What M&S taught us about being unprepared
First, they came for our M&S ready meals. Then, white-glove luxury retail at Harrods. Now, even the corner-store staples from The Co-op aren’t safe. In 2025, it’s hard to think that some of Britain’s biggest household names could be knocked offline – possibly for months – by a string of cyberattacks.
Like something out of the Stephen King book, Misery, the attack on M&S hobbled the retailer’s digital lifeline over Easter, targeting services like contactless payments and online orders – which comprise more than a third of its business – and killing its recruitment drive.
Stores have struggled to keep shelves stocked, with automated inventory systems down, and food spoiling. At one point, staff, dragged back to the analogue age, were manually checking fridge temperatures because they couldn’t trust what their digital monitors were telling them.
Two weeks later, online orders are still down, management are dumbstruck, and the problem could linger for months.
Insiders told news outlets that last week had been “just pure chaos” at M&S. Staff were said to have gone without sleep, working reactively and using their own personal devices as company tools, with internal communications constantly shifting.
Since the breach’s disclosure, M&S’s share price has dropped by 7%, resulting in a loss of around £700 million in market value.
“We didn’t have any business continuity plan [for this], we didn’t have a cyber attack plan,” a company source told Sky News.
M&S is not alone: the Co-op Group, which operates over 2,500 grocery and convenience stores across the UK, is also currently flailing over a cyber breach that has forced it to stop card payments, while luxury retailer Harrods shut down parts of its IT systems following “attempts to gain unauthorised access”.
If ever there was a case study for being caught napping at the wheel, it seems businesses have found it in these latest fiascos, which exposed just how vulnerable even established, trusted brands are.
With growing claims that retailers have neglected IT security and lack proper business continuity plans (BCPs), experts warn the sector has effectively left the door open to attacks, especially given the vast troves of consumer data it holds. Processing millions of daily card transactions and holding highly sensitive customer data, retailers present numerous potential entry points for cyber threats.
And cyberattacks are only part of the problem.
Too often, companies view digital growth as a race for speed and scale – chasing slicker customer experiences, higher revenues, a competitive edge, and investor approval. But with that pace comes complexity, and without the right foundations, speed quickly becomes a liability.
What suffers is business continuity, which breaks down due to fragmented systems, siloed teams, and poor planning. Because the digital economy is so interconnected, a single failure, whether it’s a payments system, inventory database, or internal portal, can ripple through the entire organisation.
Many businesses rely on a patchwork of customer relationship management (CRM) tools, content systems, customer service apps and e-commerce platforms, often with little integration. When something breaks or is attacked, teams are left scrambling, as we’ve seen in the M&S case.
That’s where robust BCPs and digital experience platforms (DXPs) come in.
A DXP couldn’t have stopped the cyberattacks on these retailers, but it could have made the fallout less painful. When systems go down and staff are forced to work reactively, a DXP offers centralised control that helps businesses act fast. From a single dashboard, teams can shut down vulnerable services, push urgent updates across websites and apps, and redirect traffic to backup systems. Instead of chaos and mixed messages, you get a coordinated, confident response. By uniting different platforms, like customer data, content, and e-commerce, under one secure roof, a DXP also reduces weak spots that hackers often exploit.
Beyond crisis response, a DXP helps keep businesses running even when something breaks. With built-in tools like system failovers, role-based access controls, and secure team communication portals, companies can maintain critical functions while IT isolates the threat. Staff won’t be stuck using personal phones or cobbling together workarounds.
In short, while it isn’t a silver bullet, a DXP gives businesses the digital backbone they need to protect customer trust and recover quickly when the worst happens.
A well-prepared BCP outlines who does what when things go wrong.
It includes crisis comms protocols, backup procedures, fallback platforms, and training. But a plan is only as strong as the systems that support it.
That’s why pairing your BCP with a DXP is so effective. A strong DXP complements continuity planning by offering built-in monitoring, automated workflows, and flexible publishing tools that enable teams to act fast, share information, and maintain operations under pressure.
No single platform will prevent a crisis.
Companies must plan not just for growth; they must expect disruption. Because digital confidence isn’t just about what you can do on your best day. It’s about how you respond to your worst.