In recent weeks, the cyberattack on Marks & Spencer (M&S) has sparked conversations across boardrooms, IT war rooms, and audit departments alike. While many large organizations invest heavily in firewalls and antivirus software, the M&S breach is a powerful reminder that the most vulnerable link in cybersecurity is often human—not hardware. As an internal audit professional, I’ve been reflecting on this incident—not just in terms of what went wrong technically, but what it teaches us about the broader governance and risk management landscape.
What Happened?
Based on media reports, the cyberattack unfolded through social engineering. In plain terms, the attackers posed as legitimate M&S employees and managed to trick the IT help desk into resetting critical system passwords. This gave them unauthorized access to sensitive infrastructure, including VMware ESXi servers—a type of system commonly used to manage virtual machines in enterprise environments. From there, the attackers deployed ransomware, encrypting data and likely demanding payment to restore access. This wasn’t a story of sophisticated malware or exploited software vulnerabilities. It was a case of misplaced trust and procedural failure, where human judgment was the point of entry.
When Prevention Controls Fail
Let’s start with the elephant in the room: nearly every preventive control failed. The attackers bypassed access control protocols, potentially manipulated multifactor authentication, and exploited one of the most overlooked vulnerabilities—the help desk. This highlights a critical truth: no matter how strong your firewalls and systems are, if people can be deceived, systems can be breached. Most cybersecurity investments focus on prevention. But in this case, prevention alone wasn’t enough. And once an attacker gains access, the clock starts ticking. If the organization has weak detection or response capabilities, damage is inevitable.
Where Should We Reinforce Detection?
Detection is the “early warning system” we hope we never need—but always must have. In the M&S case, attackers managed to deploy ransomware before being stopped, which suggests:
- Lack of behavioral monitoring – Nobody noticed unusual access patterns.
- Limited privilege access tracking – Admin-level activities weren’t flagged.
- Delayed alerting – The breach wasn’t immediately escalated.
- No real-time threat detection or correlation across systems – Silos in IT security monitoring.
Detection systems—like SIEM platforms, behavioral analytics, and log aggregation tools—must be tuned to catch lateral movement, privilege escalation, and odd system activity. Also, incident response teams (internal or outsourced) need to be ready to act immediately, not “first thing Monday.”
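As an added illustration (not code from the original post, and not anything M&S runs), here is the kind of small correlation rule a SIEM analyst would write for exactly this scenario: it reads constructed log lines and flags an admin login to a privileged host that follows a help-desk password reset for the same account, raising severity when an MFA re-enrolment sits between the two. The log format, host names, the set of privileged systems and the 24-hour window are all assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample log lines (not from the incident). Format is an assumed
# normalised "timestamp source event key=value ..." feed as a SIEM might emit.
SAMPLE_LOGS = """\
2025-04-17T09:02:00 helpdesk password_reset user=vadmin01 ticket=HD-1001 channel=phone
2025-04-17T09:05:00 idp mfa_enroll user=vadmin01 device=new-authenticator
2025-04-17T09:40:00 esxi login user=vadmin01 host=esxi-prod-03 src=203.0.113.7 role=admin
2025-04-17T10:00:00 helpdesk password_reset user=jsmith ticket=HD-1002 channel=in-person
2025-04-18T14:00:00 fileserver login user=jsmith host=file-srv-01 src=10.0.5.12 role=admin
2025-04-17T11:00:00 esxi login user=ops02 host=esxi-prod-01 src=10.0.5.20 role=admin
"""

PRIVILEGED_SOURCES = {"esxi", "fileserver"}   # assumed: systems treated as tier-0

def parse(line):
    """Turn one normalised log line into a dict of fields."""
    ts, source, event, *kvs = line.split()
    fields = dict(kv.split("=", 1) for kv in kvs)
    fields.update(ts=datetime.fromisoformat(ts), source=source, event=event)
    return fields

def correlate(log_text, window_hours=24):
    """Flag admin logins on privileged systems that follow a help-desk password
    reset for the same account within `window_hours`. An MFA re-enrolment
    between reset and login raises severity: the second factor was replaced too."""
    window = timedelta(hours=window_hours)
    state, alerts = {}, []
    for rec in sorted(map(parse, log_text.splitlines()), key=lambda r: r["ts"]):
        s = state.setdefault(rec["user"], {"reset": None, "mfa": False})
        if rec["event"] == "password_reset" and rec["source"] == "helpdesk":
            s["reset"], s["mfa"] = rec, False        # new reset starts a fresh window
        elif rec["event"] == "mfa_enroll":
            s["mfa"] = True
        elif (rec["event"] == "login" and rec.get("role") == "admin"
              and rec["source"] in PRIVILEGED_SOURCES and s["reset"]
              and rec["ts"] - s["reset"]["ts"] <= window):
            alerts.append({"user": rec["user"], "host": rec["host"], "src": rec["src"],
                           "ticket": s["reset"]["ticket"],
                           "severity": "high" if s["mfa"] else "medium"})
    return alerts

if __name__ == "__main__":
    for alert in correlate(SAMPLE_LOGS):
        print(alert)
```

On the sample data only vadmin01 fires (reset, MFA re-enrolled, then ESXi admin login 38 minutes later); jsmith's login falls outside the window and ops02 had no reset at all.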
Internal Audit’s Role: We’re Not Just Spectators
1. Cybersecurity Governance Review
- Assess the effectiveness of the cybersecurity governance framework.
- Evaluate whether Board-level risk reporting accurately reflects the evolving threat landscape.
2. Detection and Monitoring Capability Assessment
- Review coverage and responsiveness of security monitoring tools.
- Verify that privilege escalation, lateral movement, and ransomware behaviors are actively monitored and tested.
3. Help Desk and Identity Verification Controls
- Test help desk processes for user identity authentication.
- Evaluate staff training and readiness to respond to social engineering attempts.
- Recommend periodic social engineering simulations or “red team” exercises.
Conclusion
The M&S incident illustrates that even mature organizations are susceptible to targeted, non-technical cyberattacks. As Internal Auditors, we must remain vigilant and forward-thinking, advocating not just for preventive safeguards, but for resilient detection, containment, and response strategies. This case reinforces the importance of embedding cyber risk considerations into enterprise risk management, and ensuring internal audit functions evolve to assess real-world threat scenarios.