Business Continuity Management Systems

The April 2025 M&S cyberattack continues to make headlines and has reinforced the need for organisations to invest in developing cyber incident response and crisis management plans that align with a comprehensive resilience strategy. The attack has reportedly cost the retailer more than £1 billion, affected their reputation with customers, and brought into question their ability to manage business continuity disruptions.
This is just one example of how the absence of robust incident preparedness and response planning can amplify the impact of a cyberattack, turning a manageable security breach into a full-blown crisis with significant financial loss, operational disruption, and reputational damage. It underscores the critical importance of having up-to-date and tested incident response and crisis management plans as a core part of your organisation’s resilience strategy.
Read our blog post: 5 benefits of exercising your cyber incident response plan.
The M&S incident serves as a reminder that even well-established organisations are vulnerable if their cyber resilience capabilities are untested. It's not enough to just have a policy or framework in place — organisations must prioritise practical preparedness: realistic scenario testing, clearly defined roles and responsibilities, and documented escalation pathways.
Cyber incident response is much broader than deploying technical fixes; it requires coordinated, cross-functional action under pressure.
Beyond the immediate response, the M&S breach highlights the need to embed cyber threats into broader business continuity and resilience planning. Business continuity plans often neglect the complex, cascading impact of a major cyber incident, in which the loss of one system disrupts the processes, suppliers and customers that depend on it.
Businesses should understand their critical systems and dependencies, define realistic recovery objectives, and ensure leadership is empowered to act decisively.
Our experts understand that effective resilience cannot be built in silos. Recognising that our clients operate in complex environments, we take an all-hazards, scenario-agnostic approach — enabling our clients to prepare for and respond to a full spectrum of risks, whether physical, operational, or cyber.
Achieving true cyber resilience requires more than technical controls. Cyber resilience cannot be effective as a standalone discipline, so we embed it within a broader organisational resilience strategy. This ensures that technical response plans are aligned with wider business continuity objectives, enabling a cohesive response when it matters most and protecting core business functions, stakeholder confidence, and long-term strategic objectives.
Ultimately, this is a board-level issue, and executives must ask the difficult questions about the organisation’s readiness. This accountability is increasingly reflected in regulatory trends, as seen in the EU’s NIS2 Directive and the forthcoming UK Cyber Security and Resilience Bill, both of which place greater emphasis on executive responsibility, risk management, and proactive resilience measures.
Get in touch with us today to find out more about how we can support you with effective incident preparedness and response planning and implementation.