Minimum Viable Company (MVC) Thinking in a Maximum Impact Crisis: What the M&S Cyber attack revealed about MVC, and how YEO Messaging could have changed the game.

When ransomware struck Marks & Spencer on the Easter Weekend of 2025, it wasn’t just systems that went dark — it was a complete fracture of operational continuity. Online orders halted. In-store contactless payments froze. Warehouses stalled. For nearly six weeks, a high-street icon was left firefighting without its usual digital tools.

The breach, linked to the Scattered Spider group, was carried out through social engineering tactics targeting a third-party IT provider, ultimately leading to an Active Directory compromise — a perfect storm of credential exploitation and overreliance on interconnected infrastructure.

What followed was a textbook example of what happens when you haven’t defined your Minimum Viable Company (MVC) — identifying ahead of time, the essential people, platforms, and processes needed to survive a cyber crisis. 

What if an MVC mindset had been in place?

An MVC approach requires not just protection, but continuity under fire and the concept is gathering increasing prominence in cyber resilience and infrastructure response frameworks.  It refers to the tools and channels sat independently outside your everyday tech stack, ready to activate when your business is under siege.

This is how YEO Messaging could have transformed the outcome, taking the M&S cyber attack as an example:

1. Averting Penetration – Preventing Phishing-Led Takeover
YEO’s identity-bound messaging with geo-fencing ensures only verified users can send and receive messages. If this had been used for internal communications or IT contractor coordination, it could have stopped social engineering attempts dead, neutralising the M&S credential theft from the outset.

2. Speeding Response – A Secure Command Centre When Everything Else Is Down
When M&S lost access to critical systems including internal comms, escalation chains and executive coordination were slowed. YEO runs out-of-band, separate from Microsoft 365, Active Directory, or VPNs — acting as a hardened Crisis Comms channel that stays live even if your network doesn’t. 

Imagine if YEO had been in place:

• Immediate leadership coordination

• Verified access for CrowdStrike, Microsoft, NCA

• Real-time updates for store managers, PR, and warehouse staff

• No risk of spoofing, leaks, or shadow IT

3. Influencing Containment – Verified Escalation, Not Panic and Patching
With ransomware still active, communication must be trusted, encrypted, and fully separated from infected networks. YEO provides unforgeable escalation and isolated messaging environments, ensuring that the containment effort doesn’t make things worse. 

The Cost of Not Planning for the MVC Moment

M&S is estimated to have taken a £300–£400 million profit hit, with its market cap down over £1 billion. Insurance may cover part of the loss, but reputational damage, wasted stock, and leadership fatigue were harder to quantify.

A Minimum Viable Company plan could have reduced this dramatically — and platforms like YEO should be at its core. 

In Crisis, YEO Is the Infrastructure You Still Control

Too many organisations assume their primary systems will always be there when needed. M&S shows us otherwise.

YEO Messaging isn’t just secure — it’s survivable. It gives you the means to coordinate, contain, and communicate when your digital world falls apart.

For leaders thinking seriously about ransomware resilience, now is the time to define your MVC — and make sure YEO is part of it.