Gain critical insights into modern slavery and human rights challenges in global supply chains, and discover strategies to strengthen compliance and mitigate risks for 2025 and beyond. 

“If your vendor is vulnerable, so are you”: S-RM and Ethixbase360 outline five critical steps to secure third-party cyber risk

  • M&S disclose hackers gained entry via a third-party, amid series of attacks on major UK retailers


London, 22 May 2025 – Following a wave of high-profile cyber-attacks on major UK retailers including M&S, Co-op and Harrods, global cyber security consultancy S-RM and third-party risk management platform Ethixbase360 are urging companies to tighten supply chain security to avoid becoming the next headline.

This week, M&S confirmed that hackers gained access to its systems via a compromised third-party supplier, once again underlining the urgent need for stronger cyber due diligence across retail supply chains.

In response, S-RM and Ethixbase360 are highlighting five key steps organisations should take to strengthen their cyber defences against third-party risk:

1. Identify critical vendors

Begin by understanding the organisation’s third-party exposure and the impact this can have on the business. It is particularly important to identify and inventory third-party suppliers that have access to sensitive data, have access into your internal environment, provide critical software, and could significantly affect business continuity if disrupted.

2. Implement continuous monitoring

Move beyond point-in-time assessments. Use automated tools and threat intelligence to continuously monitor vendor security postures and flag emerging risks.

3. Integrate vendors into continuity plans

Validate business continuity and disaster recovery plans adopted by the suppliers and align your own incident response and business continuity plans with them. Establish redundancies and workarounds to avoid single points of failure. Exercise disruptive scenarios with critical suppliers to improve joint recovery processes, exercise communication plans during critical events, and build muscle memory around critical decision-making.

4. Mandate security controls contractually

Include clear security obligations in supplier contracts. These should cover access controls, encryption standards, breach notification protocols and right-to-audit clauses. Include compliance with these contractual security obligations in the security posture assessment of critical third parties.

5. Secure your own perimeter

Strengthen your internal defences to mitigate damage if a third party is compromised. Prioritise measures around:

  • Employee training and social engineering awareness, including implementing additional security verification procedures to prevent impersonation of employees and third parties with access to the environment
  • Heightened security protocols for account reset or credential reminder requests
  • Enhanced monitoring of third-party user activity
  • Continuous identification and monitoring of the external attack surface, including new internet-facing assets and vulnerable remote access methods
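As an added illustration of steps 1 and 5 (it is not code from S-RM or Ethixbase360), the script below combines a small vendor inventory with a check over third-party account activity: it flags a vendor account reaching a system outside its contracted scope, and a login from a different source address shortly after a password reset. The inventory, log format, account names and the 30-minute window are all constructed assumptions.

```python
"""Flag risky third-party account activity against a vendor inventory.

Added example; the vendor inventory, log lines and thresholds are constructed.
"""
from datetime import datetime, timedelta

# Step 1: constructed vendor inventory. Each third-party account maps to its
# supplier and the systems that supplier is contractually allowed to reach.
VENDOR_ACCOUNTS = {
    "svc-acme-helpdesk": {"vendor": "Acme IT Support", "allowed_systems": {"ticketing"}},
    "svc-logix-edi": {"vendor": "Logix Freight", "allowed_systems": {"edi-gateway"}},
}

# Constructed log lines: "<ISO timestamp> <user> <event> <system> <source ip>"
SAMPLE_LOG = """\
2025-05-20T09:01:10 svc-acme-helpdesk login ticketing 203.0.113.10
2025-05-20T09:05:42 svc-acme-helpdesk password_reset ticketing 203.0.113.10
2025-05-20T09:07:05 svc-acme-helpdesk login hr-db 198.51.100.7
2025-05-20T22:15:00 svc-logix-edi login edi-gateway 192.0.2.44
2025-05-20T10:30:00 jsmith login hr-db 10.0.0.5
"""


def parse_log(text):
    """Turn the constructed log format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        ts, user, event, system, ip = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "event": event, "system": system, "ip": ip})
    return events


def find_vendor_alerts(events, reset_window=timedelta(minutes=30)):
    """Return (user, reason) tuples for third-party accounts that
    (a) touch a system outside their contracted scope, or
    (b) log in from a different source IP shortly after a password reset."""
    alerts = []
    last_reset = {}  # user -> (reset time, ip that requested the reset)
    for e in sorted(events, key=lambda x: x["ts"]):
        info = VENDOR_ACCOUNTS.get(e["user"])
        if info is None:
            continue  # internal users are covered by other controls
        if e["event"] == "password_reset":
            last_reset[e["user"]] = (e["ts"], e["ip"])
            continue
        if e["system"] not in info["allowed_systems"]:
            alerts.append((e["user"], f"out-of-scope access to {e['system']}"))
        reset = last_reset.get(e["user"])
        if reset and e["ts"] - reset[0] <= reset_window and e["ip"] != reset[1]:
            alerts.append((e["user"], f"login from new ip {e['ip']} soon after reset"))
    return alerts
```

Running `find_vendor_alerts(parse_log(SAMPLE_LOG))` on the constructed log yields two alerts, both for the Acme helpdesk account.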

Katherine Kearns, Head of Proactive Cyber Services, EMEA, at S-RM, commented:
“Retailers are in the crosshairs, and their suppliers are now a major point of entry. You can’t outsource risk – if your vendor is vulnerable, so are you. We, together with Ethixbase 360, are helping organisations build meaningful supply chain resilience, combining technical expertise with active monitoring and response capabilities.”
Peter Sweetbaum, CEO of Ethixbase360, added:
“Retailers need a clear view of who they’re connected to and what risk those connections pose. Together with S-RM, we’re offering a practical, end-to-end cyber due diligence solution that empowers organisations to assess, monitor, and respond to threats across their supply chains before damage is done.”

To support this mission, S-RM and Ethixbase360 have launched a new cyber third-party risk management solution, combining automation and human insight to deliver continuous vendor assessments, active response, and remediation capabilities. This forms part of Ethixbase360’s wider suite of third-party risk management tools and reflects both parties’ commitment to improving cyber resilience and third-party risk management throughout a business’s value chain.

About S-RM

S-RM is a global intelligence and cyber security consultancy with expertise in cyber incident response and proactive cyber security risk management. Headquartered in London, S-RM works across nine international offices and advises companies across all sectors ranging from insurers and blue-chip corporates to large financial institutions, and beyond.

To find out more about S-RM, visit www.s-rminform.com



About Ethixbase360

Ethixbase360 helps organizations achieve value chain transparency through its market-leading third-party risk management platform, assisting companies to identify, manage, mitigate, and report on risk and resilience throughout their entire value chain. With a dedicated focus on anti-corruption, modern slavery, human rights, and sustainability, Ethixbase360’s solutions provide actionable insights to drive a risk-based and configurable approach to third-party risk management at scale.

Learn more at www.ethixbase360.com.



For further information, please contact

Adam Kellett
Rostrum
[email protected]
+44 (0) 7794471637
