Why the UK’s Recent Retail Cyberattacks Make the Case for Zero Trust

First it was Marks & Spencer. Then Co-op. Then Harrods.

This past month, major UK retailers were disrupted by attackers who never walked through the front door.

The attacks disrupted operations, impacted payments, and exposed just how vulnerable even the most recognizable brands can be.

What they had in common is what we see in nearly every major breach: once inside, the attacker moved freely. Unchecked lateral movement is what turns a single compromised system into a business-wide disruption.

What do these high-profile retail cyberattacks teach us? We don’t have a malware problem. We have a trust problem.  

That’s why I think it’s important that organizations see Zero Trust as a practical journey rather than a concept. Let’s walk through the six doable steps to Zero Trust that could’ve reduced the impact of these attacks.

Step 1: Identify what you need to protect

Don’t start with everything. Start with what’s most important.  

The UK retail attackers didn’t need to compromise the entire network to be devastating — just a few critical systems.

Find an application, a service, or a process your business depends on. Is it tied to compliance? Recently audited? Constantly targeted? Start there.  

This kind of targeted approach gives leadership a direct line of sight to ROI and gives security teams a chance to show success quickly.

Step 2: Start with one pillar and prioritize ruthlessly

Depending on which government agency, analyst firm, or security expert you talk to, there are between five and seven pillars to a Zero Trust architecture (CISA's Zero Trust Maturity Model lists five; the US Department of Defense's model lists seven).

No matter how many there are, trying to address all of them at once is a guaranteed way to go nowhere. So don’t.

Instead, keep coming back to protecting what matters most first. If you’re tackling over-permissioned access, focus on identity. If you’re worried about legacy systems talking to places they shouldn’t, zero in on workloads.

Whatever Zero Trust framework you use, it can help you identify your biggest gaps and where to start. Prioritize your Zero Trust journey ruthlessly so that the most critical systems get locked down first.

Step 3: Be clear on the control you’re trying to build

Zero Trust requires you to get specific with your network and its security needs.

Are you trying to enforce least-privilege network access to a high-value app? Protect communication between dev and prod environments? Limit third-party access to regulated data?

Define the control. This clarity will shape what you need next.

Step 4: Get the right data and make it useful

Now comes the part most organizations overlook: visibility.

You need to know how things are actually communicating — not how you think they are.

Look at traffic patterns. Understand upstream and downstream dependencies. Get context: What’s talking to what, and why? Who owns that workload? What role does it play?

The more context you have, the smarter your policies become. This is where data from systems like CMDBs or asset inventories becomes valuable, not as documentation but as decision support.

Step 5: Design the policy with humans in mind

With your insights, you can build policies that reflect actual behavior.

But make them testable. Validate your assumptions, expect some gaps, and build policies that show what should happen and surface what shouldn't.

This is how you move from theory to action with controls that make sense to both security teams and application owners.

Step 6: Validate, implement, and monitor — slowly

Going all out with Zero Trust from the get-go isn’t just impractical. It’s a recipe for disaster.  

Instead, go incrementally.

Start in a test (log-only) mode. Observe what would be blocked and fine-tune. Then enforce your Zero Trust controls in phases, maybe one workload at a time.

This reduces operational risk, builds trust with your organization and app owners, and gives you room to adapt as your environment evolves.

Once enforced, continue monitoring. Look for policy violations, new dependencies, and behavior that doesn’t match your expected map. That’s your signal to review — not react.
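To make Steps 4 to 6 concrete, here is an added example (not code from the original post or its author): a toy policy engine that builds a dependency map from observed flows, derives a least-privilege allowlist for one protected workload, and then evaluates new traffic in a log-only "test" mode before switching to "enforce". Every hostname, role, owner and flow record in it is constructed for the example; in practice the flows would come from your flow logs or segmentation agent and the role/owner context from your CMDB.

```python
"""Added example, not code from the original post: Steps 4 to 6 of the
post as a small policy engine for one protected workload. Hostnames,
roles, owners and flow records below are all constructed."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    port: int
    proto: str


# Constructed CMDB / asset-inventory context: host -> (role, owner).
INVENTORY = {
    "pos-gw-01": ("pos-gateway", "retail-ops"),
    "pay-api-01": ("payments-api", "payments"),
    "pay-db-01": ("payments-db", "payments"),
    "hr-app-01": ("hr-app", "people"),
    "jump-01": ("admin-jump", "infra"),
}

# Constructed flows captured during the discovery window (Step 4).
OBSERVED = [
    Flow("pos-gw-01", "pay-api-01", 443, "tcp"),
    Flow("pos-gw-01", "pay-api-01", 443, "tcp"),
    Flow("pay-api-01", "pay-db-01", 5432, "tcp"),
    Flow("jump-01", "pay-db-01", 22, "tcp"),
    Flow("hr-app-01", "pay-db-01", 5432, "tcp"),  # nobody expected this one
]


def dependency_map(flows, inventory):
    """Step 4: who talks to each destination, on what, and who owns the
    source. Returns {dst: {(src, src_role, src_owner, port, proto)}}."""
    deps = defaultdict(set)
    for f in flows:
        role, owner = inventory.get(f.src, ("unknown", "unknown"))
        deps[f.dst].add((f.src, role, owner, f.port, f.proto))
    return dict(deps)


def build_allowlist(flows, protect, inventory, expected_roles):
    """Step 5: derive rules for one protected workload from observed
    behaviour. A rule is (source_role, port, proto): admitting by role
    rather than hostname keeps rules valid when hosts are rebuilt. Flows
    from a role the owner did not expect are NOT written into policy; they
    are returned for review so a pre-existing mistake (or an intrusion) is
    not quietly blessed as 'normal'."""
    rules, needs_review = set(), []
    for f in flows:
        if f.dst != protect:
            continue
        role = inventory.get(f.src, ("unknown", "unknown"))[0]
        if role in expected_roles:
            rules.add((role, f.port, f.proto))
        else:
            needs_review.append(f)
    return rules, needs_review


def evaluate(flows, protect, rules, inventory, mode="test"):
    """Step 6: run traffic for the protected workload through the rules.
    "test" drops nothing and labels non-matching flows "would-block" so the
    policy can be tuned first; "enforce" labels them "block". Traffic to
    other destinations is outside this policy's scope and passes."""
    if mode not in ("test", "enforce"):
        raise ValueError(f"unknown mode {mode!r}")
    verdicts = []
    for f in flows:
        if f.dst != protect:
            verdicts.append((f, "out-of-scope"))
            continue
        role = inventory.get(f.src, ("unknown", "unknown"))[0]  # unknown host -> no match
        if (role, f.port, f.proto) in rules:
            verdicts.append((f, "allow"))
        else:
            verdicts.append((f, "would-block" if mode == "test" else "block"))
    return verdicts


def run_demo():
    protect = "pay-db-01"
    rules, review = build_allowlist(OBSERVED, protect, INVENTORY,
                                    expected_roles={"payments-api", "admin-jump"})
    # Constructed post-policy traffic: the baseline plus a host that is not in
    # the inventory at all reaching for the database (the lateral-movement
    # pattern the post describes).
    later = OBSERVED + [Flow("build-07", "pay-db-01", 5432, "tcp")]
    test_run = evaluate(later, protect, rules, INVENTORY, mode="test")
    enforce_run = evaluate(later, protect, rules, INVENTORY, mode="enforce")
    return rules, review, test_run, enforce_run


if __name__ == "__main__":
    rules, review, test_run, enforce_run = run_demo()
    print("rules:", sorted(rules))
    print("needs review before enforcement:", review)
    for f, verdict in test_run:
        if verdict == "would-block":
            print("TEST would block:", f)
    print("blocked in enforce mode:", sum(1 for _, v in enforce_run if v == "block"))
```

Two design points carry over to real tooling. First, the allowlist is keyed on role rather than hostname, so the policy does not rot every time a host is rebuilt. Second, an observed flow is not automatically a legitimate one: the HR application reading the payments database shows up in the dependency map, but it goes to the application owner for review rather than straight into the ruleset, which is the difference between "reflect actual behaviour" and "bless whatever was already happening".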

The attacks will keep coming. Be prepared with Zero Trust.

What happened at Co-op, Harrods, and Marks & Spencer is going to keep happening. We’re in a threat landscape where adversaries don’t just steal data. They disrupt operations and put your customers’ trust at risk.

Zero Trust isn’t about stopping every attacker from getting in. That’s not realistic. It’s about making sure that once they do, they can’t go anywhere else.

If you don’t want to be the next headline, now’s the time to start. Zero Trust isn’t hard — if you’re practical.

Christer Swartz

Director of Industry Solutions

Ready to learn more about Zero Trust Segmentation?