
Marks & Spencer, one of the UK’s most iconic brands, has found itself in the headlines. Not just because of its ‘Big Daddy’ pistachio chocolate bar launch, but because of a ‘cyber incident’. The specifics are still unfolding, but the response has already triggered a debate in cyber and communication circles, with some calling the company’s communication a textbook example of calm, practical handling of information. Others are asking how this cyber crime could have happened at all, or insisting that it should never have happened in the first place.
It’s a familiar cycle in the aftermath of a cyber attack. We rush to judge. Questions are asked about ‘why wasn’t this prevented’, ‘where were the controls’, ‘who’s to blame?’. But rarely do we pause to acknowledge the fact that an organisation, just like an individual, has been targeted and victimised.
It begs the question: why is there so little sympathy for businesses that suffer a cyber attack?
If your local post office, supermarket or petrol station were robbed, you would acknowledge the employees and owners of the business as victims. They would be able to close the business while staff came to terms with what happened, and customers would understand. This does not happen with cyber attacks.
Maybe it is partly because we cannot see the criminals that people forget it is a criminal act?
This reaction is part psychological, part cultural. There’s an ingrained belief that big businesses, especially those with sizeable IT and cyber teams, should be invincible and can’t experience cyber crime.
But here’s the truth. No one is immune. Not even multi-billion-pound organisations with robust cyber budgets.
The cyber threat landscape evolves daily. Cyber crime gangs collaborate, share tools and innovate faster than many security teams can keep up. There are zero-day vulnerabilities, third-party exposures, supply chain risks – a never-ending list of moving parts.
When you listen to the lessons from previous attacks on the British Library, Arnold Clark and SEPA, you learn that there is not much that can be said in the first few days, particularly when it comes to technical transparency.
Here’s the thing: good communication is part of a good cyber response.
It’s not an either/or. When done right, it reflects preparation and co-ordination between cyber and communication teams, with a focus on keeping stakeholders informed. It also acknowledges that the communication messages are usually carefully crafted and have many contributors – legal teams, cyber insurance companies, sometimes law enforcement, and other agencies.
If we want to improve cyber resilience across society, we need to rethink how we respond to incidents, especially when the victims are individuals and organisations.
Victim shaming doesn’t encourage better security, it encourages secrecy.
It makes it harder for teams to report incidents early, share lessons learnt or ask for help, and it denies the rest of us the chance to learn and gather vital intelligence after an attack.
Instead, we need to develop a cyber culture where:
The core purpose of M&S is “to bring the magic of M&S through exceptional quality, value, service and innovation to every customer, whenever, wherever and however they want to shop with them”.
It is not to manage a cyber attack.
The responses so far to their incident will be analysed in cyber circles for many weeks to come. But maybe the most important takeaway is this: until we treat organisations as victims of crime, not culprits of incompetence, we’ll continue to miss opportunities to learn, collaborate, support and build a more resilient society.
We are lucky at the Cyber and Fraud Centre – Scotland to have an amazing Incident Response Cadre made up of Scottish organisations that understand victim support and have walked the walk with many organisations going through a cyber attack here in Scotland over the last few years.
Contact us if you’d like to test your incident response plan, or would like to check your cyber culture – we are here to help.
Jude McCorry
(Not a cyber or recognised cyber expert!)