In today’s cyber threat landscape, the question is not whether organisations will be hit, but when and how hard. What truly separates thriving organisations from those that struggle to survive isn’t their ability to prevent every attack, but their capacity to respond, recover, and emerge stronger when attacks inevitably succeed. It’s a shift to a resilience mindset.
This reality became starkly apparent nearly four months ago when Marks and Spencer (M&S), one of the UK’s retail giants, suffered a devastating cyberattack that continues to reverberate through their operations today. The incident exposed employee and customer data, disrupted both online and physical operations, and has already cost the company at least $400 million in profits, a figure that’s likely to climb given that online sales represent roughly one-third of their clothing and home revenue. Their share price plummeted over 6% immediately following the breach, erasing more than £700 million in market value, while the damage to customer trust remains incalculable.
But M&S wasn’t alone. Harrods and Co-Op were hit simultaneously in what security experts describe as a coordinated campaign targeting the entire retail sector. Meanwhile, across the globe, Australian superannuation funds have become prime targets in a series of sophisticated attacks that demonstrate how threat actors are now aggregating multiple smaller targets to maximise their impact. These fund attacks are particularly telling; they show that organisations of virtually any size can become vulnerable when attackers coordinate their efforts across entire sectors.
The 2025 Australian superannuation attacks reveal a troubling evolution in cybercriminal strategy. Rather than focusing solely on large, high-profile targets, threat actors are recognising that hitting multiple smaller organisations simultaneously can be equally lucrative while often facing less robust defences. This approach turns every mid-sized company into a potential target, regardless of whether they consider themselves attractive to cybercriminals.
The Real Wake-Up Call: It’s About Response, Not Prevention
The cybersecurity industry has spent decades obsessing over prevention – building higher walls, better detection systems, and more sophisticated monitoring tools. While these defensive measures remain important, the M&S incident and similar breaches highlight a more fundamental truth: every organisation will eventually face a successful cyberattack.
M&S’s prolonged recovery period, still ongoing two months later, reveals the real vulnerability. Despite being a well-resourced, sophisticated organisation, they lacked the resilience capabilities needed to quickly restore operations. This extended downtime demonstrates that even companies with substantial cybersecurity investments can be devastated when they haven’t adequately planned for the inevitable breach.
The organisations that emerge stronger from cyberattacks share one critical characteristic: they’ve invested heavily in resilience capabilities that enable rapid response and recovery. They understand that in our interconnected, digitally dependent world, resilience isn’t just a nice-to-have; it’s a competitive necessity.
Three Critical Lessons for Building Organisational Resilience
The M&S incident, combined with the broader pattern of attacks we’re seeing globally, offers three fundamental lessons that every organisation must internalise:
1. Identity and Access Management Is Your First Line of Defence
The M&S attack appears to have exploited weaknesses in their identity and access management (IAM) systems, a vulnerability that’s becoming increasingly common. In our hybrid work environment, IAM extends far beyond simple password management. It encompasses zero-trust architectures, multi-factor authentication, privileged access management, and continuous monitoring of user behaviour.
Organisations must treat IAM as critical infrastructure, not an IT afterthought. When attackers can easily move laterally through your systems because of weak access controls, even the best perimeter defences become irrelevant.
2. Employee Training Is a Strategic Investment, Not an Operational Expense
Social engineering played a significant role in the M&S breach, reinforcing that human factors remain the weakest link in most security frameworks. But this isn’t about sending employees through another boring phishing awareness course once a year.
Effective security training must be regular, realistic, and relevant to employees’ actual roles. Team members need to understand their critical role in the organisation’s security posture and be equipped to make good decisions under pressure. When employees truly understand the stakes and their role in protection, they become your strongest asset rather than your biggest vulnerability.
3. Response Plans Must Be Living Documents, Not Shelf-Ware
Much of M&S’s extended recovery time could likely have been prevented with a comprehensive, regularly tested incident response plan. Too many organisations treat their incident response documentation like insurance policies, something they hope they’ll never need and rarely review.
Effective response plans must cover not just technical recovery but also communication strategies, legal requirements, vendor management, and business continuity. These plans need regular testing through tabletop exercises and simulations that reveal gaps before they matter in a real crisis.
The Investment Imperative
The M&S incident represents more than a cautionary tale; it’s a market signal about where value will be created in the coming years. Organisations that invest in comprehensive resilience capabilities will have decisive competitive advantages when attacks occur.
This resilience spans multiple dimensions: physical resilience through backup systems and alternative suppliers, digital resilience via data recovery and system redundancy, and operational resilience encompassing crisis management and stakeholder communication. Companies that can demonstrate these capabilities will command premium valuations, attract top talent, and maintain customer trust even when facing successful attacks.
The pattern we’re seeing in Australia, where coordinated attacks on superannuation funds show that no organisation is too small to be targeted, reinforces this imperative. When threat actors can aggregate multiple targets for maximum impact, every company needs to assume they’re in someone’s crosshairs.
The Path Forward
The question facing every business leader today isn’t whether their organisation will face a cyberattack – it’s whether they’ll be ready to respond, recover, and emerge stronger when it happens. M&S’s ongoing struggles show us the cost of being unprepared, while the coordinated attacks on Australian funds remind us that size offers no protection.
The opportunity lies in learning from these incidents and building the resilience capabilities that tomorrow’s threats demand. In a world where successful attacks are inevitable, resilience isn’t just about survival; it’s about turning crisis into competitive advantage.