Marks & Spencer Hackers Tricked IT Workers Into Resetting Passwords

More information on the cyberattacks against Marks & Spencer (M&S) and Co-op has emerged, revealing that the hackers used social engineering to trick IT workers into resetting passwords, which gave them access to the organizations’ systems.
Ms. Aditi Gupta, Senior Manager, Professional Services Consulting at Black Duck, comments, “Social engineering skills and the use of AI to impersonate employees are common tactics utilized by many threat actors that are becoming increasingly familiar. One security strategy to combat this is for organizations to create a threat model for their enterprise. It is important to identify the surface area and exposure of the organization to threat actors. This can apply to applications, the network and, most importantly, customer-facing employees such as the helpdesk. Securing the perimeter of an organization needs to include a tailored strategy for each entry point.”
This pattern of successful social engineering attacks shows that organizations must harden their defenses against this type of threat, not just their technical perimeter.
To protect against these techniques, Mr. Piyush Pandey, CEO at Pathlock, recommends, “This incident shows that organizations must not only authenticate users but also continuously validate their risk posture and behavior throughout their digital journey. In such cases, even if attackers gain unauthorized access to the corporate network through sophisticated social engineering techniques, their malicious activity can be detected and stopped early. Combining behavioral analytics with centralized access governance ensures that only the right people, not just the 'right credentials,' can access critical systems.”
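One concrete form of the continuous validation Pandey describes is to correlate help-desk password resets with the sign-ins that follow them: a reset is routine, but a reset followed within minutes by a login from a device and location the account has never used before is the pattern a social-engineered reset produces. The script below is an added example and is not code from M&S, Co-op, Black Duck or Pathlock; the event fields (`kind`, `actor`, `device`, `location`) are an assumed log schema, and the events are constructed for the illustration.

```python
"""Flag help-desk password resets followed by sign-ins from unfamiliar devices.

Added example with an assumed event schema; the sample events below are
constructed and do not come from any real identity-provider log.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Event:
    ts: datetime
    kind: str       # "reset": help desk reset the user's password; "login": user signed in
    user: str       # account that was reset or that signed in
    actor: str      # help-desk account that performed the reset, or the user for logins
    device: str     # device identifier as reported by the identity provider
    location: str   # coarse network or geographic label


def _t(s: str) -> datetime:
    return datetime.fromisoformat(s)


# Constructed sample events (not real data). alice: reset, then a login from a
# never-before-seen device and network. carol: reset, then her usual device.
# dave: reset with no login inside the window.
SAMPLE_EVENTS = [
    Event(_t("2025-04-20T09:00"), "login", "alice", "alice", "lt-0142", "london-office"),
    Event(_t("2025-04-21T09:05"), "login", "alice", "alice", "lt-0142", "london-office"),
    Event(_t("2025-04-22T10:00"), "reset", "alice", "helpdesk-07", "hd-console", "helpdesk"),
    Event(_t("2025-04-22T10:20"), "login", "alice", "alice", "unknown-9f3a", "residential-isp"),
    Event(_t("2025-04-21T08:50"), "login", "carol", "carol", "lt-0233", "manchester-office"),
    Event(_t("2025-04-22T11:00"), "reset", "carol", "helpdesk-07", "hd-console", "helpdesk"),
    Event(_t("2025-04-22T11:10"), "login", "carol", "carol", "lt-0233", "manchester-office"),
    Event(_t("2025-04-22T12:00"), "reset", "dave", "helpdesk-02", "hd-console", "helpdesk"),
]


def known_pairs(events, user: str, before: datetime) -> set:
    """(device, location) pairs the user signed in from before the given time.

    This is the behavioural baseline. An account with no prior logins (a new
    hire, or a log gap) yields an empty baseline, so every post-reset login is
    flagged; tune the lookback or suppress such accounts in a real deployment.
    """
    return {
        (e.device, e.location)
        for e in events
        if e.kind == "login" and e.user == user and e.ts < before
    }


def find_suspicious_resets(events, window: timedelta = timedelta(hours=2)) -> list:
    """Return one alert per post-reset login from an unfamiliar device/location.

    Each alert is (user, help-desk actor, login time, device, location) so an
    analyst can see both who performed the reset and where the new session came from.
    """
    events = sorted(events, key=lambda e: e.ts)
    alerts = []
    for reset in (e for e in events if e.kind == "reset"):
        baseline = known_pairs(events, reset.user, reset.ts)
        for login in events:
            if login.kind != "login" or login.user != reset.user:
                continue
            if not (reset.ts <= login.ts <= reset.ts + window):
                continue
            if (login.device, login.location) not in baseline:
                alerts.append((reset.user, reset.actor, login.ts, login.device, login.location))
    return alerts


def resets_per_actor(events) -> dict:
    """Count resets by help-desk account; a spike for one agent is worth a look."""
    counts: dict = {}
    for e in events:
        if e.kind == "reset":
            counts[e.actor] = counts.get(e.actor, 0) + 1
    return counts


if __name__ == "__main__":
    for alert in find_suspicious_resets(SAMPLE_EVENTS):
        print("ALERT post-reset login from unfamiliar device:", alert)
    print("resets per help-desk actor:", resets_per_actor(SAMPLE_EVENTS))
```

On the constructed data only alice's reset is flagged: carol's post-reset login matches her baseline and dave never logs in inside the window. The check deliberately keys on the device-and-location pair rather than either alone, because a legitimate user on a new laptop in the usual office, or the usual laptop on a new network, is far more common than both changing at once right after a reset.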