Cyber security breaches are on the rise and are changing shape constantly.
According to the UK government’s Cyber Security Breaches Survey 2025 (published by the Department for Science, Innovation and Technology and the Home Office), more than four in 10 businesses (43%) and three in 10 charities (30%) reported experiencing a cyber security breach or attack in the previous 12 months. High-profile attacks on businesses such as M&S provide real-time case studies for organisations that pay attention.
There are broader lessons to learn from these incidents. “In thousands of investigations, at least 50% of required actions after a cyber incident are non-technical,” says Neil Hare-Brown, CEO of cyber security experts Storm Guidance. “These include understanding legal and contractual obligations, ransom negotiation, crisis PR, managing trauma among staff and engaging supply chain stakeholders. Many organisations still have not realised this.”
The basics: budget, people and plan
Adequate IT budgets are another key lesson. Hare-Brown suggests at least 3% of revenue, rather than the sub-1% common in many organisations, but staff awareness is equally important. He says: “Accountants, for example, are often targeted not with ransomware but with transactional fraud, email hijacking and theft of sensitive client data, which criminals can use for extortion.”
The ‘facts’ about what's happening in a cyber incident often change rapidly and unpredictably, says Michael Hoare, former director of national security communications at the Cabinet Office. “It's tricky to communicate enough to help people adjust to the disruption, without speculating and giving out information that turns out to be false.”
Hoare adds: “All of these incidents show the importance and value of preparedness – accounting firms, from the big global players to much smaller companies, should make sure they have a comprehensive plan for when it happens to them, including how they'll communicate with their staff, customers and suppliers."
The NCSC has a published standard on cyber incident response. However, says Hare-Brown, this is focused on the technical aspects. “Most initial points of compromise are not highly advanced technical attacks but social engineering attacks on human beings,” he says.
“In most attacks the weak link is a human being, rather than advanced hacking, but many organisations still view cyber attacks as an IT security problem – a purely technical issue – and that misunderstanding enables criminals to take advantage.”
Here are four lessons that can be learned from the M&S case and similar breaches.
1. M&S – be prepared
In May 2025, M&S revealed that some customer personal data was stolen in an attack that cost the UK retailer a reported £43m a week in lost sales.
The M&S response is telling, says Hare-Brown: “Chairman Archie Norman, when interviewed by a parliamentary committee, described feeling ‘like a rabbit caught in the headlights’. That suggests a lack of preparedness. He should have participated in exercises and been familiar with how to respond to such incidents.”
According to Hare-Brown, Norman avoided directly confirming that the company paid a ransom but, “the long recovery time strongly suggests that they did”. He continues: “If their backups had been complete and functional, recovery would have been faster; instead, backups were likely insufficient or compromised, requiring ransom payment for data restoration.”
Lesson learned: Have robust backups that you have actually tested restoring from, and ensure you’re prepared for incidents.
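The restore test that the point above calls for can be automated. The following script is an added example, not code from the article or from Storm Guidance: it records a SHA-256 manifest of a file tree at backup time, then re-hashes the restored tree and reports anything missing, altered or unexpected. The file names, directory layout and the partially encrypted restore it checks are all constructed for the demonstration.

```python
"""Backup restore check (added example; file names and layout are constructed).

A backup that exists is not the same as one that restores. Build a SHA-256
manifest when the backup is taken, then compare the restored tree against it:
a file that is absent, or whose hash differs, means the backup is not
"complete and functional" and recovery will stall.
"""
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large backups do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Map each file (path relative to root, POSIX style) to its SHA-256 digest."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_restore(restored: Path, manifest: dict[str, str]) -> dict[str, list[str]]:
    """Compare a restored tree against the manifest taken at backup time.

    Returns the files that are missing, whose contents changed (corrupt), and
    any extra files that were not in the original backup set.
    """
    missing, corrupt = [], []
    for rel, expected in manifest.items():
        p = restored / rel
        if not p.is_file():
            missing.append(rel)
        elif sha256_file(p) != expected:
            corrupt.append(rel)
    extra = sorted(set(build_manifest(restored)) - set(manifest))
    return {"missing": missing, "corrupt": corrupt, "extra": extra}


def demo() -> dict[str, list[str]]:
    """Constructed scenario: three files backed up; the restore has one file
    overwritten with garbage (as ransomware encryption would leave it) and one
    file absent. The check must flag both."""
    with tempfile.TemporaryDirectory() as tmp:
        live = Path(tmp) / "live"
        (live / "ledger").mkdir(parents=True)
        (live / "ledger" / "clients.csv").write_text("acme,1000\n")
        (live / "ledger" / "2024.db").write_bytes(os.urandom(1024))
        (live / "notes.txt").write_text("quarter end\n")
        manifest = build_manifest(live)  # taken at backup time, stored off the backup media

        restored = Path(tmp) / "restored"
        (restored / "ledger").mkdir(parents=True)
        (restored / "ledger" / "clients.csv").write_text("acme,1000\n")   # intact
        (restored / "ledger" / "2024.db").write_bytes(b"\x00" * 1024)     # encrypted/garbage
        # notes.txt deliberately not restored
        return verify_restore(restored, manifest)


if __name__ == "__main__":
    print(demo())
```

Keep the manifest somewhere the backup media cannot overwrite it; a manifest stored beside the backup is encrypted along with it when ransomware reaches the backup target, which is the case the check exists to catch.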
2. British Library – update your technology
In 2023, the British Library’s website went down for almost a month after a cyber attack by a ransomware gang that accessed employee data.
The British Library’s main problem, it seems, was legacy technology. “Over years, they had acquired disparate, under-maintained systems that were integrated chaotically,” says Hare-Brown. “When ransomware hit, recovery was extremely difficult. They also lacked ‘forensic preparedness’, so encrypted systems and destroyed logs left investigators unable to determine the point of compromise with certainty, delaying recovery.”
However, he adds, “They were very open after the attack and shared lots of information, including the digital investigators’ report.”
Lesson learned: Invest in up-to-date systems and keep meticulous records.
3. TfL – watch your incident response costs
In September 2024, Transport for London (TfL) suffered a breach that caused £39m of damage and disrupted TfL services for three months.
In TfL’s case, says Hare-Brown, incident response costs charged by the appointed incident response provider were extraordinarily high, raising questions about exploitation of victims by unscrupulous suppliers.
He says: “Since Covid, some IT service providers have added ‘incident response’ to their offerings despite lacking experience, harming victims who do not know what a competent response looks like.
“Even NCSC-assured providers are assessed only on technical capability, not non-technical needs such as legal, PR or ransom negotiation expertise, despite more than half of incident actions being non-technical.”
Lesson learned: Do due diligence on your incident response provider.
4. Co-op – have an ‘unplugging’ plan
Attackers targeted Co-op’s IT networks in April 2025, infiltrating them and extracting some member contact data (names, addresses and phone numbers). No passwords or financial data were compromised. Despite some downtime, Co-op recovered faster than M&S, which had to suspend online sales for six weeks.
Co-op’s quicker recovery suggests better backups and network segmentation, says Hare-Brown: “The decision to unplug everything was significant because it stopped the attack from spreading and encrypting all systems.” Pulling the plug is risky because of the operational fallout such a move brings, but Co-op did it and limited the damage.
Lesson learned: Have the confidence to unplug.
Hear more
Neil Hare-Brown and Michael Hoare expand on these points on ICAEW’s podcast: "How to bounce back from a cyber attack", and ICAEW hosted a webinar looking at the M&S and Co-op attacks which is available on demand.
Action on cyber security can boost growth
As part of ICAEW's campaign on backing business-led growth, we have outlined three key recommendations for government on cyber security:
- Establish a national cyber resilience fund for SMEs
- Enhance cyber security education and awareness
- Incentivise cyber insurance uptake
Cyber security awareness
Each year ICAEW marks global Cyber Security Awareness month with a series of resources and a podcast addressing the latest issues and how to protect your business.