
Businesses and organizations in the United Kingdom should be legally required to report any major cyberattack that significantly impacts their operations.
That’s what Archie Norman, Chairman of Marks & Spencer, said to the UK’s Business and Trade Sub-Committee on Economic Security, Arms and Export Controls on Tuesday.
According to Reuters, he told the committee that he had learned that “quite a large number” of serious cyberattacks never get reported to the National Cyber Security Centre (NCSC).
“In fact, we have reason to believe there've been two major cyberattacks on large British companies in the last four months which have gone unreported,” Norman said, adding that this is “a big deficit” in knowledge.
“So I don't think it would be regulatory overkill to say if you have a material attack for companies of a certain size, you are required within a time limit to report those to the NCSC,” he stated.
In addition, Norman told the committee that the attackers, a hacking group known as Scattered Spider, used social engineering to break into the company’s systems. The attackers pretended to be a third-party contractor, tricking employees into giving them access to the company’s IT systems and weakening its digital defenses.
The NCSC, the United Kingdom’s cybersecurity agency, called the incident at Marks & Spencer and other retailers “a wake-up call.”
“The disruption caused by the recent incidents impacting the retail sector is naturally a cause for concern to those businesses affected, their customers, and the public. These incidents should act as a wake-up call to all organizations,” Dr. Richard Horne, CEO of the NCSC, said in a press release.
In April, Marks & Spencer came forward to say that it had been dealing with a “cybersecurity incident.”
The incident impacted the company’s contactless payment system and caused its in-store pickup purchases to go offline. Stores remained open, and Marks & Spencer’s website and app continued to operate as normal.
After 46 days, Marks & Spencer resumed online clothing orders. However, at the time of writing, the retailer has yet to restore click-and-collect services.
Last week, Stuart Machin, CEO of Marks & Spencer, told investors that the worst of the fallout from the ransomware attack will most likely be over by August. He previously informed stakeholders that the incident would cost about £300 million.