Introduction
On 22 April 2025, Marks & Spencer (M&S), a staple of British retail and a symbol of resilience, announced it had suffered a cyber incident affecting its in-store services. Contactless payments stalled. Click-and-collect services faltered. Some customers faced frustration, while many others wondered quietly: how could this happen to a company like M&S?
Importantly, M&S acted swiftly, stating in its initial communications that no personal data had been compromised and that both its website and mobile app remained operational. Early statements in incidents of this kind are often revised as the investigation progresses, so they should be read as a snapshot rather than a final finding. Nevertheless, the incident forced operational changes inside stores and has triggered broader questions about cyber resilience in modern commerce.
What M&S experienced is not an isolated event. It is part of a broader pattern: even large, well-resourced organisations with mature security programmes remain vulnerable.
At the heart of this problem lies a simple truth: continuous connection is continuous exposure.
This event reminds us why a new cybersecurity principle must now take centre stage:
Disconnect to Protect.
The Landscape of Modern Retail Cyber Risk
Retailers have become digital ecosystems. A single M&S store might be running:
Payment systems communicating with banks in real time.
Loyalty databases connecting to CRM platforms.
Inventory management software linked to warehouses and suppliers.
Online ordering systems integrated with click-and-collect networks.
All of these systems interconnect. They must be online. They must be available. They must be real-time. Or so we are taught.
But the sheer interconnectedness of modern operations has expanded attack surfaces enormously. Where once cybersecurity could be concentrated around a core database or payment processor, today’s protection must defend thousands, if not millions, of digital threads woven into everyday transactions.
Every contactless card reader, every handheld scanner, every Wi-Fi-enabled till is a potential access point.
When attackers scan for vulnerabilities, they no longer need to focus on the corporate headquarters. They can probe the network edge: the tills, readers and scanners, and the links that join them to head office and to suppliers.
The result?
If you are always connected, you are always vulnerable.
What Happened at M&S?
While M&S has not publicly disclosed the technical cause behind the April 2025 incident, its statements give us clues:
In-store operations were affected.
Online services (website, app) remained functional.
There was no reported customer or staff data breach.
The company implemented “temporary changes” to in-store processes to protect customers and the business.
From this, one reasonable interpretation emerges:
The incident appears to have disrupted the internal communications infrastructure between payment systems, online order fulfilment, and perhaps the back-end databases that support logistics and transactions. That is an inference from the public statements, not a confirmed finding.
Was it ransomware?
Was it a targeted attack?
Was it an internal misconfiguration exploited from outside?
We don’t yet know. But we do know this:
Whatever the initial vector, the disruption reached the shop floor because in-store systems were continuously connected to the affected infrastructure.
Had critical segments of that infrastructure been physically isolated by default, the blast radius would have been far smaller.
Always-On Protection Is Not Enough
The cybersecurity industry invests billions in sophisticated “always-on” solutions:
Next-generation firewalls
Endpoint Detection and Response (EDR)
Intrusion Prevention Systems (IPS)
Real-time monitoring powered by AI
These tools are impressive. They detect. They alert. They respond.
But fundamentally, they act on what they can already see.
A firewall or IPS filters traffic that has already reached a boundary; EDR and monitoring recognise behaviour after it has started on a host. All of them depend on knowing what a threat looks like, and all of them leave the protected system reachable while they decide.
When you operate under an assumption that you must always be connected and always visible to the outside world, you create a reality where attackers can always probe, always scan, and always attempt.
Put simply: There is no perfect detection.
There is no perfect firewall.
There is no perfect monitoring system.
And therein lies the greatest myth of modern cybersecurity:
Protection cannot only be built through detection.
Prevention must come from removal of opportunity.
And that means rethinking what connectivity actually needs to be.
Introducing Disconnect to Protect
The philosophy of Disconnect to Protect is beautifully simple:
If it is not connected, it cannot be attacked over the network. (It can still be reached through removable media, a compromised update, or a person with physical access, as the Stuxnet attack on air-gapped centrifuge controllers showed, so isolation narrows the attack surface sharply rather than eliminating it.)
It challenges the idea that critical infrastructure must be online, available, and accessible every second of every day.
Instead, it suggests a more strategic, dynamic approach:
Critical systems should default to a physically disconnected state.
Connectivity should be initiated only when necessary, for the shortest possible time, and should close automatically when that time expires (fail closed).
Disconnection should not rely on software commands, which can be bypassed by whoever controls the host, but on physical, hardware-level actions: remote-controlled if needed, but fundamentally isolating assets from the internet or wider network at the link itself.
Where the switching is remote-controlled, the control channel becomes the most valuable target in the design. It must be out-of-band, authenticated, and unreachable from the networks it isolates, or the "physical" disconnect is only as strong as that channel.
In such a design, even if a threat actor has compromised part of a business’s network, critical segments would remain unreachable.
They would not be visible.
They would not even exist to the attacker.
What Would Disconnecting Look Like for Retailers?
Imagine an alternative architecture inside an M&S store:
Payment terminals that only physically connect to payment gateways during a transaction window.
Click-and-collect databases isolated from public-facing order placement systems, syncing only through controlled, short-lived sessions.
Store security systems segmented away from general internet traffic, remotely disconnected by default unless under active use.
In this world, a malware-laden scanning attempt would find nothing to grab onto.
The network, in a resting state, would be invisible.
Retailers could even apply different tiers of connection:
Critical systems: Default physically disconnected unless required.
Non-critical systems: Standard cybersecurity practices, monitored as usual.
Customer-facing systems: Operate in controlled DMZs (demilitarised zones) without exposure to internal networks.
Such an approach would drastically reduce the number of exploitable entry points.
It would turn every attacker’s map into a sea of blank spaces.
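The tiering and the time-boxed connection windows described above, written out as a small fail-closed controller. This is an added example, not code from the article or from any product it alludes to. The `Relay` class is an assumed stand-in for a hardware isolation switch, the asset names and zone labels are constructed for illustration, and in a real deployment the controller would run on an out-of-band device, never on the host it protects.

```python
# Added example: default-off connectivity windows with a fail-closed watchdog.
from dataclasses import dataclass, field
from enum import Enum
from typing import Callable, Dict, List, Optional, Tuple
import time


class Tier(Enum):
    CRITICAL = "critical"   # default physically disconnected
    STANDARD = "standard"   # always connected, reachable from internal only
    DMZ = "dmz"             # customer-facing, no path inward


class Relay:
    """Assumed hardware link switch; here it only records link state."""
    def __init__(self) -> None:
        self.link_up = False

    def connect(self) -> None:
        self.link_up = True

    def disconnect(self) -> None:
        self.link_up = False


@dataclass
class Window:
    reason: str
    opened_at: float
    expires_at: float


@dataclass
class Asset:
    name: str
    tier: Tier
    relay: Relay = field(default_factory=Relay)
    window: Optional[Window] = None
    audit: List[Tuple[str, str, float]] = field(default_factory=list)


class Controller:
    MAX_WINDOW_S = 60.0  # hard ceiling on any window, whatever is requested

    def __init__(self, clock: Callable[[], float] = time.monotonic) -> None:
        self.clock = clock
        self.assets: Dict[str, Asset] = {}

    def register(self, name: str, tier: Tier) -> Asset:
        asset = Asset(name, tier)
        # Only the critical tier is default-off; the other tiers stay up.
        if tier is Tier.CRITICAL:
            asset.relay.disconnect()
        else:
            asset.relay.connect()
        self.assets[name] = asset
        return asset

    def open_window(self, name: str, reason: str, seconds: float) -> Window:
        """Connect a critical asset for a bounded, justified period."""
        asset = self.assets[name]
        if asset.tier is not Tier.CRITICAL:
            raise ValueError(f"{name}: windows apply only to critical assets")
        if not reason:
            raise ValueError(f"{name}: a window needs an operational reason")
        now = self.clock()
        asset.window = Window(reason, now, now + min(seconds, self.MAX_WINDOW_S))
        asset.relay.connect()
        asset.audit.append(("connect", reason, now))
        return asset.window

    def close_window(self, name: str) -> None:
        asset = self.assets[name]
        asset.relay.disconnect()
        if asset.window is not None:
            asset.audit.append(("disconnect", asset.window.reason, self.clock()))
            asset.window = None

    def tick(self) -> List[str]:
        """Watchdog: close every expired window; returns the names closed."""
        now = self.clock()
        closed = []
        for asset in self.assets.values():
            if asset.window is not None and now >= asset.window.expires_at:
                self.close_window(asset.name)
                closed.append(asset.name)
        return closed

    def reachable(self, name: str, source_zone: str) -> bool:
        """Can traffic from 'public', 'dmz' or 'internal' reach the asset?"""
        asset = self.assets[name]
        if asset.tier is Tier.DMZ:
            return True                   # public-facing by design
        if source_zone != "internal":
            return False                  # nothing outside reaches inward
        if asset.tier is Tier.STANDARD:
            return True
        return asset.relay.link_up        # critical: only inside a window

    def scan(self, source_zone: str) -> List[str]:
        """What a scanner in `source_zone` would see: the attacker's map."""
        return sorted(n for n in self.assets if self.reachable(n, source_zone))


class FakeClock:
    """Deterministic clock so the walkthrough is reproducible."""
    def __init__(self) -> None:
        self.now = 0.0

    def __call__(self) -> float:
        return self.now


def demo() -> dict:
    clock = FakeClock()
    ctl = Controller(clock=clock)
    ctl.register("payment-gateway-link", Tier.CRITICAL)  # constructed names
    ctl.register("loyalty-crm", Tier.STANDARD)
    ctl.register("web-order-front", Tier.DMZ)
    at_rest = ctl.scan("internal")        # compromised internal host, store idle
    window = ctl.open_window("payment-gateway-link", "card authorisation", 30)
    during = ctl.scan("internal")
    clock.now = 30.0
    expired = ctl.tick()                  # watchdog closes the window on time
    return {"at_rest": at_rest, "during": during, "expired": expired,
            "after": ctl.scan("internal"), "from_dmz": ctl.scan("dmz"),
            "window_len": window.expires_at - window.opened_at}


if __name__ == "__main__":
    print(demo())
```

Two design choices carry the argument of the section. The watchdog closes windows on a clock the requester does not control, and the ceiling `MAX_WINDOW_S` applies even to approved requests, so a forgotten or hijacked "keep it open" never becomes a permanent connection. And `scan("internal")` at rest returns only the standard and DMZ assets: the critical link is not "filtered", it simply is not there to be found.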
Lessons from Other Industries
Disconnect to Protect is not a brand-new idea. In some of the world’s highest-risk sectors, it’s already standard:
Military systems: Often operate in “air-gapped” environments where critical computers have no internet access whatsoever.
Nuclear facilities: Use physical isolation between operational technology (OT) and information technology (IT) systems to prevent sabotage.
Critical national infrastructure: Water treatment, electricity grids, and aviation increasingly deploy physical segmentation in their most sensitive systems.
Retail, finance, healthcare — these sectors must now evolve to apply the same mindset.
If a cyberattack on a retailer can impact millions of customers, interrupt supply chains, and damage shareholder trust, then retail IS critical infrastructure.
And it must be protected with the same seriousness.
Business Arguments for Disconnecting
Beyond security, there are compelling commercial reasons to adopt a Disconnect to Protect approach:
Reduced Incident Costs: The average cost of a cyber incident continues to rise year-on-year. Reducing risk exposure reduces potential financial losses.
Operational Continuity: Isolated segments mean a breach in one area does not cripple the entire organisation.
Regulatory Compliance: PCI DSS treats network segmentation as the accepted way to shrink the cardholder data environment that must be assessed, GDPR requires technical measures appropriate to the risk, and upcoming critical infrastructure regulations push in the same direction.
Brand Trust: Consumers are unforgiving when companies lose data or disrupt services. Physical segmentation enhances resilience, and with it brand reputation.
Board Assurance: Senior executives and boards are increasingly being held personally accountable for cybersecurity breaches. Disconnect strategies provide a tangible, defensible action plan.
How Technology Is Enabling Disconnection
A new generation of technology solutions is making true disconnection possible — not by pulling cables manually, but by enabling remote-controlled, physical segmentation.
These solutions:
Operate outside IP (internet protocol) traffic.
Cannot be discovered, pinged, or attacked through traditional network methods, because the isolated link is not on the network at all.
Allow instant switching between connected and disconnected states, based on operational triggers or security policies.
Reduce reliance on human intervention, making dynamic segmentation seamless.
Such technologies provide a bridge: enabling the agility businesses need to function, without abandoning the foundational protection of physical isolation. The usual caveat applies: the device that does the switching has a control interface of its own, and that interface must be kept off the networks it isolates and treated as a crown-jewel asset, or it becomes the new way in.
Looking Beyond M&S: The Broader Implications
The M&S cyber incident is not about one retailer.
It is a mirror held up to every connected business in the world.
If it can happen to M&S, it can happen to you.
Banks, hospitals, governments, manufacturers — all face the same fundamental weakness:
Permanent connection equals permanent risk.
By 2026, analysts predict that more cyberattacks will target operational disruption — not just theft of data.
Attackers will want to cause chaos:
Stopping payments.
Halting orders.
Breaking supply chains.
Creating reputational collapse.
Against such threats, firewalls and monitoring alone will not suffice.
Disconnection is the one control that denies attackers a pathway without first having to recognise the attack.
Conclusion: A New Standard for Cyber Resilience
As leaders reflect on the lessons from M&S’s cyber incident, a new cybersecurity strategy must come into focus:
Not just more monitoring. Not just faster detection. Not just bigger budgets.
True resilience comes from redefining connectivity itself.
Only by adopting Disconnect to Protect strategies — physical segmentation, dynamic isolation, and default-off architecture — can companies truly shield their critical systems from inevitable attacks.
This is not just about preventing disruption.
It is about preserving trust, protecting customers, and sustaining operations in a world where digital threats are no longer rare, but constant.
M&S, like many others, will undoubtedly recover.
But the smartest businesses will not just recover.
They will transform.
They will build infrastructures that attackers cannot even see — let alone breach.
Because when you’re disconnected, you’re not reachable. You’re invisible.
