What the M&S Cyberattack Teaches Us About Third-Party Risk Management

Posted on June 9, 2025

The recent cyberattack on Marks & Spencer (M&S) has underscored the critical importance of robust Third-Party Risk Management (TPRM) in today’s complex business environments. This incident, which disrupted operations and exposed customer data, offers valuable lessons for organisations aiming to fortify their cybersecurity posture.

Incident Overview

In April 2025, M&S experienced a significant cyberattack that compromised customer data and disrupted online services for over three weeks. The breach was traced back to a third-party vendor, highlighting the vulnerabilities that can arise from external partnerships. The attackers, identified as the Scattered Spider group, exploited this access to infiltrate M&S’s systems, leading to substantial financial and reputational damage.

Key Learnings on Third-Party Risk Management

  1. Comprehensive Vendor Assessments

Organisations must conduct thorough due diligence when engaging third-party vendors. This includes evaluating their cybersecurity practices, access controls, and incident response capabilities. Regular audits and assessments can help identify potential weaknesses before they are exploited.

  2. Continuous Monitoring

Implementing continuous monitoring of third-party activities can provide early detection of suspicious behaviour. Tools that offer visibility into vendor networks and data flows are essential for timely threat identification and response.

  3. Strengthening Access Controls

Limiting third-party access to only the systems and data they need minimises the potential attack surface. Applying the principle of least privilege and enforcing multi-factor authentication further reduces the risks associated with external access. Review supplier access regularly, and ensure suppliers have procedures in place to notify you when employees who hold that access leave their organisation.

  4. Employee Training and Awareness

Understand what training the supplier delivers to its users and what policies it has in place. Human error remains a significant factor in cybersecurity breaches. Regular training programmes can equip employees with the knowledge to recognise and respond to social engineering tactics, such as phishing attempts that target help desks or IT support.

  5. Robust Incident Response Plans

Developing and regularly updating incident response plans ensures that organisations can react swiftly to breaches. These plans should include protocols for communication, system isolation, and recovery procedures to mitigate damage effectively. Agree thresholds with suppliers for which types of incidents they must report back to you.

Implementing Effective TPRM Strategies

To enhance third-party risk management, organisations should consider the following steps:

  • Vendor Risk Classification: Categorise vendors based on the sensitivity of the data they handle and the criticality of their services. This essential feature is built into Azanzi by default.

  • Contractual Security Requirements: Include specific cybersecurity obligations in vendor contracts, such as compliance with industry standards, incident reporting contacts and regular security assessments.

  • Integration of TPRM Tools: Leverage specialised platforms that facilitate vendor risk assessments, monitoring, and compliance tracking.

  • Regular Policy Reviews: Continuously update security policies to reflect evolving threats and incorporate lessons learned from incidents like the M&S breach.


The M&S cyberattack serves as a stark reminder of the vulnerabilities that third-party relationships can introduce. By adopting comprehensive TPRM practices and using TPRM platforms like Azanzi, organisations can better safeguard their systems and data against similar threats. Proactive measures, continuous monitoring, and a culture of security awareness are essential components of a resilient cybersecurity strategy.

Find out how Azanzi TPRM can help mitigate and manage supply chain cyber security.
