M&S hack attack will have tech firms ringing up the profits

Cyber attacks take longer to fix, and are more of a distraction, than bosses of afflicted companies tend to think at the outset. That’s what fellow chief executives have told Stuart Machin of Marks and Spencer, now four weeks into an attack that will cost it £300mn or around 30 per cent of last year’s operating profit.

What’s bad for hack victims is good for technology providers, because it encourages spending on cyber security. More than four in 10 businesses reported security breaches or attacks in the past 12 months, according to the UK government’s Cyber Security Breaches Survey. While retailers grab the headlines — Harrods and supermarket group the Co-op have also been hit — other industries are even more exposed. 

Technology is therefore part of the cost of the clean-up. M&S, for instance, is accelerating its digital and tech plans. The UK retailer had already doubled cyber security spending since 2021. Globally, investment in anti-hacking software is rising by a mid-teens percentage each year, TD Cowen estimates, and will reach $300bn by 2028. That has spurred the rapid growth of security providers such as Palo Alto Networks, whose revenue in the last three months rose 15 per cent.

Hacking evolves, so executives must run to stand still. Malware, or software designed to cause harm, has fallen from 60 per cent of attacks to about 20 per cent over the past five years, according to CrowdStrike. But “vishing” attacks — using phone calls to extract personal data — quintupled in the second half of last year. Generative AI is a threat, because of its ability to adapt rapidly to new defences, and a solution when it is trained to spot and act on the tiniest abnormal patterns. 

[Bar chart: "Corporate worriers". Responses to the question "Which organisational cyber risk concerns you the most?"]

Spending should go further when bosses and techies agree on the biggest threats. Companies are also building some knowledge of cyber security into their boards. Directors do not have to be experts, but should at least be able to fruitfully discuss the topic with specialists. But there is a big space between knowing what malware and vishing are, and understanding the implications of third-party contractors having access to a company’s systems — the vulnerability that exposed M&S.

The pain for the UK retailer is not over yet. It won’t be able to fully resume online sales for weeks — a huge blow given two-thirds of customers shop both online and in-store. And the reputational hit, too, is nothing to sniff at. It is not clear whether M&S was particularly vulnerable, or just unlucky. Cyber attacks generally involve both. But its plight should prompt other company bosses to bulk up their defences.
