Over the past few weeks and months, a series of high-profile incidents have sent a clear message to UK business leaders, IT directors and finance heads: cyber risk is no longer theoretical and operational disruption is just one exploit away.
These weren’t isolated glitches. They’re symptoms of a much deeper problem: supply chain weaknesses, digital fragility and a lack of resilience in many mid-sized organisations.
What You Need to Learn Now
Whether you’re a company owner, an IT lead managing a lean team or a finance director trying to control costs, these incidents are a strategic red flag.
Here’s what most coverage isn’t telling you and why it matters for your business:
💡 1. The most dangerous risks aren’t even in your building
M&S was compromised through a third-party payroll system. Harrods’ IT estate may have been probed from outside. The problem? You’re now responsible for systems you don’t fully control.
Modern IT environments are stitched together with cloud apps, outsourced platforms and legacy suppliers. That fragmentation is your new attack surface and attackers know it.
Takeaway: Start asking harder questions of your suppliers. Review access permissions, security certifications and breach histories. Make it someone’s job to manage third-party risk continuously, not just during procurement.
💡 2. Not all incidents are “attacks”, but they’re just as costly
The Co-op’s IT breakdown wasn’t labelled a cyberattack. The Iberian blackout might have started as a satellite fault. But the business impact? Still catastrophic. Shops couldn’t trade. Networks failed. Critical systems were offline.
This is the hidden truth: you don’t need to be “hacked” to suffer like you were.
Takeaway: Rethink your incident response plans. Build scenarios around digital denial not just malware. What if you lose phones, broadband, power, or access to your cloud platforms for a day?
💡 3. Cybersecurity is no longer “IT’s job”, it’s a board-level risk
If your business still treats cybersecurity as a technical problem, you’re behind. These events impact operations, revenue, customer trust and legal liability, which makes them finance, risk and governance issues.
M&S’s estimated loss from their breach? Over £60 million in revenue.
What would that look like for your organisation, even scaled down?
Takeaway: Use financial language to drive decisions. Quantify risk exposure. Model downtime costs. Link cybersecurity investment directly to continuity, compliance and client confidence.
💡 4. Your old systems are open doors
Let’s be blunt: every business has technical debt. Old Windows servers, on-prem PBXs, clunky finance systems “that still work.” But attackers actively scan for these weak spots because they’re easy to exploit and rarely patched.
And in regulated sectors, they’re also a compliance red flag.
Takeaway: Catalogue and triage your legacy systems. Build a phased replacement plan starting with anything that can’t be monitored, backed up or protected.
💡 5. Cyber insurance won’t save you if you’re not compliant
Many business leaders are quietly assuming they’re covered. But insurers are tightening terms. If you haven’t implemented multi-factor authentication, endpoint protection, staff training and robust backups, you might not be covered at all.
Takeaway: Review your policy. Don’t just pay the premium; check the fine print. Align your security strategy with the insurer’s current requirements.
Final Word: Don’t Wait for Your Wake-Up Call
M&S, Harrods and Co-op have PR teams, disaster recovery budgets and legal muscle. If they can’t avoid disruption, smaller organisations are even more exposed.
This isn’t just about hackers. It’s about resilience.
It’s about keeping your business running when, not if, something goes wrong.
So, ask yourself:
If not, now’s the time to act.