Lessons from UK high street highlight importance of cyber resilience

Rt Hon Lord Hague of Richmond Chancellor | University of Oxford

Since the Easter Weekend, Marks & Spencer (M&S), a major UK high street retailer, has been dealing with the repercussions of a cyber-attack. The incident has led to the suspension of online orders, product shortages on shelves, increased demands on staff, and a £750 million reduction in share value.

Even three weeks later, there is no clear indication of when normal operations will resume at M&S. This ongoing disruption threatens profits and risks long-term reputational damage and brand confidence. It underscores the importance of protecting business operations from cyber threats while minimizing impacts when incidents occur—a concept known as cyber resilience. This approach is being explored in new research by the Global Cyber Security Capacity Centre (GCSCC) and the World Economic Forum Centre for Cybersecurity.

Cyber resilience acknowledges that complete security is unattainable and prepares organizations to handle significant incidents like the M&S attack. It involves measures before, during, and after incidents to absorb impacts, recover efficiently, and learn from experiences.

Organizations are increasingly prioritizing cyber resilience to mitigate growing challenges. According to the 2025 World Economic Forum’s Global Cybersecurity Outlook Report, 72% of organizations reported increased cybersecurity risks between 2024 and 2025 due to AI-enhanced attacks, geopolitical tensions, and supply chain risks, among other factors.

The GCSCC and World Economic Forum's latest research highlights practices used by global leaders to enhance organizational cyber resilience. Their "Cyber Resilience Compass" categorizes these practices into seven areas: leadership; governance, risk and compliance; people and culture; business processes; technical systems; crisis management; and ecosystem management.

These areas define what resilience means within specific contexts and offer examples from real-world case studies. The aim is not only to provide insights but also to facilitate experience exchange among cyber leaders.

While details about the recent M&S attacks remain unclear, they exemplify the costs of inadequate cybersecurity strategies. Resources like the Cyber Resilience Compass offer practical guidance for adapting approaches in today's complex digital environment.

In this digitally dependent era, viewing cyber resilience as an imperative rather than an ideal is crucial for businesses aiming to prepare for potential significant cyber incidents. Those that fail to adopt such strategies may become future cautionary tales rather than preventing such outcomes.
