
Latest news with #CyberSecurityBreachesSurvey

M&S shelves hit by shortages as retailer reels from cyberattack

The Independent

29-04-2025


There were empty shelves at some Marks & Spencer stores on Tuesday as the company reels from a cyberattack, with one expert warning it could still take days for the retailer to resume normal operations.

The retailer confirmed there were 'pockets of limited availability' in some shops as a result of its 'decision to take some systems temporarily offline' in response to the attack – but said it was 'working hard' to get availability back to normal.

M&S has been grappling with a major 'cyber incident' for more than a week now, in an incident which first caused problems for its contactless payments and click and collect orders and has since wiped millions off its market value. Last Friday, it paused orders through its website and app, which have remained down as it tries to resolve the problem.

A hacking group operating under the name Scattered Spider and claimed to involve British and American teenagers has been linked to the attack, according to reports, with tech news outlet Bleeping Computer first linking the hacking group to a potential ransomware attack. According to The Telegraph, investigators believe the attackers used a hacking tool from a group known as DragonForce, which bills itself as a 'ransomware cartel', to carry out the breach.

Professor Alan Woodward, a cyber security expert at the University of Surrey and former adviser to the EU's law enforcement agency Europol, told The Independent that although little is known about the nature of the cyberattack, it could still feasibly be days before M&S is able to resume operations.

'I suspect one of the reasons it's taking so long to do all of this is an abundance of caution being exercised – and what they're doing is they are turning over every rock and making sure there's nobody still in there,' said Prof Woodward.

'Because one of the worst things is if a hacker has got in, let the ransomware go, and they can persist on the network, then you might clear it – you might get out of it [the attack] – but they'll just pop back up again.'

He added: 'M&S find themselves in a very difficult place. They know they're losing money hand over fist, but at the same time they don't want to put the systems back on prematurely until they can be absolutely sure that they're safe to use.'

'These systems take a long, long time to build so you can imagine they take a long, long time to analyse as well,' said Prof Woodward. 'The software's incredibly complicated, you've got big systems interoperating with each other, so there's a lot of little nooks and crannies to hide [in].'

The latest Cyber Security Breaches Survey, published by the UK government earlier this month, showed that four in 10 businesses were affected by a cyber attack or breach in the last year – a slight drop on the previous year.

Describing the UK as being 'probably better prepared than many other countries', Prof Woodward said: 'Most of the big companies actually do work with our National Centre for Cyber Security, and they share intelligence.'

He added: 'So as soon as M&S was hit that would be flagged to everybody else and they would be able to look for indicators of compromise and see if anything had happened to their own system.'

Noting that 'there are hundreds of attempts a day on these companies to try and penetrate their networks', Prof Woodward continued: 'What we're seeing here is that one success out of a hundred that's got through on one company, and it's having a major impact.

'If they manage to paralyse the right bit of an organisation, they can just stop it trading.'

M&S has been approached for comment.

Four in 10 UK businesses hit by cyber attack or breach in last year

Yahoo

10-04-2025


The number of businesses reporting a cybersecurity breach or attack in the last 12 months has fallen slightly compared with the previous year, according to British government figures.

The annual Cyber Security Breaches Survey found that 43% of businesses and 30% of charities had experienced a breach or attack in the last year, which for businesses was down from 50% last year. The report said the decrease was down to fewer small businesses reporting attacks, but warned that the prevalence of breaches among medium and large businesses remained high.

According to the figures, it was estimated that the average cost of the most disruptive breach for each business in the last 12 months was £1,600 ($2,000) for businesses and £3,240 for charities.

Cyber attacks on businesses and infrastructure have become increasingly common, and the Government has unveiled plans to introduce new legislation – the Cyber Security and Resilience Bill – designed to compel firms to beef up their cyber defences and better protect the UK from the growing threat.

Last year, the government also announced the designation of UK data centres as critical national infrastructure, meaning that in the event of a major incident, including a cyber attack, they will receive the same level of government support as utilities such as water and energy.

According to the Cyber Security Breaches Survey, the last 12 months have seen an improvement in good cyber hygiene practices among smaller businesses, with the uptake of cybersecurity risk assessments, cyber insurance, formal cybersecurity risk policy and continuity plans all reported as rising. However, it said the number of high-income charities reporting good practices, such as carrying out risk assessments, had fallen. The study said insights from charities suggest this could be linked to budget constraints.

The report said a formal cybersecurity strategy was found to be in place at 70% of large businesses, but only 57% of medium-sized firms.

