Opinion

Beyond the Breach: The True Cost of a Cyber Attack

By Dan Kitchen

When cyber-attacks make the headlines, the spotlight usually falls on the cause. But what often gets missed, and arguably does more damage to a business in the long run, is what happens after: the disruption.

Marks & Spencer’s severe ransomware attack in April crippled its online sales for nearly seven weeks, with further impact still ongoing today. Hackers believed to be affiliated with the Scattered Spider group, known for using DragonForce ransomware, infiltrated the retail giant through complex social engineering.

The scariest part about this? Their security team actually did a lot of things right. Stores were able to continue trading, which is testament to the effective network segmentation that was in place.

The estimated cost: £300 million.

All eyes are usually on the cost of regulatory penalties, such as those from the ICO, but not here. This is £300m of lost sales, of food that had to be disposed of because the systems that calculate the correct stock levels to order were impacted, of projects that had to be deferred or cancelled, and so forth. What’s more, costs like these are not usually covered by cyber insurance policies.

This is the uncomfortable reality of cybercrime in 2025, with as many as 43% experiencing a security breach in the past year. It’s not just a cybersecurity issue; it’s a business continuity crisis.

What downtime really means

When operations grind to a halt, every department feels it. Sales teams can’t convert. Fulfilment stalls. Suppliers go unpaid. Customers lose trust. Internal priorities are flipped upside down, as are growth plans. Projects pause. Recruitment freezes.

In the case of M&S, shelves were left empty. Customer services were overwhelmed. Internal systems, including recruitment platforms, were shut down. This wasn’t just any IT incident: almost everything stopped.

Every day of disruption also damages brand loyalty, which threatens a company’s long-term existence.

In summer 2025, KNP, a haulage company operating over 500 lorries, went into administration as a result of a cyber-attack. Customers couldn’t wait for it to restore its systems and took their business elsewhere.

The anatomy of recovery from an attack

Recovering from a major cyberattack is a staged, structured process. Each phase is essential, and businesses that skip steps often find themselves repeating the cycle.

Pull the Plug

Isolating everything is crucial at this stage. You don’t yet know what has happened or how much damage has been inflicted, but by pulling the plug you can prevent further damage.

Communicate

Telling your customers that you’ve been the victim of a cyber-attack might not seem like a great idea, but research shows that companies that communicate openly fare better.

Make sure you communicate internally too.

Tell your insurer

Many cyber insurance providers will not pay out unless you notify them immediately when you’ve suffered an attack. Make sure you contact them straight away.

Implement Business Continuity Plans

The business may be without its IT systems for some time.

Implement your business continuity plan, deploying alternative ways of working on a temporary basis.

Finding the Root Cause

You need to understand how the attacker managed to gain access and execute their attack. Until this is fully understood, you can’t move forward, since the attacker can simply repeat the attack.

Knowledge from an expert IT services provider or a specialist cyber incident response company is invaluable here.

This can often be a difficult process, particularly where ransomware is involved, since much of the forensic evidence is destroyed during the attack. Companies that have invested more heavily in cybersecurity and have security logs stored in the cloud have a much better chance of moving quickly through this phase.

Report the Incident

You should report the incident to the police, and to the Information Commissioner if you have evidence to suggest that data has been stolen. Similarly, if you are in a regulated sector such as legal or financial services, you often have an obligation to tell your regulator.

Recovery

This is a long process that may take weeks to months depending on the size of the company and how long the attacker has had access to the environment.

An assessment is typically made to understand the most important systems, users and applications in an attempt to recover those first.

In most cases, it’s hard to know what the attacker might have done or what they might have planted, so you have to assume that everything is compromised.

If backups aren’t available from before the date of first compromise, this often means rebuilding everything (every server, every device, every configuration), which is hugely time consuming.

This process often also involves hardening the security posture, sometimes making the investments that should have been made previously.

Repair Relationships & Rebuild Trust

Once the technical recovery is underway, the priority shifts to restoring confidence, both inside and outside the business. This starts with a well-thought-out communications plan. Be transparent with customers, investors, partners and suppliers about what happened, how it’s been resolved, and the measures in place to prevent a repeat. Set expectations clearly and keep updates consistent; silence invites speculation.

Internally, morale often takes a hit after weeks of disruption. Leaders should re-engage teams, acknowledge their resilience, and provide the tools and reassurance they need to move forward. Recovery also relies on people staying coordinated and aligned, something only possible with clear communication and trust across the organisation.

This is also the moment to reinforce employee cyber awareness. Even the most advanced security can be undone by a single compromised credential. Ongoing training, coupled with practical scenario exercises, keeps awareness high and weak links to a minimum.

Handled well, this phase doesn’t just repair relationships; it can strengthen them, turning a crisis into an opportunity to demonstrate accountability and resilience.

The hidden cost: loss of momentum

One of the most damaging consequences of downtime is something that does not appear on the balance sheet: lost momentum.

For businesses with aggressive growth targets, seven weeks offline is not just seven weeks of lost revenue. It is seven weeks of delayed launches, missed marketing windows, eroded customer trust and strategic drift. This type of cybersecurity incident turns strategic growth plans, ideas and projects completely upside down.

Competitors do not wait. Consumer patience is short. And staff who go weeks without access to their usual tools and workflows can become disengaged or demoralised, often leading to higher attrition.

Closing thoughts

The M&S breach should not just be a warning about how attackers operate. It should be a wake-up call about what happens afterwards. Downtime is where the real damage happens. And recovery, if done badly, can cost more than the attack itself.

Cyber resilience is not just about firewalls, multifactor authentication and endpoint detection; as mentioned previously, the M&S security team did everything right. It is about planning how your business continues to function when those systems fail.

That means investing in continuity planning, running realistic scenario exercises, and ensuring that both your infrastructure and your people are ready to respond. Because when the breach happens, and it will, the real test begins the moment everything stops.

Written by Dan Kitchen, CEO, razorblue
August 14, 2025