The M&S cyber attack and brand impersonation

The M&S £131m headline and the brand-impersonation misread

James Bending, 01/06/2026

When the M&S headline lands on £131m, most leadership teams are reading the wrong story. M&S was not the target of the attack. The people around M&S were. The customers placing orders, the staff resetting passwords, the helpdesk agent on shift at 3am, the finance team paying invoices. M&S got the bill. If your reading of last week's headline stops at "M&S got attacked", the version your board hears next quarter will be the same shape, with your name in it.

The numbers, for the record. Year-end results for the period to 28 March 2026: £131.3m direct cyber cost, £324m in lost sales (up from M&S's initial £300m profit-impact estimate), £100m recovered through insurance, profits before tax down 23.8% to £671.4m. The UK Cyber Monitoring Centre, an arm's-length body set up by the insurance industry to assess UK cyber events, has classified the combined M&S and Co-op attacks as a "Category 2" event on its hurricane scale, with total cost projected between £270m and £440m (Computer Weekly, May 2026). The Cyber Security Breaches Survey 2025/2026, published by DSIT earlier this month, found 43% of UK businesses suffered a breach in the past 12 months, with phishing the dominant vector.

Those are the figures. The misread is in how the figures are being framed.

What "the brand got attacked" hides

The hurricane framing is useful for scale, but it leaves the wrong impression. A hurricane lands on the place it hits. The brand-impersonation playbook does not land on the brand. It lands on everyone the brand has trust with.

The mental model most leadership teams carry sounds like this: "We will be attacked one day. We have a perimeter for that. Email security, MFA, EDR, a SOC, a SIEM." That is the right defence for the wrong threat surface. Perimeter controls defend the inbox, the endpoint, the identity store. They do not defend the customer entering credentials on a typosquatted version of your login page that went live four hours ago. They do not defend the supplier sending an invoice from a domain one character off from your AP team's recognised vendor list. They do not defend the helpdesk agent processing a password reset from someone reading the right name back to them off a cloned employee portal.

In a 2026 brand-impersonation event, the cost lands on the brand, but the harm lands somewhere else. Customers get phished using your branding and your colour palette. Employees get socially engineered through a portal that looks like your IT login. The finance team pays a fake supplier invoice from a domain registered the week before. The helpdesk gets impersonated, and access tokens get handed out to the wrong caller. Four different surfaces, four different teams to defend, four different defensive stacks that do not talk to each other. One brand on all four forged assets. Yours.

The wrong edge

The board question that follows an M&S-shaped headline is usually: "Are our defences strong enough?" It is the wrong question, because the defences in scope are nearly always perimeter defences. The real question is: "On which surface does the attacker actually have to operate to hurt us, and is anything we run today defending that surface?"

The answer for most mid-market UK businesses in 2026 is: no, not really. The surface is the domain layer. The attacker registers a lookalike domain or buys a typosquatted variant of a supplier's. They generate an SSL certificate from a free issuer in minutes. They clone the login page or the invoice template with a generative model in under an hour. They send the email or run the paid ad, and the cost starts accruing on a team the original brand has no contractual visibility into. Your firewall is not in that loop. Your email security is not in that loop. Your MFA stops one half of one of those four attack paths.

If your impersonation-defence strategy assumes the attack hits your perimeter first, you are defending the wrong edge.

Where the defence has to start

The defence has to start where the attacker starts. Not at the inbox, not at the endpoint, not at the helpdesk, but at the moment of impersonation setup, before any of those four surfaces sees the attack.

That means watching the domain layer continuously. New registrations of lookalike and typosquatted domains, flagged as they appear. SSL certificates issued for variants of your brand or your suppliers' brands, surfaced in real time through certificate transparency logs. Cloned versions of your site detected the moment they load, wherever they appear on the web, through embedded markers and content fingerprinting that catch a stolen page even when it has not been crawled by a search engine yet. And when something is confirmed as attacker infrastructure, takedown end to end, automated, with re-detection if it comes back.
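As an added illustration of the domain-layer checks described above (this is not DefendDomain's code or platform logic), the sketch below classifies names seen in certificate-transparency logs against a protected brand. The brand `example.com`, the log entries, the confusable table and the public-suffix list are all constructed placeholders.

```python
from typing import Optional
# Small illustrative table of visually confusable substitutions (assumption: real lists are far longer).
CONFUSABLES = {"0": "o", "1": "l", "3": "e", "5": "s", "vv": "w", "rn": "m"}
# Assumption: a tiny public-suffix list, longest suffixes first, so "x.co.uk" yields the label "x".
SUFFIXES = ("co.uk", "org.uk", "com", "net", "org", "uk", "io")

def normalise(label: str) -> str:
    """Collapse confusables so 'examp1e' and 'exarnple' both compare equal to 'example'."""
    for bad, good in CONFUSABLES.items():
        label = label.replace(bad, good)
    return label

def edit_distance(a: str, b: str) -> int:
    """Optimal-string-alignment distance: one typo, including a swap of adjacent letters, costs 1."""
    d = [[i if j == 0 else j for j in range(len(b) + 1)] for i in range(len(a) + 1)]
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]

def registrable_label(host: str) -> str:
    """The label the registrant chose, e.g. 'example' for 'shop.example.co.uk'."""
    for suffix in SUFFIXES:
        if host.endswith("." + suffix):
            return host[: -len(suffix) - 1].split(".")[-1]
    return host.split(".")[-2] if "." in host else host

def classify(brand: str, ct_name: str) -> Optional[str]:
    """Why a certificate-transparency name looks like the brand, or None if it does not."""
    host = ct_name.lower().lstrip("*.")
    if host == brand or host.endswith("." + brand):
        return None                                  # the brand's own certificate, not a lookalike
    own, seen = registrable_label(brand), registrable_label(host)
    checks = [
        (seen == own, "tld-swap"),                               # same name, different suffix
        (normalise(seen) == normalise(own), "homoglyph"),        # digits or letter pairs posing as letters
        (edit_distance(seen, own) == 1, "typosquat"),            # one dropped, added, changed or swapped char
        (own in seen, "brand-embedded"),                         # brand wrapped in extra words, e.g. -login
    ]
    return next((reason for hit, reason in checks if hit), None)

# Constructed sample log entries; 'example.com' stands in for the protected brand.
SAMPLE_CT_NAMES = ["login.example.com", "examp1e.com", "exmaple.co.uk",
                   "example-account-verify.net", "example.io", "unrelated.org"]

def scan(brand: str, names: list) -> dict:
    """Map each suspicious certificate name to the reason it was flagged; own names are dropped."""
    return {n: r for n in names if (r := classify(brand, n)) is not None}
```

Feeding real CT output into `scan` is the part a monitoring pipeline adds; the matching rules are the same, and each flagged name becomes a candidate for the takedown queue.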

Across our four detection layers, the platform runs roughly four million domain scans a month and seventy-five million certificate scans a day. The point of the volume is not the volume. It is that the window between infrastructure going live and infrastructure being used is the only one in which the cost still belongs to the attacker. Outside that window, the cost is yours.

We do take down attacker infrastructure. The argument is not against takedown. The argument is about when the takedown clock starts. Reactive brand-protection vendors start theirs after the phishing email has been sent, after the customer has clicked, after the supplier invoice has been paid. Ours starts before.

What this means for the next board read

The shift worth carrying out of the M&S headline is not "we need better perimeter controls". It is "the brand is part of our attack surface now, and it is not on any of the dashboards we currently brief the board from". Until brand-impersonation defence is named, owned, and reported alongside email security and EDR, the cost of the next event is still pre-priced into the budget, regardless of how mature the perimeter is.

M&S did not get phished. The people around M&S did. The bill came home anyway. The discipline that prices the next event downwards is not faster post-attack response. It is earlier detection of the infrastructure that makes the attack possible at all.

James Bending is co-founder and CRO of DefendDomain, named Cyber Security Start-up Company of the Year at the TEISS Awards 2026 and a finalist in the National Technology Awards 2026 and the Computing Security Excellence Awards 2026.
