You would think by now we would have learned. The recent attack on Marks and Spencer, and similar ones across the retail sector, followed a painfully familiar script. An attacker, posing as an employee, phones the helpdesk. A little urgency, a little charm, and before long, they are handed the keys to the castle, or more accurately, the login credentials.
This is not some novel, zero-day exploit. This is old school social engineering. We have seen it in different forms for decades. Kevin Mitnick was doing this in the 90s. The only difference is that now, attackers have an even greater wealth of publicly available data to draw from. With social media, data leaks, and staff directories all out in the open, it is easier than ever to craft a convincing story.
And yet, we still fall for it.
The root of the problem is not technology. It is not a lack of training, either. The problem is that too many businesses treat social engineering as something that can be resolved with a bit of cyber awareness and a few boxes ticked. Unfortunately, posters on the wall and annual training modules do not hold up well when someone is being manipulated in real time.
It is time we stop trying to train humans out of being human. No amount of education is going to eliminate trust, empathy, or the desire to help. That is what social engineers exploit. The only real defence is to design processes that make it much harder for attackers to succeed — processes that do not leave the decision up to someone’s gut instinct.
Take password resets. If your helpdesk is allowed to reset passwords based solely on someone calling in and answering a few security questions, you are inviting trouble. Instead, consider a callback policy: the helpdesk must hang up and call the person back using the number already on file, never a number the caller supplies. Better yet, remove the phone entirely from the equation and require resets to go through a self-service portal.
Still, even those measures can be sidestepped if someone is determined enough. That is why the defence has to be built in layers. Combine that callback rule with real-time alerts to line managers when password resets are requested. Introduce mandatory waiting periods for password changes unless approved by a second person. Require approval for changes to contact details like phone numbers and email addresses, ideally via another communication channel, because an attacker who has just changed the phone number on file will happily pass a callback check. The specific processes will vary from business to business, but the key is to implement what will work best for you.
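To make the layering concrete, here is a small Python model of the reset gate described above. It is an added illustration, not code from the article or from any retailer's helpdesk; the data fields, the four-hour waiting period and the decision names are assumptions.

```python
"""Layered password-reset gate: callback to the number on file, manager alert,
second-person approval or a cooling-off period, and a block when contact
details have an unapproved change. Illustrative model; all names are assumed."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

WAITING_PERIOD = timedelta(hours=4)  # assumed cooling-off period for unapproved resets


@dataclass
class Employee:
    user_id: str
    phone_on_file: str          # the only number the helpdesk may call back
    manager_id: str
    contact_change_pending: bool = False  # phone/email changed, not yet approved out-of-band


@dataclass
class ResetRequest:
    user_id: str
    caller_phone: str                       # number the caller gave or called from
    requested_at: datetime
    callback_number_used: Optional[str] = None  # number the helpdesk actually dialled
    second_approver: Optional[str] = None       # a different person who vouched
    alerts: List[str] = field(default_factory=list)


def evaluate_reset(emp: Employee, req: ResetRequest, now: datetime) -> Tuple[str, List[str]]:
    """Return ('approve' | 'hold' | 'deny', reasons). Every request alerts the manager."""
    req.alerts.append(f"manager:{emp.manager_id}:reset-requested:{req.user_id}")
    # A recently changed, unapproved contact detail can't be trusted for verification.
    if emp.contact_change_pending:
        return "deny", ["contact details changed recently and not yet approved out-of-band"]
    # Callback must go to the number on file, never to whatever the caller supplied.
    if req.callback_number_used != emp.phone_on_file:
        return "deny", ["callback was not made to the number on file"]
    # Second-person approval (not self-approval) lets the reset proceed at once.
    if req.second_approver and req.second_approver != emp.user_id:
        return "approve", ["callback verified; approved by second person"]
    # Otherwise the request sits in a mandatory waiting period before it completes.
    elapsed = now - req.requested_at
    if elapsed >= WAITING_PERIOD:
        return "approve", ["callback verified; waiting period elapsed"]
    return "hold", [f"waiting period not elapsed; {WAITING_PERIOD - elapsed} remaining"]
```

Any "hold" or "deny" decision, together with the manager alert, is a natural detection point: a burst of held or denied resets against one account is worth an analyst's attention.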
Another simple but powerful change? Lock down what staff directories and internal contact methods are available externally. The less information attackers have, the harder it is for them to impersonate someone convincingly.
And do not underestimate the value of psychological speed bumps. Processes that slow things down, require a second opinion, or even just introduce awkwardness can often be enough to make a social engineer give up and move on. Friction is usually seen as bad for business, but a bit of friction in the right place can stop an attacker cold.
The lesson from the M&S attack is not that we need more cybersecurity awareness. It is that our business processes still assume the people calling us are who they say they are. That is where the real risk lies. Fixing this does not mean throwing more training at staff; it means putting in place smart, deliberate controls that support them. If you cannot stop an attacker from calling, then at least make sure that call gets them nowhere.