
Cyber breaches in retail: The 2025 breakdown

published on 2025-10-24 13:00:00 UTC by Millie Marshall Loughran

Ross Brewer, VP & Managing Director, EMEA, Graylog discusses how the retail cyberattacks of 2025 prove that without proactive visibility across identity, access and infrastructure, even the strongest brands remain dangerously exposed.

Cyber breaches

In 2025, cyberattacks have grown more targeted and disruptive – impacting not only data, but customer trust and business continuity.

Some of the most recognisable names in retail have become cautionary tales: Marks & Spencer, Co-op and Louis Vuitton have all experienced high-profile breaches this year, showing how vulnerable even the most sophisticated organisations remain.

The M&S breach over Easter – reportedly involving ransomware, payment system disruption and third-party exploitation – caused major operational downtime and financial loss.

Co-op followed, with 6.5 million customer records exposed.

Most recently, Louis Vuitton – still in the early stages of public disclosure – appears to be facing similar fallout: threats to brand trust and potential data exposure.

These incidents raise a critical question: How can organisations prevent such attacks and reduce the damage when one inevitably slips through the net?

The root of security

The first step to building real resilience against cyberattacks, and to limiting their fallout, is not adding more tools but gaining visibility.

Without full visibility into an organisation’s digital environment, businesses are flying blind and threats or anomalies often go undetected until it is too late and the damage is already done.

Too often, attackers dwell within a network for days or even weeks without being detected, using compromised credentials or exploiting unmonitored endpoints.

This is why centralised log management and threat detection are so essential.

When telemetry, API traffic and user activity are captured and analysed in real time, early indicators of attack – such as privilege escalations, lateral movement or data exfiltration – can be identified before ransomware is deployed or customer data is compromised.

This level of visibility at scale requires more than just collecting logs: it demands a platform that can aggregate and analyse data in real time, support threat detection and SIEM capabilities across complex environments and flex to the organisation’s infrastructure, whether on-premises, in the cloud or hybrid.

Crucially, the right solution should deliver these capabilities without forcing trade-offs in performance or control, and without the high licensing costs that have long plagued traditional enterprise security tools.

Strengthening resilience: Six steps to get right

To build cyber resilience, organisations must move beyond a compliance-focused mindset.

Instead of simply checking boxes or reacting to audits, they need to adopt a visibility-first security posture – one that prioritises proactive monitoring, real-time insights and rapid response capabilities.

Based on the patterns emerging from the recent M&S, Co-op and Louis Vuitton breaches, there are six core areas that should be at the centre of any prevention strategy.

First, identity and access controls remain a foundational defence. Many breaches begin with stolen credentials via third-party vendors or poorly secured user accounts. Enforcing least-privilege access, requiring multi-factor authentication (MFA) and monitoring abnormal behaviour are critical to reducing risk.

Second, organisations must invest in centralised log management for early detection and faster response. Siloed logging makes correlating events or detecting threats early nearly impossible. A unified approach to log aggregation allows security teams to spot anomalies in real time, piece together attack paths and act decisively before damage escalates.

Third, network segmentation and Zero Trust principles can help limit the blast radius of threat actors once they are inside. By segmenting systems and enforcing strict identity-based access controls at every layer, organisations can prevent lateral movement and minimise breach impact. Zero Trust – “never trust, always verify” – should be more than a tagline; it should guide architecture and operations.

Fourth, API and application monitoring is vital, particularly in digital-first retail. APIs are a growing attack vector but are often loosely secured and poorly monitored. Detecting anomalous API activity, such as unexpected data access patterns or unapproved calls, can reveal early threats that traditional defences might miss. This demands more than firewall rules: it requires real-time behavioural analysis and deep visibility into traffic.

Fifth, patch and vulnerability management is one of the simplest, yet most neglected, cyber hygiene practices. Known vulnerabilities remain common entry points long after fixes are available. Organisations should automate vulnerability scanning where possible and prioritise remediation based on risk and exploitability – not just patch release dates – to reduce exposure.

Finally, security culture and human resilience must be nurtured continuously. People are critical to defence but can also be the weakest link. Phishing, social engineering and insider threats all rely on exploiting human error. Regular, scenario-based training that is embedded into the culture of the organisation, rather than treated as a once-a-year formality, helps spread security awareness across the organisation – not just in IT.

These six pillars – identity, visibility, containment, application monitoring, patching and culture – are no longer optional or merely “IT issues”, but core components of business continuity. Recent breaches show that cybersecurity failures impact customer experience, brand reputation and operational uptime. As the M&S and Co-op breaches demonstrate, cybersecurity affects continuity, reputation and customer trust, and it must be treated as a board-level concern, not just a technical one.
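The visibility pillars above (centralised log correlation and API monitoring) are abstract until you see what “piecing together an attack path” looks like in code. The following is an added example, not code from the article or from Graylog: it correlates constructed JSON log lines from three hypothetical sources (an identity provider, endpoint agents and an API gateway) by principal and flags the early indicators the article names – credential use from an unknown network, privilege escalation, lateral movement and bulk data access – in time order. The log schema, field names, known-network baseline and thresholds are all assumptions to be replaced with your own.

```python
"""Correlate constructed auth, endpoint and API-gateway logs into per-user attack paths.

Added example. The log format, field names, baseline networks and thresholds
are assumptions for illustration, not any vendor's schema.
"""
from __future__ import annotations

import json
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Assumed baseline: source networks the retailer treats as normal for staff logins.
KNOWN_NETWORKS = [ip_network("10.0.0.0/8"), ip_network("203.0.113.0/24")]

# Assumed thresholds; tune against real baselines before deploying as detections.
WINDOW = timedelta(minutes=30)
LATERAL_HOST_THRESHOLD = 3    # distinct hosts one principal logs onto within WINDOW
BULK_RECORD_THRESHOLD = 5000  # customer records returned to one principal within WINDOW

# Constructed sample log lines (newline-delimited JSON) from three sources: idp, endpoint, api.
SAMPLE_LOGS = """\
{"ts":"2025-04-18T02:01:10Z","src":"idp","user":"vendor.svc","event":"login","ip":"198.51.100.7","host":"vpn-gw1"}
{"ts":"2025-04-18T02:03:42Z","src":"idp","user":"a.smith","event":"login","ip":"10.20.1.15","host":"vpn-gw1"}
{"ts":"2025-04-18T02:05:00Z","src":"endpoint","user":"vendor.svc","event":"group_add","host":"fs-01","detail":"Domain Admins"}
{"ts":"2025-04-18T02:07:30Z","src":"endpoint","user":"vendor.svc","event":"logon","host":"fs-01"}
{"ts":"2025-04-18T02:09:12Z","src":"endpoint","user":"vendor.svc","event":"logon","host":"db-02"}
{"ts":"2025-04-18T02:11:48Z","src":"endpoint","user":"vendor.svc","event":"logon","host":"pos-api-01"}
{"ts":"2025-04-18T02:15:05Z","src":"api","user":"vendor.svc","event":"GET /v1/customers","records":4000,"ip":"10.30.5.9"}
{"ts":"2025-04-18T02:16:20Z","src":"api","user":"vendor.svc","event":"GET /v1/customers","records":3500,"ip":"10.30.5.9"}
{"ts":"2025-04-18T02:18:00Z","src":"api","user":"a.smith","event":"GET /v1/orders/123","records":1,"ip":"10.20.1.15"}
"""


def parse(lines: str) -> list[dict]:
    """Parse NDJSON lines into event dicts with a real datetime, sorted by time."""
    events = []
    for line in lines.splitlines():
        if line.strip():
            e = json.loads(line)
            e["ts"] = datetime.fromisoformat(e["ts"].replace("Z", "+00:00"))
            events.append(e)
    return sorted(events, key=lambda e: e["ts"])


def is_known_ip(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in KNOWN_NETWORKS)


def correlate(lines: str) -> dict[str, list[tuple[str, str]]]:
    """Return, per principal, an ordered list of (stage, evidence) detections.

    A principal is reported only when at least two stages fire, which keeps
    single noisy events (one odd login) from producing an 'attack path'.
    """
    by_user: dict[str, list[dict]] = defaultdict(list)
    for e in parse(lines):
        by_user[e["user"]].append(e)

    paths: dict[str, list[tuple[str, str]]] = {}
    for user, evs in by_user.items():
        stages: list[tuple[datetime, str, str]] = []

        # Point-in-time indicators from identity and endpoint telemetry.
        for e in evs:
            if e["src"] == "idp" and e["event"] == "login" and not is_known_ip(e["ip"]):
                stages.append((e["ts"], "credential_use_from_unknown_network", e["ip"]))
            elif e["src"] == "endpoint" and e["event"] == "group_add":
                stages.append((e["ts"], "privilege_escalation", f'{e["host"]}:{e["detail"]}'))

        # Lateral movement: sliding window over endpoint logons, counting distinct hosts.
        logons = [e for e in evs if e["src"] == "endpoint" and e["event"] == "logon"]
        for i, first in enumerate(logons):
            window = [x for x in logons[i:] if x["ts"] - first["ts"] <= WINDOW]
            hosts = {x["host"] for x in window}
            if len(hosts) >= LATERAL_HOST_THRESHOLD:
                stages.append((window[-1]["ts"], "lateral_movement", ",".join(sorted(hosts))))
                break

        # Bulk data access: sliding window over API calls, summing records returned.
        api = [e for e in evs if e["src"] == "api"]
        for i, first in enumerate(api):
            window = [x for x in api[i:] if x["ts"] - first["ts"] <= WINDOW]
            total = sum(x.get("records", 0) for x in window)
            if total >= BULK_RECORD_THRESHOLD:
                stages.append((window[-1]["ts"], "bulk_data_access", f"{total} records"))
                break

        if len(stages) >= 2:
            stages.sort(key=lambda s: s[0])
            paths[user] = [(stage, evidence) for _, stage, evidence in stages]
    return paths


if __name__ == "__main__":
    for user, path in correlate(SAMPLE_LOGS).items():
        print(f"attack path for {user}:")
        for stage, evidence in path:
            print(f"  {stage:40s} {evidence}")
```

Run as-is it reports a single path for `vendor.svc` (unknown-network login, then group add to Domain Admins, then logons to three hosts, then 7,500 customer records pulled via the API) and nothing for `a.smith`, whose activity is within baseline. The point the article makes is visible here: each of the four signals comes from a different log source, so with siloed logging none of them looks alarming on its own; only the principal-keyed, time-ordered correlation turns them into a timeline you can act on before exfiltration completes.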

Responding to attacks with speed, clarity and control

Even with the best defences, breaches can happen. What matters most then is how quickly and effectively an organisation responds.

Once again, visibility plays a central role.

Without immediate access to logs and telemetry data, security teams may waste valuable hours manually tracing events, looking for indicators of compromise across disconnected systems and trying to piece together a coherent attack timeline.

This delays containment, remediation and communication.

Organisations that consolidate their telemetry and security data into a single, unified platform are better equipped to accelerate triage and respond under pressure.

Security analysts can quickly contain affected systems, isolate the threat and understand the attack path.

This reduces both the technical impact, such as data loss or operational downtime, and the reputational fallout caused by prolonged incidents.

At the same time, businesses must ensure they have a well-defined incident response plan that is regularly updated and tested through realistic simulations and tabletop exercises.

Backups must be immutable, stored off-site, routinely verified for integrity and easily restorable.

Communication protocols should be clearly defined – for internal teams, executive leadership, regulators and the public.

Equally important is the post-incident review process.

Once the dust settles, organisations must conduct a thorough root cause analysis and take steps to harden their systems and processes.

This includes updating access controls, refining detection rules and sharing lessons across teams – or even, where appropriate, across the broader industry.

One of the most underappreciated aspects of cyber resilience is communication.

When breaches occur, silence – or vague public statements – tends to erode trust.

Organisations that are transparent, timely and specific in their messaging tend to retain customer confidence far better than those that delay or deflect.

This is especially important in sectors like retail, where brand loyalty is fragile and highly responsive to perceived security failings.

From crisis to confidence

The recent cyber incidents at M&S, Co-op and Louis Vuitton prove that no organisation is exempt from cyber risk, and they showcase the value of preparedness, visibility and control.

Security should be scalable, cost-effective, and uncompromising.

At Graylog, we reject the notion that security must come with excessive costs or rigid licensing.

Instead, we give teams the freedom to architect their defences according to their needs.

In a world where the next breach is a matter of “when” rather than “if,” organisations must adopt a new model of resilience – one built on early detection, fast investigation and response, and continuous learning for all.

It’s not about perfection; it is about always knowing what’s happening across your digital infrastructure, being ready and acting without delay.

This article was originally published in the October edition of Security Journal UK.

https://securityjournaluk.com/cyber-breaches-in-retail-the-2025-breakdown/   
Published: 2025 10 24 13:00:00
Received: 2025 10 25 00:08:17
Feed: Security Journal UK
Source: Security Journal UK