Emma O'ConnorWhy Cyber Hygiene Trumps Advanced Security Stacks

The Spring 2025 attacks on major UK retailers delivered a sobering reality check: sophisticated security tools mean nothing if your fundamental cyber hygiene is lacking. When Scattered Spider successfully infiltrated household names like Co-op, Harrods, and M&S, they didn't use zero-day exploits or nation-state-level techniques. Instead, they exploited the most basic security gaps that exist in nearly every organisation.

At our recent Infosecurity London session, we unpacked these devastating attacks alongside River Island's Chief Security Officer, Sunil Patel, to understand exactly how this cybercriminal group operates, and more importantly, how organisations can defend against them.

The Scattered Spider Phenomenon: Simple Tactics, Devastating Results

Scattered Spider isn't just another ransomware group. Their track record speaks volumes: a $15 million ransom from Caesars Entertainment, 10 days of operational chaos at MGM casinos, and suspected involvement in the massive Snowflake breach. Now, they've set their sights on UK retail.

What makes these attacks particularly alarming isn't their technical sophistication—it's their simplicity and speed. Most Scattered Spider attacks have a dwell time of under two weeks, with some infiltrations taking just days to execute:

MGM: 10 days from initial breach to impact

Caesars: 15 days to successful ransom

M&S: 2 months of undetected access

Coinbase: 4 months (an outlier involving direct team member bribery)

The common thread? In most cases, they simply contacted the service desk and convinced staff to change admin passwords. No advanced persistent threats, no sophisticated malware, just good old-fashioned social engineering targeting the weakest link in the security chain.

Why This "Blunt Approach" Works So Well

The success of Scattered Spider's seemingly unsophisticated tactics reveals fundamental flaws in how many organisations approach cybersecurity. Despite investing millions in advanced security tools, most companies fail at the basics:

Identity and Access Management Gaps: Organisations often lack robust verification processes for password resets and administrative changes, making service desk staff easy targets for manipulation.

Process Vulnerabilities: Even with technology controls in place, procedural breakdowns create exploitable opportunities. If your service desk can be socially engineered into bypassing security protocols, your entire security stack becomes irrelevant.

Visibility Blind Spots: Many organisations don't maintain accurate inventories of their digital assets, creating "unknown unknowns" that attackers can exploit undetected.

The River Island Response: Cyber Hygiene as Defence Strategy

Following the Scattered Spider revelations, forward-thinking organisations like River Island have refocused their security strategies on fundamental cyber hygiene practices. This approach recognises that while advanced threats capture headlines, basic security failures cause the most damage.

Key areas of focus include:

Asset Inventory and Visibility: Maintaining a highly accurate, real-time inventory of all digital assets. This isn't just about compliance—it's about understanding your attack surface and identifying potential entry points before criminals do.

Process Hardening: Implementing a user verification processes that can't be bypassed through clever conversation or emotional manipulation, making it resistant to social engineering.

Cultural Transformation: Building a security-conscious culture where every team member understands their role in maintaining organisational security, without creating paralysing fear or overwhelming staff with complex procedures.

Continuous Monitoring: Shifting breach detection methods to focus on behavioural anomalies and process deviations rather than just technical signatures.

Five Critical Defences Against Scattered Spider

Based on real-world experience defending against these attacks, here are the most effective countermeasures:

1. Implement Tamper-Proof Identity Verification: Deploy verification processes that can't be socially engineered, requiring multiple independent validation steps for any administrative changes.

2. Maintain Comprehensive Asset Visibility: Know every device, application, and access point in your environment. You can't protect what you don't know exists.

3. Harden Service Desk Procedures: Train support staff to recognise social engineering attempts and implement mandatory verification steps that can't be bypassed under pressure.

4. Monitor Behavioural Patterns: Focus detection efforts on unusual administrative activities and access pattern changes rather than just malware signatures.

5. Foster Security Culture: Create an environment where security awareness is embedded in daily operations without creating paralysing fear or process friction.

The Bigger Picture: A Wake-Up Call for All Industries

While retail bears the brunt of current Scattered Spider attacks, no industry should consider itself immune. The techniques used against Co-op, Harrods, and M&S will inevitably spread to other sectors as criminals refine their approaches and seek new revenue sources.

The fundamental lesson isn't sector-specific: organisations that prioritise cyber hygiene will be far better positioned to defend against both current and future threats. This means focusing on the unglamorous but critical work of maintaining accurate inventories, hardening basic processes, and ensuring that human elements of security receive as much attention as technical controls.

Moving Forward: Process Over Tools

The Scattered Spider attacks represent an evolution in ransomware strategy, but not necessarily in technical sophistication. Instead, they highlight how criminal groups are increasingly exploiting the gap between advanced security tools and basic operational security practices.

Organisations serious about defence must recognise that technology alone cannot solve security challenges. The most advanced endpoint detection system in the world becomes useless if an attacker can simply call your help desk and convince them to reset admin credentials.

Success requires treating cybersecurity as an integrated discipline encompassing technology, process, and people, with particular attention to the fundamental hygiene practices that form the foundation of any effective security program. Contact us today to schedule a comprehensive security assessment and discover how proper cyber hygiene can protect your organisation against both current and emerging threats.