op was hit by a ransomware attack, believed to be the work of the group “Dragonforce.” Although their core systems remained functional, member data was stolen. It exposed shortcomings in their incident response and highlighted the importance of containment and recovery planning.
Cybersecurity Best Practices for Small Businesses
At MirrorSphere, we support SMEs in building resilient, secure systems. Here are ten actions you can take today to reduce your exposure:
- Secure Your Supply Chain
  - Work only with suppliers who meet security standards like Cyber Essentials or ISO 27001.
  - Ensure contracts include clauses around cybersecurity and incident responsibility.
  - Limit third-party access to only what’s strictly necessary.
- Enable Multi-Factor Authentication (MFA)
  - Use MFA across email, cloud platforms, and VPNs.
  - App-based authenticators (like Microsoft or Google Authenticator) offer stronger protection than SMS codes.
- Keep Systems Patched and Updated
  - Enable automatic updates where possible.
  - Schedule regular reviews to patch critical applications and devices.
- Follow the 3-2-1 Backup Rule
  - Keep 3 copies of your data, on 2 types of media, with 1 stored offsite or in the cloud.
  - Test your backups quarterly to ensure you can restore quickly if needed.
- Educate Your Team
  - Deliver regular security awareness training.
  - Use phishing simulations to identify weak spots and measure improvement.
- Use Endpoint Detection and Response (EDR)
  - EDR tools help detect threats early and isolate affected systems.
  - Look for solutions that monitor for ransomware-specific behaviour.
- Create and Test an Incident Response Plan
  - Clearly document response steps and escalation contacts.
  - Run tabletop exercises to make sure everyone knows their role.
- Implement Role-Based Access Control (RBAC)
  - Only give users access to the data and systems they need.
  - Review permissions every six months to ensure nothing slips through the cracks.
- Harden Email Security
  - Use spam filters and scan attachments and links.
  - Implement SPF, DKIM, and DMARC to protect against spoofing.
- Review Cyber Liability Insurance
  - Check coverage for ransomware, data loss, legal fees, and business interruption.
  - Understand what is excluded before signing.


What This Means for SMEs
You may not have the budget or in-house team that large retailers do—but you do have options. Proactive steps like MFA, backup testing, and employee training make a measurable difference. And with the right IT partner, you don’t have to face these challenges alone.
Final Thoughts
The M&S and Co-op attacks are a reminder that cyber threats don’t discriminate by business size. What matters is preparation. By focusing on proven fundamentals—and partnering with providers who understand security—you can keep your business resilient and responsive, no matter what’s thrown your way.
Need Help Securing Your IT?
At MirrorSphere, we provide trusted, security-focused IT services for small and mid-sized businesses. If you're unsure where to start or want a second pair of eyes on your current setup, get in touch for a no-obligation review. We’re here to help.