Marks & Spencer’s latest results offer a stark illustration of the new costs of cyber risk.
The retailer revealed today that a cyber-attack earlier this year has almost wiped out its first-half profits. Statutory profit before tax fell 99%, from £391.9 million last year to just £3.4 million, a collapse largely driven by the fallout from the breach.
The company said the attack directly cost around £136 million in system recovery, legal fees, and professional support, not including the weeks of lost sales after its online platform went dark from Easter into the summer.
For one of Britain’s most digitally transformed retailers, the incident is a sobering reminder that in 2025, even the most established brands can be brought to their knees by a single, sophisticated cyber event.
And it’s exactly this reality that prompted the UK’s National Cyber Security Centre (NCSC) to issue a rather unusual piece of advice in its latest annual review: keep pens and paper handy.
The Digital World’s Analogue Backup
At first glance, the suggestion feels like a throwback to another era. But the NCSC’s message is deadly serious. The agency handled 204 “nationally significant” cyber incidents in the year to August 2025 — more than double the previous year’s figure of 89. Even more concerning, 18 of those attacks were deemed “highly significant,” marking a 50% annual increase for the third year in a row.
“Cyber security is now a matter of business survival and national resilience,” said Dr. Richard Horne, CEO of the NCSC, at the agency’s annual review in October. “Our collective exposure to serious impacts is growing at an alarming pace.”
What the NCSC is urging companies to do is not to abandon technology, but to accept that even the best defences can fail, and to plan accordingly. In other words, have a way to operate when your systems, networks, and communications all go down.
It’s a simple message that many businesses are now realising, painfully, they weren’t prepared for.
When Major Brands Fall Offline
The UK’s corporate landscape has been hit by a string of damaging cyber attacks over the past year. Marks & Spencer’s collapse in half-year pre-tax profit is just the latest example. Earlier in 2025, the Co-op faced similar chaos, estimating a £206 million impact from its own cyber incident that disrupted 2,300 outlets and exposed sensitive customer data. Harrods, Pandora, and Adidas also faced significant attacks that temporarily halted operations or compromised information.
Perhaps most striking was the attack on Jaguar Land Rover, which forced production to stop across all its factories in the UK and abroad. The company had no active cyber insurance at the time and has warned that the total cost of the cyber attack to the UK economy is an estimated £1.9bn. Some suppliers have already made redundancies, underscoring how a single cyber attack can cascade through an entire industrial ecosystem.
The problem is not confined to Britain. In Japan, beer giant Asahi was recently forced to process orders by hand after a ransomware attack paralysed its systems. The company resorted to faxes and paper forms to keep shipments moving, an extraordinary image for a global business in the digital age, but a perfect illustration of what “analogue resilience” looks like.
From Cybersecurity to Cyber Continuity
What these incidents highlight is that cybersecurity – the technical defence of systems – is no longer enough on its own. The conversation has shifted toward cyber continuity: the ability to keep operating when defences fail.
Most large organisations have invested heavily in firewalls, monitoring, and endpoint protection. Far fewer have detailed, tested plans for functioning when every connected system is suddenly offline. In that moment, a printed contact list, an offline logistics plan, or a manual payment process can make the difference between disruption and disaster.
This is what the NCSC means when it tells companies to prepare to work with pen and paper. It’s not nostalgia; it’s an acknowledgement that resilience means having a viable analogue fallback.
The question for every boardroom now is not “Are we protected?” but “Can we still operate without digital systems, and for how long?”
Resilience Is the New Defence
The government’s new stance marks a subtle but important shift in thinking. For years, cybersecurity strategy focused on prevention: building stronger perimeters, patching vulnerabilities, and buying more sophisticated tools. As the volume and complexity of attacks rise, the focus is moving from defence to survival.
Cyber resilience is no longer an IT function; it’s a matter of operational continuity and national security.
And for senior executives, it’s a direct financial issue, as M&S has discovered the hard way.
There’s a certain irony that in the most technologically advanced era of business, resilience may depend on something as simple as paper. But the principle behind it is profoundly modern: the businesses that survive are those that can adapt fastest when their technology fails. In a world where a cyber attack can wipe out hundreds of millions in profit overnight, “going analogue” isn’t regression – it’s readiness. The companies that thrive in the next decade will be those that treat resilience not as a checklist, but as a competitive advantage.
Today’s leaders know it’s not a question of if systems will fail, but how ready you’ll be when they do.
vXtream partners with enterprises to develop resilient, secure, and adaptable infrastructures that keep business moving, even when digital systems go down. Let’s make sure your organisation can stay operational when the screens go dark – get in touch today.
Gemini Image © Marks & Spencer Media Library 2025

