In recent weeks, three major UK institutions — the NHS, Marks & Spencer, and the Ministry of Justice — have fallen victim to high-profile cyber attacks. The fact that these reputable enterprises were hacked might come as a surprise to you, but to me? Not so much.
As someone working in cyber security day in and day out, my view is simple: these incidents are not just big company problems. In fact, if you run or manage an SMB, these attacks should be setting off alarm bells. This is not about fearmongering, but the sad reality is that SMBs are even more exposed than large corporations in many ways.
Let’s unpack what happened, what it means for SMBs, and more importantly, what actions you should take today.
Let’s start with the National Health Service (NHS) attack. This was carried out by Scattered Spider, a well-known and highly capable hacking group. In essence, they exploited a vulnerability in Ivanti Endpoint Manager, a piece of software used to manage mobile devices and endpoints. As a result, they accessed sensitive data — including patient records, phone numbers, and critically, authentication tokens. That suggests there is potential for follow-on attacks.
The Marks & Spencer breach was quite similar to the NHS breach, as the attackers targeted mobile entry points – via eSIMs this time – to exploit vulnerabilities in a third-party supplier. The details haven’t all been made public (M&S is a private company), but the pattern is clear.
The original plan was to discuss only those two, but I can’t help mentioning the Legal Aid breach because it’s closely related. Legal Aid (a part of the Ministry of Justice) was attacked in a similar way. The main difference is that this attack has been linked to Chinese IP addresses, which is quite concerning.
The key point is this: attackers are no longer going straight for the front door. They’re finding weaknesses in:
And they’re exploiting those gaps to devastating effect. Marks & Spencer is facing a £300 million hit to its operating profit this fiscal year purely from not being able to trade due to the attack.
What should SMBs take from this? It doesn’t matter if you’re a global brand or a two-man band, there’s a lesson to be learned for everyone. And that lesson is cyber resilience.
Too many businesses think that having a few good tools in place is enough. It’s not. At the very least, you need:
Attackers look for the weakest link (“vulnerabilities” is not just a buzzword). In these incidents, that vulnerability was third-party software and mobile entry points — key areas that many SMBs neglect.
Many SMBs simply assume their suppliers are secure. But as we saw with the NHS and M&S incidents, that can be a costly mistake.
In 2025, just having MFA switched on is no longer acceptable (but you should still definitely turn it on). Put simply, if attackers know your defences, they’ll find a way around them.
Attackers are already bypassing MFA through:
One of the best quick wins is deploying Managed Detection & Response (MDR). As I mentioned in this article, MDR providers offer continuous threat monitoring, detection, and response, using advanced technologies and expert analysts to identify and neutralise threats before they can cause harm. Think of MDR as your 24/7 expert eyes and ears that spot attacks that basic defences miss.
Beyond MDR, it’s also crucial to:
Here’s what we offer to safeguard SMBs:
If large organisations like the NHS and M&S can be breached, SMBs are even more vulnerable.
But the good news is that building resilience isn’t out of reach. With a proactive mindset, reputable partners, and the right layered approach, you can dramatically reduce your risk.
Don’t wait until you’re the next headline. The time to act is today.