When Marks & Spencer—Britain’s trusted high-street institution—abruptly halted online operations, customers saw a service disruption. Security leaders saw something else: a blueprint of how vulnerable even the most established businesses can be when attackers weave their way through digital systems unnoticed.
The suspected culprits? Scattered Spider, a group whose name now echoes across boardrooms, threat briefings, and cyber crisis playbooks.
But this breach, as damaging as it was, reveals something deeper: in 2025, it’s not enough to defend your network. You must be ready to disconnect it—intelligently, instantly, and physically.
Social Engineering + Dwell Time = Maximum Impact
Scattered Spider’s tactics are rooted in manipulation. They don’t storm the gates—they walk through with cloned IDs, voice-deepfaked access calls, and deep knowledge of your infrastructure. Their attack on M&S, using the ransomware tool DragonForce, encrypted virtual machines and disrupted everything from click & collect to gift cards and contactless payments.
This wasn’t a data breach. It was a total operational event. It showed that no amount of digital maturity or IT investment guarantees protection when connectivity is assumed, rather than controlled.
From Always-On to Always-Vulnerable
What the M&S event reveals is a simple truth: our greatest business enabler—connectivity—is also our weakest point of failure.
The old playbook taught us to secure the perimeter. The new playbook? Assume it’s already been breached. And rethink what protection really looks like when you’re no longer the one in control.
“Disconnect to Protect” Is No Longer a Theory—It’s a Strategic Mandate
In response to this growing threat landscape, InsightBull is working directly with decision-makers, boards, and critical infrastructure leaders to implement Firebreak™—a physical, non-IP-based control layer that takes the concept of segmentation beyond the virtual, and into the real.
Firebreak™ is not just another cybersecurity tool. It’s a switch—a true disconnect mechanism. Invisible when not in use. Offline by default. Immune to packet sniffing, lateral movement, and remote exploit kits.
As part of our mission at InsightBull, we’re helping organisations assess not just what they’re protecting, but how far they’re willing to go to actually protect it. And the answer, more often than not, is this: the time has come to build systems that can go dark when needed.
Lessons Every CISO and Executive Should Take from the M&S Fallout
Cyber Incidents Are Operational Events, Not Just IT Ones When services stop and customer trust is lost, it doesn’t matter how strong your endpoint protection was. What matters is what you had disconnected. Reputation Is Now Tied to Resilience M&S suffered not just technical downtime—but brand disruption. In an age of digital-first engagement, that trust is hard to win back. Firebreak™ Enables True Digital Containment With InsightBull’s support, organisations can identify critical assets, map real-world segmentation needs, and deploy Firebreak™ as a first and last line of control—cutting off attacker visibility before they even start scanning. Boards Must Embrace Cyber Sovereignty This is no longer the realm of CIOs alone. Investors, regulators, insurers, and customers all now have a stake in whether your business can remain sovereign over its systems in a breach scenario.
Conclusion: Protection Without Disconnection Is a Myth
The M&S breach should not be remembered as a failure of technology. It should be remembered as the moment we realised that being connected all the time is a risk strategy, not a business strategy.
At InsightBull, our work is focused on making sure that the next breach doesn’t burn down your brand.
By helping organisations adopt Firebreak™ and embed physical segmentation into their resilience architecture, we’re ensuring that disconnection becomes a strength—not a sign of surrender.
Because when attackers come looking, what they can’t see… they can’t breach.