Simon Whittaker, head of cybersecurity at IT firm Instil, said the UK needed updated cybersecurity laws to help better protect businesses from the 'relentless' attacks they faced.

Whittaker, who is a supporter of the CyberUp campaign, an industry coalition which is calling on the government to update existing cyber laws, said: 'Today's results paint a stark picture of the cyber threats facing UK organisations.

'Time and again, we see that businesses and charities are under relentless attack, but those on the front line of our digital defences are working with one hand tied behind their back by outdated legislation.

'The Computer Misuse Act 1990, drafted in a different era, is no longer fit for purpose.

'It risks criminalising the very professionals we rely on to detect, defend against and prevent these attacks.

'While other countries have moved with the times to empower their cybersecurity sectors, the UK is still relying on legislation written before smartphones, cloud computing or even the modern internet.

'The government has rightly prioritised cybersecurity with the first dedicated cyber Bill and a wider focus on technology adoption and the digital economy.

'However, these efforts risk being undermined by legal constraints on our cyber defenders if our laws do not catch up with the reality of today's threats.

'We urgently need a modern legal framework that protects the public and enables cybersecurity professionals to do their jobs.'

Cyber security minister Feryal Clark said: 'These figures show why we've put such a focus on making sure the UK has robust cyber security defences in place.

'Cyber attacks are disrupting our citizens, businesses and economy, and this year's survey puts the risks we face into sharp focus. While we are making progress, there's still more to do, and we all have a role to play.

'That's why in the last 10 days we've set out our plans for cyber security legislation and launched a suite of packages to support businesses in shoring up their defences – working to protect the public and the economic growth which is central to our Plan for Change.'

Four in 10 UK businesses hit by cyber attack or breach in the last year

Yahoo

10-04-2025


The number of businesses reporting a cybersecurity breach or attack in the last 12 months has fallen slightly compared with the previous year, according to government figures.

The annual Cyber Security Breaches Survey found that 43% of businesses and 30% of charities had experienced a breach or attack in the last year, which for businesses was down from 50% last year. The report said the decrease was down to fewer small businesses reporting attacks, but warned that the prevalence of breaches among medium and large businesses remained high.

According to the figures, it was estimated that the average cost of the most disruptive breach for each business in the last 12 months was £1,600 for businesses and £3,240 for charities.

Cyber attacks on businesses and infrastructure have become increasingly common, and the Government has unveiled plans to introduce new legislation – the Cyber Security and Resilience Bill – designed to compel firms to beef up their cyber defences and better protect the UK from the growing threat.

Last year, the government also announced the designation of UK data centres as critical national infrastructure, meaning that in the event of a major incident, including a cyber attack, they will receive the same level of government support as utilities such as water and energy.

According to the Cyber Security Breaches Survey, the last 12 months have seen an improvement in good cyber hygiene practices among smaller businesses, with the uptake of cybersecurity risk assessments, cyber insurance, formal cybersecurity risk policy and continuity plans all reported as rising. However, it said the number of high-income charities reporting good practices, such as carrying out risk assessments, had fallen. The study said insights from charities suggest this could be linked to budget constraints.

The report said a formal cybersecurity strategy was found to be in place at 70% of large businesses, but only 57% of medium-sized firms.

Simon Whittaker, head of cybersecurity at IT firm Instil, said the UK needed updated cybersecurity laws to help better protect businesses from the 'relentless' attacks they faced.

Mr Whittaker, who is a supporter of the CyberUp campaign, an industry coalition which is calling on the government to update existing cyber laws, said: 'Today's results paint a stark picture of the cyber threats facing UK organisations.

'Time and again, we see that businesses and charities are under relentless attack, but those on the front line of our digital defences are working with one hand tied behind their back by outdated legislation.

'The Computer Misuse Act 1990, drafted in a different era, is no longer fit for purpose.

'It risks criminalising the very professionals we rely on to detect, defend against and prevent these attacks.

'While other countries have moved with the times to empower their cybersecurity sectors, the UK is still relying on legislation written before smartphones, cloud computing or even the modern internet.

'The Government has rightly prioritised cybersecurity with the first dedicated cyber Bill and a wider focus on technology adoption and the digital economy.

'However, these efforts risk being undermined by legal constraints on our cyber defenders if our laws do not catch up with the reality of today's threats.

'We urgently need a modern legal framework that protects the public and enables cybersecurity professionals to do their jobs.'
