The M&S cyber attack over the Easter weekend caused major service disruption. Card payments failed. Online orders stopped. Internal systems reportedly went down. It’s still unclear what the attackers accessed—but the consequences were immediate and wide-reaching.

If one of the UK’s most recognised retailers can be hit this hard, it raises a fair question: how would your business cope?

Big brands aren’t the only targets

You might assume attackers go after high-value names like M&S for the payoff. But most cyber attacks aren’t personal. They’re automated, broad, and designed to hit as many organisations as possible—especially those with poor defences. That includes SMEs.

What’s more, smaller businesses often sit in larger supply chains. Attackers know this. They’ll go through the smallest door if it gets them into the biggest building. You might not be the end target, but you could still be the weakest link.

The real-world impact for SMEs

When large businesses get attacked, they can throw people and money at the problem. SMEs don’t have that luxury.

If your business lost email access tomorrow, or your payment system went down for 48 hours, what would happen? For many, even short outages mean lost revenue, panicked customers, and long-term trust issues. And if client data is exposed, you’re looking at legal risk too.

These aren’t hypotheticals—they’re regular outcomes for small businesses across the UK hit by the same tactics used in the M&S cyber attack.

Common SME weak spots

You don’t need to be a cybersecurity expert to understand where most small businesses fall down. Systems get built over time, patched together when needed, and security often takes a back seat. That leads to:

These weaknesses don’t just invite attacks—they practically guarantee them.

Practical next steps

You don’t need an enterprise budget to get ahead of this. There are simple steps you can take now. Review who has access to what. Turn on multi-factor authentication. Ask someone you trust to send a fake phishing email to your team and see who clicks. That’s your training priority.

If you’re not confident where your risks are, get someone in who knows what to look for. A short audit of your systems can highlight major issues quickly.

The M&S cyber attack won’t be the last

Attacks like this will keep happening. They’ll hit headlines when it’s a national retailer—but they happen to businesses like yours every day, quietly, and with much less support to recover.

Don’t wait until it happens to you. Get your systems checked. Lock the doors. Make it harder for someone to walk in.

Need help figuring out where to start? That’s where we come in.

You may also like: Online hackers don’t stop for the holidays!