Dr Patricia Esteve-Gonzalez, an Oxford Martin Fellow at the Global Cyber Security Capacity Centre (GCSCC), and Luna Rohland from the World Economic Forum Centre for Cybersecurity, outline how organisations can take a strategic approach to minimising the impacts of cyber-attacks.

Since the Easter Weekend, Marks & Spencer (M&S), one the United Kingdom’s biggest high street retailers, has been managing the fallout of a cyber-attack on its business operations. This has forced the company to suspend online orders, led to shortages on shelves, increased working demands on staff, and wiped £750m off the share value.

Even three weeks later, there is still no indication of when these disruptions will end and when M&S will be able to return to business as usual. This uncertainty threatens to not only continue to impact profits, but to inflict long-lasting reputational damage and undermine brand confidence.

The ongoing saga highlights the strategic importance of not only protecting key business operations from cyber threats but also minimising the impacts of significant cyber incidents when they do occur. This dual approach is known as cyber resilience, and is the subject of new research between the Global Cyber Security Capacity Centre (GCSCC) and the World Economic Forum Centre for Cybersecurity.

What is cyber resilience?

Cyber resilience is a broad organisational approach to security that goes beyond traditional cybersecurity by acknowledging that no organisation is capable of being 100% secure anymore. It encourages organisations to assume that significant incidents, like the M&S attack, will occur, and to implement measures (both pre-, during and post-incident) that enable them to absorb, recover, and learn from events.

The approach challenges entities to consider the many ways in which they are vulnerable and how they can limit the potential impacts. This might involve ensuring that business-as-usual operations can continue when system outages occur or limiting the harm that could arise from a compromise to the confidentiality of data, such as minimising the impact on reputation.

Leading organisations are moving towards cyber resilience as a strategic priority to limit the impact of cyber incidents in the face of growing challenges. According to the 2025 World Economic Forum’s Global Cybersecurity Outlook Report, 72% of organisations saw an increase in cybersecurity risks to their operations between 2024 and 2025. This trend is exacerbated by AI-enhanced attacks that are more sophisticated and scalable, increased geopolitical tensions, and an unpredictable supply chain risk landscape, in addition to other factors.

In a visual sense, cyber resilient organisations are those that know how to shrink the circle of impact:

How can cyber resilience be achieved?

Achieving cyber resilience is a complex and ongoing process that requires more than just a single action or tool. Resilience cannot be standardised and the specific actions each organisation takes to strengthen its cyber resilience will vary depending on its context.

However, lessons can be drawn from organisations’ front-line experiences and practical learnings. This latest research between GCSCC and the World Economic Forum outlines those practices used by global cyber leaders for improving the cyber resilience of their organisations. The Cyber Resilience Compass aims to share these practices with other organisations and categorises them into seven interrelated areas for establishing and enhancing resilience:

• Leadership: setting goals, making decisions and providing direction in relation to cybersecurity.

• Governance, Risk and Compliance: concerns mechanisms for managing risk and meeting compliance requirements.

• People and Culture: strategies and practices for building and retaining a workforce.

• Business Processes: approaches to prioritising, designing, implementing and adapting functions.

• Technical Systems: approaches to designing, deploying, and maintaining Information Technology, Operation Technology, cloud and cybersecurity tools and controls.

• Crisis Management: components used to respond to and recover from incidents and other crises that affect its resilience.

• Ecosystem Management: an organization’s approach to its wider ecosystem, including its supply chain, customers, competitors, and regulators.

Stakeholders ought to consider these suggested cross-cutting areas to comprehensively adopt a cyber resilience approach within their organisation. Informed by insights collected by leading cyber experts across geographies and industries, each category defines what resilience means in that particular area and lists examples of specific practices organisations have applied to advance their resilience. These practices are further supported by illustrative real-world case studies provided by experts.

Cyber resilience should not be seen as an ideal, but as an organisational imperative. Businesses must assume that they will be the next victim of a significant cyber incident, and leaders should act to prepare for, absorb, respond to, and learn from incidents accordingly.

Ultimately, the aim for the Cyber Resilience Compass is not to only provide static insights but to become a vehicle for the exchange of front-line experiences – a dynamic tool that serves as a reference for cyber leaders to enhance their cyber resilience strategies.

Heeding the lessons from the high street

While we do not yet know all the facts of the recent M&S cyber-attacks, they have provided yet another example of the costs of a business-as-usual approach to cybersecurity. Thankfully, through resources such as the Cyber Resilience Compass, organisations are also equipped with practical examples of how to adapt their approach in a complex and evolving environment.

In today’s digitally-dependent world, cyber resilience should not be seen as an ideal, but as an organisational imperative. Businesses must assume that they will be the next victim of a significant cyber incident, and leaders should act to prepare for, absorb, respond to, and learn from incidents accordingly. If they do not, then it is only a matter of when they will be the next cautionary headline, not if.

This is a republished version of the article; the original article is linked here.