Cybersecurity breaches have been making headlines lately, with notable attacks on global giants like MGM Resorts and Marks & Spencer (M&S). These recent incidents have raised an important question: if even these industry leaders can fall victim to cyberattacks, how secure are small businesses?
Let’s explore how these breaches occurred, why businesses of all sizes are at risk, and what you can do to protect your organisation from similar threats.
What Happened?
MGM Resorts
In September 2023, MGM Resorts was hit with a ransomware attack that disrupted operations for several days. Attackers gained access through social engineering tactics, such as vishing (voice phishing), targeting employees to obtain credentials. This led to massive operational disruption, affecting hotel reservations, slot machines, and digital key cards. Additionally, sensitive personal data of over 10 million guests may have been exposed, including names, contact details, and birthdates.
Marks & Spencer (M&S)
In April 2025, Marks & Spencer, one of the UK’s largest retailers, suffered its own ransomware attack. This attack resulted in the suspension of online orders and click-and-collect services. While payment information was not stolen, sensitive personal data, including names, addresses, and order histories, was compromised. The breach has already had an estimated financial impact of £300 million, highlighting the massive cost of a cyberattack to a business.
Why Should You Care?
Cyberattacks are on the rise, and businesses of all sizes are vulnerable. If companies like MGM and M&S, with their massive IT security teams, can fall victim to sophisticated attacks, what does that mean for smaller businesses? A data breach can result in a variety of negative consequences:
- Financial Impact: Cyberattacks can lead to immediate financial loss, fines from regulatory bodies, and long-term costs from reputational damage.
- Reputational Damage: Trust is crucial, and a breach can severely damage your brand’s reputation.
- Legal Consequences: Businesses may face lawsuits from affected individuals and regulatory fines for non-compliance with data protection laws.
Moreover, smaller businesses are often seen as easier targets for hackers. With fewer resources dedicated to cybersecurity, cybercriminals might view SMEs as low-hanging fruit. But here’s the important thing: the belief that “only big businesses are targeted” is simply not true.
Cyberattacks are automated, and attackers cast a wide net, going after vulnerabilities regardless of business size. Small businesses are often targeted because they have less robust defences. In fact, most cyberattacks today are not specifically targeted; they are automated, and hackers simply exploit weaknesses wherever they can find them. So, whether you’re a small family-run business or a large corporation, you’re still a target.
Key Takeaways for Your Business
- Human Error is a Major Vulnerability: Both the MGM and M&S attacks exploited human factors, such as social engineering and weak verification processes. This underscores the need for businesses to invest in employee training and implement more secure procedures.
- Data Protection is Crucial: Even non-financial data like contact details and order histories can be valuable to attackers. Whether it’s a customer’s name or a corporate document, every piece of data is a potential target.
- Operational Resilience Matters: A breach doesn’t only affect the company’s data; it impacts operations. The MGM attack, for example, disrupted guest services and operations across its hotels and casinos. This highlights the importance of having resilient systems and reliable disaster recovery plans in place so you can recover quickly from an attack.
- Legal and Financial Consequences: Data breaches often come with legal implications. Businesses may face regulatory fines for failing to comply with data protection laws like GDPR. Lawsuits from affected individuals can also lead to significant financial losses.
- Insurance is Not a Cure-All: While cyber insurance can cover some of the costs of a breach, it cannot replace the need for strong cybersecurity measures. Insurance is just a safety net, not a strategy for avoiding attacks in the first place.
How to Protect Your Business
1. Implement Multi-Factor Authentication (MFA)
Multi-factor authentication (MFA) adds an extra layer of security by requiring a second form of identification (e.g., a text message code, email verification, or fingerprint) alongside your regular password. This makes it significantly harder for attackers to gain access to your systems, even if they’ve stolen a password.
How Carden IT Services Can Help: At Carden IT Services, we can implement and configure MFA across your organisation, ensuring that your employees and systems are protected with the highest level of security. We also offer ongoing support and guidance on MFA best practices, helping you stay ahead of cyber threats.
2. Regular Employee Training
Employees are often the weakest link in the cybersecurity chain. Regular training on how to recognise phishing attempts, create strong passwords, and understand secure practices can significantly reduce the risk of human error. A well-informed team is much less likely to fall victim to social engineering or other types of attacks.
How Carden IT Services Can Help: We provide comprehensive cybersecurity training for your team, tailored to your business’s needs. Our training sessions include real-world examples of phishing, social engineering, and secure practices, ensuring your employees know how to protect your organisation from cyber threats.
3. Conduct Regular Security Audits
Regular security audits are essential for identifying vulnerabilities in your IT systems. These audits can uncover outdated software, unpatched security holes, and other potential risks that could be exploited by cybercriminals. Proactive audits help you address issues before they become critical.
How Carden IT Services Can Help: Carden IT Services offers thorough security audits, tailored to your business’s infrastructure. We assess your networks, devices, and applications for potential weaknesses and provide actionable insights to address them. Our team will help you implement improvements to ensure your systems are secure and compliant.
4. Develop an Incident Response Plan
An effective incident response plan ensures that if a cyberattack occurs, your business can react quickly and effectively. The plan should outline the steps to contain the breach, communicate with stakeholders, and recover operations. Having a structured response can significantly reduce downtime and financial losses.
How Carden IT Services Can Help: We help you develop and implement a robust incident response plan, tailored to your specific business needs. Our team will work with you to ensure that every aspect of your response plan is ready to be executed at a moment’s notice, minimising the impact of a breach.
5. Secure Third-Party Relationships
Third-party vendors and partners can be a weak link in your security chain. Many breaches occur when attackers exploit vulnerabilities in your suppliers’ systems to gain access to your data. It’s essential to vet all third parties for their cybersecurity practices and ensure they follow the same strict protocols you do.
How Carden IT Services Can Help: Carden IT Services can assist you in assessing the cybersecurity practices of your third-party vendors, ensuring that they meet industry standards for security. We’ll help you implement secure processes for managing vendor relationships, so you can trust that everyone in your supply chain is taking cybersecurity seriously.
Free Cybersecurity Assessment with Dave
At Carden IT Services, we understand the importance of cybersecurity for businesses of all sizes. To help you assess your current security posture and ensure your business is protected, we’re offering a free cybersecurity assessment with Dave, one of our expert consultants.
This no-obligation assessment will provide you with a clear understanding of your vulnerabilities and actionable steps to improve your security. Don’t wait for a breach to happen—take proactive steps today to protect your business.
Need Help Protecting Your Business?
The recent hacks on MGM Resorts and Marks & Spencer highlight how vulnerable businesses are to cyber threats, regardless of their size. A single breach can have devastating financial, operational, and reputational consequences. Protecting your business requires vigilance, robust cybersecurity measures, and continuous employee education.
Don’t wait for a breach to happen—assess your cybersecurity posture today. At Carden IT Services, we offer expert solutions to safeguard your business from cyber threats. Contact us today to find out how we can help protect your organisation.