Appearing before MPs today following a high-profile attack by cyber-criminals, M&S chair Archie Norman discussed retailers’ vulnerability, how the hackers used the media to communicate and the value of mandatory reporting of incidents

Attack comparable to a hostile takeover

“I don’t think there’s anything quite like this – possibly a hostile takeover bid. In the business world we’re used to competing, we’re used to dealing with customers, and products that work or don’t work.

“But it’s very rare to have a criminal actor in another country – or in this country, we’re never quite sure – seeking to stop customers shopping at M&S, essentially trying to destroy your business.

“It’s like an out of body experience. Everybody at M&S experienced it – our ordinary shop colleagues working in ways they hadn’t worked for 30 years, working extra hours just to try and keep the show on the road. Probably the cyber team had no sleep or three hours a night. It was not an overstatement to describe it as traumatic, and it has endured for some weeks.”

M&S didn’t interact directly with the attackers, who frequently communicated through the media

“They never send you a letter signed Scattered Spider. We didn’t even hear from the threat actor for approximately a week after they penetrated our systems. When this is going on, you rely completely upon your security advisors to say what they think is happening…

“We took an early decision that nobody at M&S would deal with a threat actor directly. We felt the right thing was to leave this to the professionals who have experience in the matter.

“But they also communicate through the media. In this case, their chosen avenue of communication was principally the BBC. So they were in contact with them, and the BBC I’m sure handled it completely well. But it was sometimes an unusual experience to be brushing your teeth in the morning when somebody comes on the news with communication from the people who are allegedly attacking our business.”


Hackers see plenty to aim for with retailers

“Businesses like ours have a vulnerability. We have a very wide, what they call, ‘attack surface’. We have 50,000 people – colleagues in stores, contractors, some may be outsourced, some may be in India, who are working on our systems. So the attack surface is enormous and the attacker only has to be lucky once with one of those 50,000.

“The right thing to do is to assume that the perimeter is permeable. Ultimately, can they get in? They probably can, if they try hard enough.”

Systems challenge – and know how to use a clipboard

“We’ve been around since 1884 so we do have legacy systems. We probably wish we didn’t, but all businesses like ours have a hybrid of old and new. That makes it harder to compartmentalise your system. So the question is, if they get in, how easy is it to move laterally? That’s inhibited by the interconnectedness of all our systems. And part of the reason why the attack has been business impairing for us is because we closed down the systems as part of a defence. Once you close them down, bringing them back up in safe form is very difficult.”

Norman contrasted retail with the systems deployed by banks, which typically have “huge redundancy” built in so that back-up capacity is available at any moment in the event of an attack.

He said: “They’d probably have three times the collateral capacity they need. As a retailer, you can’t really afford to do that… I’m old enough to remember a time when they didn’t work and when we had clipboards. You need to be ready to go back to that time. You improvise a way through.”


M&S is still in rebuild mode

“We all think that if your systems go down, what do you do? You go and change the fuse and turn the lights back on. Doesn’t work like that.

“We’ll still be rebuilding in months to come but the customer will not see anything different from the end of this month. We hope it’s the end of this month, maybe before that.

“We are now up and running online, but we’re not back to where we should be in our big automated centre in Castle Donington. It’s a long, slow process back. Some of the background systems that you don’t see will be worked on in October, November, to bring back or replace.”

Another attack must be presumed likely, so a secure restart was vital

“Once you’ve had one cyber attack, you’re more likely to have another, just because you attract attention and people can see what happened.

“We want to make ourselves as resilient as possible for the future, and that means the way in which we bring things back has to be highly protected.

“Our early return was completely resilient. We had no remote working. Everybody working on systems had to be within a data centre which was fully protected. You want to come back in a very secure way. That takes longer than if you had multiple outsourced people working on your system from around the world.”


Regulation won’t stop cyber-attacks, but obligatory reporting of them would be useful

“I don’t think you can regulate your way to security in this space. There are things that the government can do, but I don’t think we should see that as a solution.

“It’s apparent that quite a large number of serious cyber-attacks never get reported to the NCSC [National Cyber Security Centre]. In fact, we believe there have been two major cyber-attacks on large British companies in the last four months which have gone unreported.

“I don’t know, but that’s what we have been advised. We think that’s a big deficit in our knowledge as to what’s happening. So I don’t think it would be regulatory overkill to say if you have a material attack – and define material for companies of a certain size – you are required, within a time limit, to report those to the NCSC. That would enhance the central intelligence body around this.

“I think [action] has to happen at board level, I don’t think it’s a technical problem. The government’s slightly coy about the way it engages with the enterprise sector, but the government has great convening power. If we’re all invited to talk about cyber security and national resilience we will do, and we’ll want to support. Companies like us that have been through the process can add some value.

“I’ve already got one or two boards inviting me to come and see them to share our war stories, which I will certainly do.

“I think the government can play a bigger role in making sure that’s socialised. We would like to use our experience to the benefit of, obviously, the government but other businesses that may experience similar events.”

Was a ransom paid?

“I think that’s a business decision and it’s a principle decision. The question you have to ask – I think all businesses should ask – is, when they look at the demand, what are they getting for it? Because once your systems are compromised you’re going to have to rebuild anyway… in our case, substantially the damage had been done.”

Norman added: “We’ve said that we are not discussing any of the details of our interaction with the threat actor, but that subject is fully shared with the NCA [National Crime Agency] and the relevant authorities. We don’t think it’s in the public interest to go into that subject, partly because it is a matter of law enforcement.”