
Cybersecurity & Compliance: Protecting your business

Written by Harriet Oliver | May 14, 2025 7:00:00 AM

On the 25th of April, Marks & Spencer, one of the UK’s most trusted retailers, fell victim to a significant cyberattack that threatened to expose customer data and disrupted its online services, resulting in a loss of revenue. The breach sent shockwaves through the business world, not just because of its scale, but because it highlighted how even well-established companies with dedicated security budgets remain vulnerable. For small and mid-sized businesses, the message was clear: if it can happen to M&S, it can happen to anyone.

As cyber threats become more sophisticated and regulatory scrutiny intensifies, protecting your business is no longer just a matter of installing antivirus software or a firewall. It means aligning your cybersecurity practices with compliance requirements, and going beyond them where the risk warrants it. Whether you're handling customer data, processing payments, or managing internal operations, the cost of neglect can be catastrophic, both financially and reputationally.


Understanding the Cybersecurity Landscape

Understanding the cybersecurity landscape is more critical than ever in 2025. Cyber threats are evolving rapidly, and legacy security tools on their own are no longer sufficient. Attackers are adopting new techniques to bypass outdated defences, which in turn drives the need for updated compliance regulations, more stringent security standards, and proactive defence strategies.

The types of threats businesses face today include:

  • Phishing attacks: Still the most common entry point, now powered by AI-generated emails and deepfake calls.
  • Ransomware: Increasingly targeting infrastructure and cloud services, as seen in the DragonForce ransomware deployed in the M&S attack.
  • Insider threats: Malicious or negligent employees can compromise systems, especially in remote or hybrid work environments where teams are distributed.
  • Supply chain attacks: Targeting third-party vendors to infiltrate larger systems, a tactic seen in recent breaches involving managed service providers.

Importantly, small and medium-sized businesses (SMBs) are now prime targets. According to the Verizon 2024 Data Breach Investigations Report, 61% of SMBs experienced a cyberattack in the past year. Cybercriminals often view them as low-hanging fruit because of weaker defences, a lack of in-house cybersecurity expertise, and limited compliance infrastructure. They are commonly targeted by ransomware, business email compromise (BEC), and phishing scams, often with devastating financial and reputational consequences.


What is Compliance in Cyber Security?

  • GDPR (EU): A comprehensive data protection law that applies to any organisation processing the personal data of EU residents, regardless of where the organisation is located. Key requirements include:
    • Lawful Basis for Processing: Organisations must have a valid legal reason to process personal data, such as consent, contract necessity, or legitimate interest.
    • Transparency and Communication: Clear and accessible privacy notices must inform individuals about data collection and processing activities.
    • Data Minimisation and Purpose Limitation: Collect only data necessary for specified purposes and avoid using it beyond those purposes.
    • Data Subject Rights: Facilitate individuals' rights, including access, rectification, erasure, and data portability.
    • Security Measures: Implement appropriate technical and organisational measures to protect personal data.
    • Breach Notification: Report personal data breaches to supervisory authorities within 72 hours and, in some instances, to affected individuals.
    • Data Protection Officer (DPO): Appoint a DPO if processing activities require regular and systematic monitoring of data subjects on a large scale.
    • Accountability and Documentation: Maintain records of processing activities and conduct Data Protection Impact Assessments (DPIAs) when necessary.
  • DORA: DORA (the Digital Operational Resilience Act) aims to strengthen the IT security of financial entities within the EU. Key requirements include:
    • ICT Risk Management: Establish and maintain robust frameworks to identify, assess, and mitigate ICT risks.
    • Incident Reporting: Report significant ICT-related incidents to competent authorities promptly.
    • Digital Operational Resilience Testing: Conduct regular testing, including advanced threat-led penetration tests, to ensure resilience against cyber threats.
    • ICT Third-Party Risk Management: Implement oversight mechanisms for third-party ICT service providers, including contractual arrangements and monitoring.
    • Information Sharing: Participate in information-sharing arrangements to enhance situational awareness and collective resilience.
  • PECR: PECR complements the UK's data protection framework by focusing on electronic communications. Key obligations include:
    • Marketing Communications: Obtain prior consent before sending unsolicited marketing messages via email, text, or automated calls.
    • Cookies and Similar Technologies: Provide clear information and obtain consent before storing or accessing information on users' devices.
    • Traffic and Location Data: Ensure confidentiality and obtain consent before processing traffic or location data.
    • Public Directories: Offer individuals the choice to be included in public directories and respect their preferences.
  • ISO/IEC 27001: ISO/IEC 27001 is an international standard that provides a framework for establishing, implementing, maintaining, and continually improving an information security management system (ISMS). Key components include:
    • Information Security Policies: Develop and maintain policies that align with the organisation's objectives and regulatory requirements.
    • Risk Assessment and Treatment: Identify information security risks and implement appropriate mitigation controls.
    • Leadership and Commitment: Ensure top management demonstrates leadership and commitment to the ISMS.
    • Support and Awareness: Provide necessary resources, training, and awareness programs to support the ISMS.
    • Operational Planning and Control: Implement processes to meet information security requirements and manage changes effectively.
    • Performance Evaluation: Monitor, measure, analyse, and evaluate the ISMS's performance.
    • Improvement: Continually improve the ISMS through corrective actions and management reviews.

Understanding and adhering to these regulatory standards is crucial for businesses to protect sensitive data, maintain customer trust, and avoid legal penalties.

Compliance and cybersecurity are not separate concerns but two sides of the same coin. Regulatory frameworks such as GDPR, PECR, and DORA are designed to institutionalise best practices in data handling, system access, and breach response. By aligning your cybersecurity strategy with these regulations, you’re not just avoiding fines; you’re building systems that are harder to compromise. For example, GDPR’s mandatory breach notification requirements encourage faster incident response, while ISO 27001’s structured risk management procedures ensure vulnerabilities are identified and addressed proactively. In this way, compliance does more than help you meet legal obligations: it strengthens your overall cyber resilience, helping to prevent an attack like the one that hit M&S from succeeding in your business.


Need Help With IT Compliance?

Understanding your responsibilities is the first step. Taking action is the next.

At Fitzrovia IT, we provide expert guidance tailored to your sector and risk profile. Whether you’re looking to achieve ISO 27001 certification, protect your business from cyberattacks, prepare for DORA compliance, set up security architecture, or improve your GDPR practices, our team is ready to help.

Get in touch today to book a compliance consultation or IT health check.