Cyber attacks flourish in an era of security fatigue

History has a way of repeating itself, and unfortunately the recent Marks & Spencer (M&S) cyber attack is no exception. The €800 million knock to its share price since Easter is a stark reminder that the most familiar threats are the ones we can least afford to ignore.

We have seen this play out before in numerous high-profile incidents, including the Health Service Executive attack of 2021, WannaCry in 2017 and the Sony Pictures hack of 2014. Even the Bangladesh Bank heist of 2016 and the TJX (owner of TK Maxx) breach of the mid-2000s bear comparison with the M&S breach.

What these attacks have in common is social engineering. In other words, a person rather than a piece of software was tricked, and that deception gave the attackers their way into the company's systems.

The Expert View: Understanding the Complexity of Cyber Threats

Security expert Kevin Mitnick takes a different view. He argues that putting the blame on an individual employee for being "tricked" oversimplifies the problem.

"If you know your weak point is your end user, then you should act to protect them," says Mitnick. "The question we need to be asking is what else needed to happen for this exploit to be possible?"

The Skills Shortage: A Compounding Problem

The skills shortage in IT security has been a persistent issue since before the pandemic. Search for any of the attacks mentioned above and concerns about the availability of skilled security staff will appear in most of the coverage.

This is not a short-term problem; it is a decades-long one that compounds over time. Security fatigue plays a significant role: every time a security expert warns a business of a potential threat, the warning joins the background "noise", and apathy sets in.

The Perfect Storm: Macro Conditions and Business Priorities

Current macro conditions are ideal for emboldening both professional criminal hackers and state-level actors. Global tensions over tariffs present an opening for hostile actors to strike.

Business leaders are stretched thin, and the global under-resourcing of IT teams leaves low-hanging fruit waiting to be picked.

A Call to Action: Rethinking Security Strategies

The outlook is grim, and M&S will likely be followed by more victims, but the likelihood can still be reduced substantially in both the near and the long term. The Mitnick mindset needs to be at the core of security.

"Protecting that point of vulnerability should be about doing everything possible so that it never has to worry about being targeted," he emphasizes. That means having controls in place so that one deceived user cannot inadvertently bring down the entire estate: least privilege, network segmentation and phishing-resistant authentication limit what an attacker gains from a single successful deception.

The Long-Term Strategy: Developing IT Talent

The short-term strategy is crucial, but the long-term approach requires rethinking how we develop IT talent. We need more pipelines, through both apprenticeships and lifelong upskilling.

"Anything less than that is putting a band-aid on a bullet wound," emphasizes Mitnick. The Marks & Spencer attack was costly and avoidable, and unless we change our approach to security, it feels inevitable that the next one will show that industry has learned nothing from it.