The Evolution of Cybersecurity: Beyond Point-in-Time Testing and Toward Comprehensive Defence

As the complexity and frequency of cyber attacks continue to escalate, traditional security methodologies such as point-in-time penetration testing are increasingly insufficient to address modern threats. The recent breaches at major UK retailers Harrods, Marks & Spencer, and Co-op illustrate that even organizations with substantial security investments remain vulnerable to sophisticated attacks. This article examines whether point-in-time security testing has become obsolete, evaluates the critical role of human-centric security ("the human firewall"), and assesses whether we are approaching a paradigm shift in cybersecurity—possibly precipitated by a catastrophic "big one" event that would fundamentally alter security culture.
The Limitations of Point-in-Time Penetration Testing
Traditional penetration testing provides a valuable but inherently limited snapshot of an organization's security posture. As cyber threats evolve at unprecedented speeds, the fundamental limitations of this approach have become increasingly apparent:
Static Assessment in a Dynamic Threat Landscape
Point-in-time penetration testing represents a moment-in-time assessment of security vulnerabilities, but the cyber threat landscape is continuously evolving. As organizations build and improve their security postures, they often continue to rely on these periodic assessments despite their limitations. Security vulnerabilities can emerge at any moment between scheduled tests, leaving critical systems exposed for months until the next assessment cycle.
According to Security Scorecard, "Point-in-time IT security risk assessments can find vulnerabilities at a single moment, but they fail to monitor activity between the assessments. These assessments quickly go out of date and depending on the form, can be very subjective." Organizations often engage in "security theatre" before scheduled assessments, temporarily strengthening systems to meet compliance requirements rather than maintaining consistent security postures.
Delayed Response to Emerging Threats
The gap between traditional penetration test schedules creates dangerous windows of vulnerability. SynerComm highlights that "without continuous testing, your security posture can quickly become outdated, leaving your systems exposed to the latest attack vectors." This delay in identifying and addressing vulnerabilities provides ample opportunity for threat actors to exploit weaknesses.
The recent attacks on UK retailers underscore this risk. In April and May 2025, Marks & Spencer, Co-op, and Harrods all suffered significant cyber attacks within a short timeframe. M&S was particularly affected, with its online services disrupted for weeks and customer data compromised. According to Reuters, the company lost approximately £3.5 million in daily revenue and saw around £700 million wiped from its market value.
Incomplete Coverage
Traditional penetration testing typically focuses on specific systems or applications, potentially overlooking vulnerabilities in other parts of the organization's infrastructure. This siloed approach creates blind spots that sophisticated attackers can exploit, particularly in complex, interconnected environments.
The cyber attacks on M&S, Harrods, and Co-op demonstrate the complexity of modern threats. These attacks have been linked to a group called Scattered Spider (also known as Octo Tempest), which reportedly used the DragonForce ransomware on M&S's VMware ESXi hosts to encrypt virtual machines. Their methods included sophisticated social engineering techniques to convince IT help desks to reset passwords, highlighting how attackers exploit both technical vulnerabilities and human factors.
The Rise of Continuous Security Testing
As the limitations of traditional penetration testing become more apparent, organizations are shifting toward continuous security approaches:
Continuous Penetration Testing
Continuous penetration testing represents an evolution of traditional methods, involving frequent and iterative testing to identify vulnerabilities as they emerge. According to Evolve Security, this approach "allows security teams to catch vulnerabilities as they arise and effectively seal gaps before they are exploited." By combining automated tools with regular human expertise, continuous testing provides ongoing visibility into an organization's security posture.
Benefits of Continuous Monitoring
A continuous approach offers significant advantages:
Real-time threat detection: Continuous monitoring enables organizations to identify and respond to emerging threats immediately, dramatically reducing the window of exposure.
Adaptation to evolving threats: Regular testing allows security teams to adjust their strategies based on the latest attack vectors and techniques.
Comprehensive coverage: Continuous approaches can cover a broader range of systems and applications, reducing blind spots.
Integration with development cycles: Continuous security testing aligns with modern DevOps practices, enabling security to be integrated into the development process.
The MITRE ATT&CK framework has become an invaluable resource for implementing comprehensive security strategies. As described by MITRE, it's "a globally-accessible knowledge base of adversary tactics and techniques based on real-world observations." By mapping attacks using this framework, organizations can better understand threat actors' behaviours and implement appropriate countermeasures.
The Human Firewall: The Critical Element in Modern Cybersecurity
While technological solutions are essential, the human element remains both the greatest vulnerability and potential strength in cybersecurity defences.
The Human Factor in Cybersecurity Breaches
Human error continues to be a primary factor in security breaches. According to current statistics:
82% of data breaches have been linked to human-related security weaknesses
The human element is the common root cause of 68% of data breaches
95% of cybersecurity incidents happen because of human mistakes
The M&S and Co-op breaches exemplify how sophisticated attackers target the human element. Scattered Spider reportedly initiated these attacks by impersonating employees and convincing IT help desks to reset passwords. This social engineering tactic bypassed technical controls by exploiting human vulnerabilities.
Building an Effective Human Firewall
Transforming employees from security liabilities into security assets requires comprehensive education and cultural change:
Cybersecurity Awareness Training Evolution
Traditional security awareness programs are evolving into more sophisticated approaches focused on behaviour change rather than just knowledge transfer. IBM notes that "Nearly 95% of human thinking and decision making is controlled by System 1, which is our habitual way of thinking." Effective training must address this by creating security-conscious habits rather than merely providing information.
Modern training approaches include:
Personalized, role-specific training: Tailoring content to specific job functions and risk profiles.
Simulated attacks: Conducting realistic phishing, vishing, and smishing simulations to build practical skills.
Continuous reinforcement: Providing regular, bite-sized training modules rather than annual compliance exercises.
Gamification and engagement: Using competition and rewards to motivate ongoing participation.
Behavioural analytics: Employing AI to analyse employee behaviour and deliver targeted interventions.
Despite these advances, there are still significant gaps in implementation. As of 2024, 45% of employees report receiving no security training from their employers, and 62% of companies do not conduct sufficient security awareness training to see significant benefits.
From Awareness to Culture
Building a robust security culture goes beyond training to create an environment where security becomes part of everyday decision-making. This requires:
Leadership commitment: Visible support from executives and managers for security initiatives.
Positive reinforcement: Recognizing and rewarding security-conscious behaviours rather than punishing mistakes.
Clear expectations: Establishing and communicating security responsibilities for all roles.
Empowerment: Giving employees the tools and authority to report and address security concerns.
Continuous improvement: Regularly evaluating and enhancing security culture initiatives.
Organizations that successfully implement these strategies can expect significant benefits. Properly implemented cybersecurity awareness training can lead to a 70% reduction in security-related risks, and users who have undergone phishing awareness training are 30% less likely to click on phishing links.
The Current State: Retail Sector Under Siege
The recent spate of attacks on UK retailers provides a revealing case study of current cybersecurity challenges:
The M&S, Harrods, and Co-op Attacks
In April and May 2025, three major UK retailers experienced significant cyber attacks:
Marks & Spencer: The attack began around April 21, with customers reporting issues with contactless payments and click-and-collect services. By April 25, M&S suspended all online orders and removed job listings from its website. Weeks later, the company was still unable to process online sales and acknowledged that customer data had been stolen. The attack has cost M&S millions in lost revenue and wiped approximately £700 million from its market value.
Co-op Group: Shortly after the M&S attack, Co-op revealed it had also been targeted. The company shut down parts of its IT system, affecting back-office and call centre functions. It later acknowledged that data from a significant number of current and past members had been stolen, including personal information such as names, contact details, and dates of birth.
Harrods: On May 1, the luxury retailer confirmed it had experienced unauthorized access attempts to its systems. While Harrods managed to contain the breach more effectively than M&S, internal files, including employee data, were reportedly accessed.
Attack Vectors and Techniques
These attacks demonstrate the sophistication of modern threat actors:
Social engineering: The attackers reportedly used sophisticated social engineering techniques, including impersonating employees to convince IT help desks to reset passwords.
Ransomware deployment: In the case of M&S, attackers reportedly used the DragonForce ransomware to encrypt virtual machines.
Identity-based attacks: The attackers targeted credentials and access controls rather than attempting to directly breach perimeter defences.
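The help-desk password-reset pattern described above is detectable after the fact if identity-provider audit events are correlated per user. The following is an added example, not code from the article or from any of the organizations it discusses: it correlates help-desk-initiated password resets with a follow-on MFA enrolment or a sign-in from an unfamiliar address inside a short window. The log format, field names, actor naming convention (`helpdesk.*`) and the "known" address ranges are all constructed assumptions; a real IdP export will need its own parser.

```python
"""Correlate help-desk password resets with follow-on identity changes.

Added example (not part of the original article). The log format below is a
constructed, simplified identity-provider audit log; real IdP logs differ, so
the parser, field names and the helpdesk actor prefix are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit events: "timestamp actor action subject source_ip".
# alice.smith: reset by help desk, then new MFA device + login from an outside
# address within minutes (the pattern the article describes).
# bob.jones: reset by help desk, next login hours later from the office range.
SAMPLE_LOG = """\
2025-04-21T09:02:11Z helpdesk.agent1 PASSWORD_RESET alice.smith 10.0.5.12
2025-04-21T09:06:40Z alice.smith MFA_DEVICE_ENROLLED alice.smith 203.0.113.77
2025-04-21T09:07:05Z alice.smith LOGIN_SUCCESS alice.smith 203.0.113.77
2025-04-21T10:15:00Z helpdesk.agent2 PASSWORD_RESET bob.jones 10.0.5.13
2025-04-21T14:30:22Z bob.jones LOGIN_SUCCESS bob.jones 10.0.7.40
2025-04-22T08:00:00Z carol.ng LOGIN_SUCCESS carol.ng 10.0.7.41
"""

# Assumed office/VPN address prefixes for this constructed environment.
KNOWN_PREFIXES = ("10.0.",)

# How long after a reset a follow-on change is treated as linked to it.
RESET_WINDOW = timedelta(minutes=30)


def parse_log(text):
    """Parse the constructed whitespace-separated format into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, actor, action, subject, ip = line.split()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "actor": actor, "action": action, "subject": subject, "ip": ip,
        })
    return events


def is_known_ip(ip):
    return ip.startswith(KNOWN_PREFIXES)


def find_suspicious_resets(events, window=RESET_WINDOW):
    """Return one alert per help-desk reset that is followed, inside `window`,
    by an MFA device enrolment or a successful login from an unknown address."""
    by_subject = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_subject[e["subject"]].append(e)

    alerts = []
    for subject, evs in by_subject.items():
        for i, e in enumerate(evs):
            if e["action"] != "PASSWORD_RESET" or not e["actor"].startswith("helpdesk."):
                continue
            reasons = set()
            for f in evs[i + 1:]:
                if f["ts"] - e["ts"] > window:
                    break  # events are time-ordered, so nothing later qualifies
                if f["action"] == "MFA_DEVICE_ENROLLED":
                    reasons.add("mfa_enrolled_after_reset")
                if f["action"] == "LOGIN_SUCCESS" and not is_known_ip(f["ip"]):
                    reasons.add(f"login_from_unknown_ip:{f['ip']}")
            if reasons:
                alerts.append({
                    "subject": subject,
                    "reset_by": e["actor"],
                    "reset_at": e["ts"].isoformat(),
                    "reasons": sorted(reasons),
                })
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious_resets(parse_log(SAMPLE_LOG)):
        print(alert)
```

The rule deliberately keys on the combination (help-desk reset plus MFA re-enrolment or an unfamiliar source) rather than on resets alone, because legitimate resets are frequent; the window and the known-address list are the two knobs to tune against an organization's own baseline.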
The attacks have been attributed to DragonForce affiliates, with evidence suggesting involvement from the Scattered Spider/Octo Tempest group. This group has demonstrated a pattern of targeting prominent brands in specific sectors to generate media attention before moving on to other targets.
Sectoral Vulnerabilities
These incidents highlight specific vulnerabilities in the retail sector:
Underinvestment in security: Retail organizations often prioritize customer experience and operational efficiency over security investments.
Complex digital infrastructure: Modern retailers operate complex, interconnected systems spanning physical stores, e-commerce platforms, and supply chains.
Valuable data assets: Retailers process and store significant volumes of customer and payment data, making them attractive targets.
Skill shortages: According to recent research, 83% of UK organizations are grappling with a shortage of skilled cybersecurity professionals.
Cabinet Office minister Pat McFadden described the wave of attacks on UK businesses as a "wake-up call" for the industry, highlighting the need for organizations to reassess their security strategies.
Are We Approaching "The Big One"?
The concept of "the big one"—a catastrophic cyber event that fundamentally changes security culture and practice—looms large in cybersecurity discussions. Are we approaching such an event?
Signs of Growing Risk
Several factors suggest the potential for a major, paradigm-shifting cyber event:
Increasing attack sophistication: Threat actors are employing increasingly advanced techniques, including AI-enhanced attacks and deepfakes. According to Gartner, around 50% of executives believe Generative AI will advance adversarial capabilities such as phishing, malware, and deepfakes.
Critical infrastructure targeting: Attacks are increasingly targeting essential services and infrastructure, with the potential for significant real-world impacts.
Supply chain vulnerabilities: In 2024, 183,000 customers were affected by supply chain cyber attacks, an increase of 33% from the previous year.
Ransomware evolution: Ransomware operators are moving to subscription models, enabling even low-skilled criminals to launch sophisticated attacks.
Geopolitical tensions: Rising international conflicts are accompanied by increased state-sponsored cyber activities.
The potential impact of a major cyber event could be catastrophic. The global cost of cyber attacks is projected to reach $10.5 trillion annually by 2025, according to Cybersecurity Ventures, while another forecast places the cost of cybercrime at $23 trillion by 2027.
Evaluating Readiness
Despite growing awareness of cyber risks, organizational readiness remains concerning:
The resilience gap: The divide between resilient organizations and those struggling has become stark, with the number of organizations maintaining minimum viable cyber resilience declining by 30% in 2024.
Resource constraints: A lack of resources and skills is the biggest challenge for 52% of organizations in designing cyber resilience.
Legacy technology: Transforming legacy technology and processes remains a significant barrier to improved security.
Human factors: Despite their critical role, human-centric security measures remain underdeveloped in many organizations.
These factors suggest that while a catastrophic cyber event is increasingly possible, many organizations remain unprepared to prevent or respond effectively to such an event.
The Path Forward: Integrated, Continuous Security
As we consider the future of cybersecurity, several key principles emerge for building more resilient organizations:
Embracing the MITRE ATT&CK Framework
The MITRE ATT&CK framework provides a valuable foundation for modern security strategies. By categorizing and mapping adversary tactics, techniques, and procedures, it enables organizations to develop specific threat models and implement appropriate countermeasures.
For 2025, the MITRE ATT&CK Evaluations are focusing on cloud-based attacks, response and containment strategies, and post-incident analysis, reflecting the evolving threat landscape. Organizations can use this framework to enhance threat intelligence, detection capabilities, and incident response procedures.
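The two passages on mapping attacks to ATT&CK (the earlier one under "Benefits of Continuous Monitoring" and this one) both describe the same practice: express an observed attack chain as technique IDs, then compare it with what the organization's detections actually cover. The following is an added example, not code from the article or from MITRE. The attack chain is a constructed, simplified reading of the help-desk reset and ransomware pattern the article describes, and the detection-rule inventory is constructed; the technique IDs are taken from the public ATT&CK matrix but should be checked against the release in use.

```python
"""ATT&CK coverage-gap check for an observed attack chain.

Added example, not from the article or from MITRE. The chain and the
detection inventory are constructed; technique IDs are from the public
ATT&CK matrix and should be verified against the current release.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Step:
    tactic: str
    technique: str  # ATT&CK technique or sub-technique ID, e.g. "T1598.004"
    name: str


# Constructed chain: help-desk impersonation by phone -> account takeover via
# password/MFA reset -> use of the now-valid account -> encryption of hosts.
OBSERVED_CHAIN = [
    Step("reconnaissance", "T1598.004", "Phishing for Information: Spearphishing Voice"),
    Step("persistence", "T1098", "Account Manipulation"),
    Step("initial-access", "T1078", "Valid Accounts"),
    Step("impact", "T1486", "Data Encrypted for Impact"),
]

# Constructed detection inventory: rule name -> technique IDs it claims to cover.
DETECTION_RULES = {
    "mfa-reset-outside-ticket": {"T1098"},
    "impossible-travel-login": {"T1078"},
    "hypervisor-mass-vm-poweroff": {"T1486"},
}


def parent_technique(tid):
    """'T1598.004' -> 'T1598'; a parent ID is returned unchanged."""
    return tid.split(".")[0]


def coverage_gaps(chain, rules):
    """Classify each step of the chain against the detection inventory.

    Returns exact hits, steps covered only by a rule on the parent technique
    (treated as partial), outright gaps, and the index of the earliest step
    where any rule would fire."""
    covered = set()
    for techs in rules.values():
        covered |= techs

    result = {"exact": [], "partial": [], "gaps": [], "first_detectable_step": None}
    for i, step in enumerate(chain):
        if step.technique in covered:
            result["exact"].append(step.technique)
            hit = True
        elif parent_technique(step.technique) in covered:
            result["partial"].append(step.technique)
            hit = True
        else:
            result["gaps"].append(step.technique)
            hit = False
        if hit and result["first_detectable_step"] is None:
            result["first_detectable_step"] = i
    return result


if __name__ == "__main__":
    report = coverage_gaps(OBSERVED_CHAIN, DETECTION_RULES)
    for key, value in report.items():
        print(f"{key}: {value}")
```

For the constructed chain the report shows the gap where a practitioner would expect it: the voice-phishing step has no detection rule at all, so the earliest point at which anything fires is the account manipulation that follows it. That is the argument for a non-technical countermeasure (a help-desk identity-verification procedure) sitting alongside the technical rules, which is exactly the mix of technical and human controls the article advocates.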
Implementing Continuous Security Approaches
Moving beyond point-in-time assessments to continuous security monitoring provides several advantages:
Reduced exposure window: Continuous testing dramatically reduces the time between vulnerability creation and detection.
Adaptive defence: Organizations can quickly adjust their security posture in response to emerging threats.
Comprehensive coverage: Continuous approaches can cover a broader range of systems and attack vectors.
Improved resource allocation: Organizations can prioritize remediation efforts based on real-time risk assessments.
Strengthening the Human Firewall
Enhancing human-centric security measures is essential for addressing the root causes of many breaches:
Behavioural security: Focus on changing behaviours rather than just increasing awareness.
Personalized training: Tailor security education to specific roles, risks, and learning styles.
Positive security culture: Build an environment where security is valued and rewarded rather than seen as an obstacle.
Leadership engagement: Ensure visible support from executives and managers for security initiatives.
Preparing for "The Big One"
Organizations should take proactive steps to prepare for potentially catastrophic cyber events:
Scenario planning: Develop and test response plans for various high-impact cyber scenarios.
Resilience investments: Focus on building systems and processes that can withstand and recover from major attacks.
Collaborative defence: Participate in industry information sharing and collective defence initiatives.
Supply chain security: Implement robust third-party risk management processes.
No Silver Bullet, but a Way Forward
The question of whether we'll ever find a "silver bullet" for cybersecurity has a clear answer: no. The complexity and dynamism of the threat landscape, combined with the inherent vulnerabilities of human-computer interaction, mean that perfect security will remain elusive.
However, by moving beyond point-in-time testing to continuous, integrated security approaches that address both technical and human factors, organizations can significantly improve their ability to prevent, detect, and respond to cyber threats. The MITRE ATT&CK framework provides a valuable foundation for these efforts, enabling organizations to understand and counter adversary tactics and techniques.
As for "the big one"—a catastrophic cyber event that forces a paradigm shift in security practice—the signs suggest that the risk is growing. The increasing sophistication of attacks, the expanding attack surface, and the critical nature of digital systems in modern society all point to the potential for a major cyber event with far-reaching consequences.
The clock may indeed be ticking toward midnight for such an event. However, by implementing the principles outlined in this article, organizations can improve their readiness and resilience, potentially mitigating the impact of even the most severe cyber attacks.
In the end, effective cybersecurity is not about finding a single solution, but about building a comprehensive, adaptive defence that evolves alongside the threat landscape. By embracing continuous security approaches, strengthening the human firewall, and leveraging frameworks like MITRE ATT&CK, organizations can navigate the challenging cybersecurity landscape of 2025 and beyond.