The UK has witnessed some high-profile cyber incidents this year, with Marks & Spencer (M&S) and Jaguar Land Rover (JLR) making headlines for all the wrong reasons. These cases have attracted a great deal of attention over the last few months, and they also highlight the growing sophistication of cybercriminals and the critical role internal controls play in safeguarding organisations.
What Happened?
Marks & Spencer
In April, M&S fell victim to a ransomware attack linked to the Scattered Spider group. Attackers exploited weaknesses in multi-factor authentication (MFA) and help desk processes, gaining access through social engineering. The fallout was severe:
- Online services disrupted for six weeks.
- £324m in lost sales and a £1bn market value drop.
- Customer data compromised, including names and addresses.
Jaguar Land Rover
In September, JLR faced a large-scale IT shutdown after attackers infiltrated public-facing applications and moved laterally across a poorly segmented network. The impact:
- Global production halted for five weeks.
- Estimated cost: £1.9bn.
- Significant disruption to suppliers and UK car production.
Where Did Internal Controls Fail?
From an internal audit viewpoint, these incidents reveal common weaknesses:
- Identity & Access Management: MFA was implemented but not phishing-resistant.
- Third-Party Risk: Supplier access controls were inadequate.
- Network Segmentation: Flat networks allowed attackers to spread quickly.
- Incident Response: Plans existed but were not tested or timely.
How Good Controls Could Have Helped
- Preventive: Enforce phishing-resistant MFA, apply least privilege access, and conduct regular penetration testing.
- Detective: Deploy advanced monitoring tools (EDR/XDR) and anomaly detection for privileged accounts.
- Corrective: Maintain and test incident response plans and offline backups.
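As an added illustration of the detective control above (example code written for this page, not taken from the original post or from either organisation's tooling), the following Python script runs a simple anomaly check over a handful of constructed audit-log events. It flags a privileged account whose MFA was reset by the help desk and which then signs in, within a short window, from a device that account has never been seen on. The log format, field names, the list of privileged accounts, the known-device map and the sample events are all assumptions made for the example.

```python
"""Added example (not from the original post): a minimal anomaly check for
privileged accounts, run over constructed audit-log events.

It flags a help-desk MFA reset on a privileged account that is followed
within a short window by a sign-in from a device the account has never
used. The log format, field names and sample events are assumptions."""
from datetime import datetime, timedelta

# Constructed sample events (assumption: one dict per event with these fields).
SAMPLE_EVENTS = [
    {"ts": "2025-04-17T09:02:00", "user": "alice.admin", "event": "mfa_reset", "actor": "helpdesk", "device": None},
    {"ts": "2025-04-17T09:15:00", "user": "alice.admin", "event": "signin", "actor": None, "device": "dev-unknown-7f3a"},
    {"ts": "2025-04-17T08:00:00", "user": "bob.admin", "event": "signin", "actor": None, "device": "dev-bob-laptop"},
    {"ts": "2025-04-17T10:30:00", "user": "bob.admin", "event": "mfa_reset", "actor": "helpdesk", "device": None},
    {"ts": "2025-04-18T08:05:00", "user": "bob.admin", "event": "signin", "actor": None, "device": "dev-bob-laptop"},
    {"ts": "2025-04-17T11:00:00", "user": "carol.user", "event": "mfa_reset", "actor": "helpdesk", "device": None},
    {"ts": "2025-04-17T11:10:00", "user": "carol.user", "event": "signin", "actor": None, "device": "dev-new-1"},
]

# Assumption: these would normally come from an IAM export, not be hard-coded.
PRIVILEGED = {"alice.admin", "bob.admin"}
KNOWN_DEVICES = {
    "alice.admin": {"dev-alice-laptop"},
    "bob.admin": {"dev-bob-laptop"},
}
WINDOW = timedelta(hours=24)  # how soon after a reset a new-device sign-in is suspicious


def find_suspicious_resets(events, privileged, known_devices, window=WINDOW):
    """Return (user, reset_ts, signin_ts, device) for each help-desk MFA reset on
    a privileged account that is followed within `window` by a sign-in from a
    device not previously seen for that account. Non-privileged users are ignored."""
    ordered = sorted(events, key=lambda e: e["ts"])  # ISO timestamps sort lexically
    seen = {user: set(devices) for user, devices in known_devices.items()}
    pending = {}  # user -> timestamp of the most recent help-desk MFA reset
    alerts = []
    for e in ordered:
        user = e["user"]
        if user not in privileged:
            continue
        ts = datetime.fromisoformat(e["ts"])
        if e["event"] == "mfa_reset" and e["actor"] == "helpdesk":
            pending[user] = ts
        elif e["event"] == "signin":
            device = e["device"]
            user_devices = seen.setdefault(user, set())
            reset_ts = pending.get(user)
            if reset_ts is not None and ts - reset_ts <= window and device not in user_devices:
                alerts.append((user, reset_ts.isoformat(), ts.isoformat(), device))
                pending.pop(user)  # raise at most one alert per reset
            user_devices.add(device)  # learn the device so later sign-ins are baseline
    return alerts


if __name__ == "__main__":
    for user, reset_ts, signin_ts, device in find_suspicious_resets(SAMPLE_EVENTS, PRIVILEGED, KNOWN_DEVICES):
        print(f"ALERT {user}: MFA reset at {reset_ts}, new-device sign-in at {signin_ts} from {device}")
```

On the sample data only alice.admin is reported: her help-desk reset is followed thirteen minutes later by a sign-in from a device not in her baseline, while bob.admin's later sign-in comes from his usual laptop and carol.user is outside the privileged set. In practice the privileged set and device baseline would be fed from the identity provider, and the alert would route to the incident response process rather than to standard output.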
Simple Recommendations for Businesses
- Strengthen Identity Security: Use MFA with hardware tokens and rotate credentials regularly.
- Manage Supplier Risk: Require cyber certifications and audit key vendors annually.
- Train Employees: Run phishing simulations and awareness programmes.
- Adopt Zero Trust: Verify every access request and segment networks.
- Audit Cyber Resilience: Internal audit should review cyber risk registers and response readiness.
- Backup & Recovery: Apply the 3-2-1 backup rule and test restoration quarterly.
Why This Matters
Cyber incidents are no longer isolated IT issues—they are enterprise-wide risks with financial, operational, and reputational consequences. Internal audit has a vital role in ensuring that cyber risk management is embedded across all lines of defence.
Want to discuss how your organisation can strengthen its cyber resilience?
Contact us at Littlechild & Haley for tailored internal audit and technology risk advisory services.
