There was great news today as suspects were arrested over cyber attacks on retailers. But there’s no doubt such attacks will continue and there were practical cyber crime takeaways for retailers from this week’s select committee hearing, where M&S directors shared their experience.

Marks & Spencer chair Archie Norman laid bare the impact of the cyber attack on the retailer when he appeared before a parliamentary subcommittee this week.

For someone of Norman’s experience – including one of the biggest-ever turnarounds, Asda in the 1990s – to describe the hack as being like an “out of body experience” shows just what a hammer blow it was.

The hearing brought some valuable insights for the retail industry and the country – public institutions, of course, have been and will be targeted just like M&S.

One noticeable thing was the generally constructive tone of the MPs. Retailers are used to disrespect from a political class that often misunderstands the industry and the vital role it plays – last October’s Budget being the most obvious example.

But the parliamentarians seemed genuinely interested to find out what the government and other authorities might do to better help in such situations.

Unfortunately, it sounded as if the answer is pretty limited. But successes like today’s arrests of suspects are encouraging.

However, it was not a counsel of despair. There are useful takeaways from the attacks on M&S and other retailers, such as the Co-op, also represented at the hearing. They tend to be about processes rather than technology.

For instance, Norman, who went out of his way to stress that he was not criticising the agencies involved, observed that communication on the issue could be more effective and better targeted.

He said: “It’s the [National Cyber Security Centre’s] responsibility to make sure that the information is appropriately networked. I would say, as a comment, and I’ve talked to them about this, I think they would agree the level of NCSC interchange tends to be probably a little bit more at [chief information security officer] level, cybersecurity officer level.

“In my view, it would help to have a little bit more of a boardroom presence. When something like this happens, it is the chief executive’s issue and that level of interchange needs to take place.

“The government can play a bigger role in making sure boards are fully aware and educated about what they experience when [a cyber attack] does happen, because it’s punitive.”

Apart from the NCSC, a variety of organisations, such as the National Crime Agency, which revealed the arrests this week, were also involved. Even the FBI at one stage. Another area for improvement would be “a single port of call” to deal with such situations and to provide proactive advice. As Norman acknowledged, though, resource is an issue for those public bodies.

An important practical suggestion came from M&S’ general counsel Nick Folland. M&S expects to recoup some of the £300m cost of the attack through its insurance. Pretty normal, you might say. But there’s a difference between being insured and having the right policy.

M&S had renewed its policy a year previously, when it doubled its cover. Folland said: “We realised that we were insuring for the trivial and not for the catastrophic, so we flipped the way that we were insuring. We effectively said we’ll take the first amount of exposure ourselves, and then we will insure for the worst-case scenario.”

It was a wise decision – all the more so, with hindsight – and one that other retailers should consider replicating if appropriate.

The attacks on M&S, the Co-op and others won’t be the last. It will happen again; the only question is who to.

Folland also said: “One of the things that we would say to others is make sure you can run your business on pen and paper, because that’s what you need to be able to do whilst all of your systems are down.”

While tech may rule the world – and retail – preparedness and practicality will mark out those who manage to successfully ride out the turbulence.