FLR Spectron

8 Common Cybersecurity Misconceptions That Leave Businesses Vulnerable


May 20, 2025 - News

The recent wave of cyberattacks targeting Marks & Spencer, Co-op, and Harrods has sent shockwaves through the UK retail sector, exposing the real-world impact of persistent cybersecurity myths.

As these high-profile incidents unfold, it’s clear that outdated assumptions leave organisations and their customers dangerously exposed.

In response, Kamran Badhur, our Technical Service Director, has debunked the most common cybersecurity misconceptions and provided expert guidance on how to prevent becoming a victim of a cyberattack.


1. Misconception: “We’re too small to be targeted.”

Reality:

Kamran said, “Attackers don’t care about your size, only your weaknesses. Many attackers use automated tools to scan for weaknesses across thousands of organisations, and small or mid-sized companies are often hit hardest because they lack the sophisticated defences of larger companies.”

How to protect your business:

“Believing you’re too small to be targeted is the most dangerous vulnerability of all,” says Kamran.

•  Make cybersecurity a business-wide priority, not just an IT issue.
•  Invest appropriately in security tools, staff training, and expert guidance – prevention is far less costly than recovery.
•  Require strong passwords and multi-factor authentication on all critical systems.


2. Misconception: “Our data isn’t valuable to hackers.”

Reality:

Kamran said, “All data has value to cybercriminals. The M&S breach exposed customer contact details, ‘masked’ payment card details and purchase histories, information that can be used for identity theft, fraud, or sold on the dark web.

“However, even seemingly minor data, such as delivery records or loyalty points, can be weaponised. Criminals use this information to impersonate customers, launch targeted phishing attacks, or combine it with other stolen data to commit larger frauds.”

How to protect your business:

“No data is worthless. Attackers can piece together small data points to execute large-scale fraud or social engineering attacks,” Kamran explains.

•  Catalogue and classify all data according to sensitivity, so you know what you hold and where.
•  Limit access to sensitive data strictly on a need-to-know basis, and review who has access regularly.
•  Encrypt data in transit to prevent interception, and at rest so that stolen disks, backups or database exports are unreadable without the keys.
•  Regularly review and securely delete data that is no longer required – data you no longer hold cannot be stolen.

3. Misconception: “Remote or hybrid working makes us less of a target for cyberattacks.”

Reality:

Kamran explains, “Remote and hybrid working have made it easier for attackers to find weak spots. In the Co-op breach, hackers sent convincing phishing emails to remote employees, tricking them into giving up their login details. With these credentials, attackers accessed Co-op’s systems through remote access tools that weren’t fully secured or updated. Once inside, they used advanced hacking tools and exploited known software flaws to move through the network, steal sensitive data, and maintain their access.”

How to protect your business:

“Remote work is here to stay, but it brings new risks that must be managed,” Kamran emphasises.

•  Require an MFA-protected VPN or remote-access gateway and endpoint security for all remote access, and keep those remote access tools patched so known flaws cannot be exploited.
•  Provide ongoing phishing awareness training focused on the remote-work scenarios attackers imitate, such as fake login pages and IT support requests.
•  Monitor all devices accessing company data, including personal devices if they are permitted.

4. Misconception: “Cyber threats only occur during business hours.”

Reality:

Kamran explains, “Cybercriminals tend to target ‘zombie hours’ – think late nights, weekends and holidays – the hours when monitoring is reduced. Both the M&S and Co-op breaches occurred during these low-vigilance periods, allowing attackers to stay hidden for longer.”

How to protect your business:

“Cyber threats never sleep. Your defences must be active 24/7,” says Kamran.

•  Implement 24/7 monitoring via internal teams or MDR providers.
•  Set automated alerts for suspicious off-hours activity, such as successful logins at night or on weekends, logins from unfamiliar locations, or a burst of failed logins followed by a success.
•  Test incident response plans for attacks at any time, including who is on call at 3 a.m. on a bank holiday.
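As an illustration of what an automated off-hours alert can look like in practice, the following script is an added example and is not code from the article or from FLR Spectron. It assumes a JSON-lines login log with the fields ts (UTC, ISO 8601), user, src_ip and result, as a VPN gateway or identity provider might export, a business day of 08:00 to 18:00 UK time, and a small holiday calendar; the log lines are constructed for the example. It flags successful logins during nights, weekends and holidays, logins from a source address the user has never used during a clean business-hours login, and a success that follows a burst of failures.

```python
"""Flag logins in "zombie hours" and other off-hours anomalies.

Added example, not from the article or FLR Spectron. The log format,
the business-hours window and the holiday calendar are assumptions.
"""
import json
from collections import defaultdict
from datetime import datetime, time, timedelta, timezone

# Assumption: the business runs on UK time; a fixed BST offset keeps the
# example self-contained. Production code should use
# zoneinfo.ZoneInfo("Europe/London") so clock changes are handled.
BUSINESS_TZ = timezone(timedelta(hours=1), "BST")
BUSINESS_START, BUSINESS_END = time(8, 0), time(18, 0)
HOLIDAYS = {"2025-05-26"}  # assumed calendar: UK spring bank holiday
BRUTE_FORCE_THRESHOLD = 5  # failures before a success that trigger an alert
BRUTE_FORCE_WINDOW = timedelta(minutes=10)

# Constructed sample log: one JSON object per line, timestamps in UTC.
SAMPLE_LOG = """\
{"ts": "2025-05-20T10:15:00Z", "user": "alice", "src_ip": "203.0.113.10", "result": "success"}
{"ts": "2025-05-21T16:30:00Z", "user": "bob", "src_ip": "203.0.113.10", "result": "success"}
{"ts": "2025-05-24T02:41:00Z", "user": "alice", "src_ip": "198.51.100.7", "result": "success"}
{"ts": "2025-05-24T22:00:00Z", "user": "bob", "src_ip": "192.0.2.55", "result": "failure"}
{"ts": "2025-05-24T22:01:00Z", "user": "bob", "src_ip": "192.0.2.55", "result": "failure"}
{"ts": "2025-05-24T22:02:00Z", "user": "bob", "src_ip": "192.0.2.55", "result": "failure"}
{"ts": "2025-05-24T22:03:00Z", "user": "bob", "src_ip": "192.0.2.55", "result": "failure"}
{"ts": "2025-05-24T22:04:00Z", "user": "bob", "src_ip": "192.0.2.55", "result": "failure"}
{"ts": "2025-05-24T22:06:00Z", "user": "bob", "src_ip": "192.0.2.55", "result": "success"}
{"ts": "2025-05-26T09:30:00Z", "user": "alice", "src_ip": "203.0.113.10", "result": "success"}
"""


def parse_events(text):
    """Parse JSON lines into event dicts with a 'local' business-time datetime."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        utc = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
        rec["local"] = utc.astimezone(BUSINESS_TZ)
        events.append(rec)
    events.sort(key=lambda e: e["local"])
    return events


def off_hours_reasons(local):
    """Return why a local timestamp counts as off-hours (empty list if it does not)."""
    reasons = []
    if local.strftime("%Y-%m-%d") in HOLIDAYS:
        reasons.append("holiday")
    elif local.weekday() >= 5:  # Saturday or Sunday
        reasons.append("weekend")
    if not (BUSINESS_START <= local.time() < BUSINESS_END):
        reasons.append("outside_business_hours")
    return reasons


def detect(events):
    """Walk events in time order and return alerts for successful logins that
    happen off-hours, come from a source IP not seen in a clean business-hours
    login, or follow a burst of failures (password spraying / brute force)."""
    alerts = []
    known_ips = defaultdict(set)   # user -> IPs seen in clean business-hours logins
    failures = defaultdict(list)   # user -> local times of recent failed logins
    for ev in events:
        user, ip, local = ev["user"], ev["src_ip"], ev["local"]
        if ev["result"] != "success":
            failures[user].append(local)
            continue
        reasons = off_hours_reasons(local)
        if known_ips[user] and ip not in known_ips[user]:
            reasons.append("new_source_ip")
        recent = [t for t in failures[user] if local - t <= BRUTE_FORCE_WINDOW]
        if len(recent) >= BRUTE_FORCE_THRESHOLD:
            reasons.append("success_after_%d_failures" % len(recent))
        failures[user].clear()
        if reasons:
            alerts.append({"ts": ev["ts"], "user": user, "src_ip": ip, "reasons": reasons})
        else:
            known_ips[user].add(ip)  # only clean logins extend the baseline
    return alerts


def run_sample():
    """Run the detector over the constructed sample log."""
    return detect(parse_events(SAMPLE_LOG))


if __name__ == "__main__":
    for alert in run_sample():
        print(alert["ts"], alert["user"], alert["src_ip"], ", ".join(alert["reasons"]))
```

On the sample log this raises three alerts: alice’s Saturday 03:41 login from a new address, bob’s Saturday-night success after five failures from a new address, and alice’s bank-holiday login from her usual address. Only logins with no findings extend a user’s baseline of known addresses, so an attacker’s first off-hours login never quietly becomes “normal”. In a real deployment the same rules would run continuously against the gateway or identity-provider feed and page the on-call team or MDR provider rather than print to a terminal.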

5. Misconception: “Antivirus software is enough to keep us safe.”

Reality:

Kamran explains, “Antivirus software is no longer sufficient to protect against today’s sophisticated cyber threats. Attackers use advanced methods such as fileless malware, zero-day exploits, and highly targeted phishing campaigns that can easily bypass traditional antivirus solutions.”

How to protect your business:

“Antivirus is just one layer of defence. Modern cyber threats require a multi-layered security approach that includes proactive detection and response capabilities,” explains Kamran.

•  Deploy Endpoint Detection and Response (EDR) tools for real-time monitoring and rapid response to suspicious activity, going beyond what traditional antivirus can catch.
•  Use multi-factor authentication and strong access controls to add extra barriers against unauthorised access.
•  Schedule frequent penetration tests and security audits to identify and fix vulnerabilities before attackers do.

6. Misconception: “Cyber attacks only take a day or two to fix.”

Reality:

Kamran explains, “Recovery from a cyberattack is often a lengthy and complex process. The M&S breach, for example, has resulted in months of operational disruption, financial loss, and damage to customer trust. Restoring systems is only part of the challenge – organisations must also investigate the breach, comply with regulatory requirements, and communicate transparently with stakeholders.”

How to protect your business:

“Many organisations underestimate the complexity and duration of recovery. A well-prepared business continuity and disaster recovery plan is key to minimise downtime and protect your reputation,” advises Kamran.

•  Create and regularly test a detailed recovery plan so everyone knows what to do if systems go down.
•  Keep secure, up-to-date backups that are stored offline or otherwise separated from your main network so ransomware cannot reach them, and test regularly that they actually restore.
•  Make sure you have clear steps for communicating with customers and partners if an incident occurs.
•  After an attack, review what happened and update your defences to prevent a repeat.


7. Misconception: “We’ll know immediately if we’re hacked.”

Reality:

Kamran said, “Most cyberattacks aren’t obvious right away. Hackers often remain undetected inside systems for days, weeks, or even months, quietly stealing data or preparing for further attacks. Without continuous monitoring and regular security audits, organisations may not discover breaches until significant damage has occurred.”

How to protect your business:

“Assuming you’ll know immediately if you’re hacked is a dangerous mistake. Early detection requires constant vigilance and the right tools,” warns Kamran.

•  Implement 24/7 monitoring solutions that can detect unusual activity in real time.
•  Schedule regular security audits and penetration tests to uncover hidden threats.
•  Establish clear processes for investigating and responding to alerts quickly.


8. Misconception: “Cybersecurity is IT’s responsibility.”

Reality:

Kamran explains, “Cybersecurity isn’t just the IT team’s job – it’s everyone’s responsibility. Most breaches still happen because employees accidentally click malicious links, use weak passwords, or mishandle sensitive data. Without a strong security culture and clear policies, human error remains the biggest vulnerability.”

How to protect your business:

“Technology alone won’t keep you safe. Building a security-aware culture across the entire organisation is critical,” says Kamran.

•  Provide regular, engaging cybersecurity training for all employees.
•  Establish clear, company-wide security policies and ensure everyone understands their role.
•  Encourage staff to report suspicious activity without fear of blame.
•  Integrate security responsibilities into everyday business processes and job roles.

The cyberattacks on M&S, Co-op, and Harrods highlight one clear truth: outdated cybersecurity myths leave businesses dangerously exposed. By understanding the realities and taking proactive, organisation-wide steps, you can protect your business from becoming the next victim.

Don’t wait for a breach to force change: start strengthening your defences today. If you need expert guidance or a security health check, we’d be more than happy to help!
