Retailers at risk: how cyber threats are shaping the future of commerce
Cyber threats are evolving rapidly, and retailers must adapt to safeguard their businesses. Retail Sector spoke with industry experts to understand the current cyber risks, how retailers can better protect themselves, and what the future holds for securing the digital retail landscape.

In recent weeks two major UK retailers – Marks and Spencer and Co-op – have fallen victim to high-profile cyber attacks that sent ripples through the entire retail sector. These breaches were a stark reminder that no company, no matter how established or trusted, is immune from cyber threats.
As digital transformation accelerates across the retail industry, what was once seen as an IT challenge has now become a top-tier business issue. Cybercriminals have become more organised and sophisticated, targeting the very systems retailers rely on to serve customers and drive sales.
Today, retailers are increasingly dependent on e-commerce platforms, mobile apps, omnichannel solutions, and smart in-store technologies to meet the demands of a rapidly changing market. But with every new digital advancement comes a host of new vulnerabilities.
From ransomware and phishing to supply chain attacks and data breaches, the threats facing retailers are evolving at an alarming pace. In this environment, the question isn’t whether a retailer will face a cyberattack, but when and how prepared they are to defend themselves when it happens.
A rising tide of threats
Mario Joannou, group head of digital risk, cyberSec and privacy at payabl., sees a significant shift in the retail threat landscape. “Cyberattacks against retailers have become increasingly common today compared to five or ten years ago. The recent attack on M&S highlights how severe the consequences can be from these types of incidents, from a decline in share price and short-term impacts on profits, to longer-term damage in the form of consumer and shareholder confidence,” he says.
Retailers, particularly those operating complex, digital-first environments, must contend with a wide range of threats. These can range from ransomware and phishing to supply chain breaches and distributed denial-of-service (DDoS) attacks. The impact of such attacks is far-reaching, disrupting operations, shaking customer confidence, and damaging brand equity.
Doriel Abrahams, principal technologist at Forter, highlights the scope and danger of these incidents: “While breaches were significant in the past, today, cybercriminals target retailers of all sizes through more diverse and advanced methods, such as ransomware, phishing, and supply chain attacks.”
The growing danger of ransomware
Ransomware continues to be one of the most destructive and high-profile threats. These attacks often begin with a phishing email or stolen remote-access credentials; once inside, attackers typically move through the network, exfiltrate data and then encrypt critical systems, holding both the data and the systems for ransom. Anton Yunussov, director and head of cyber security at Forvis Mazars, underscores the gravity of this threat: “Ransomware attacks have surged dramatically in the last few years and are now one of the most costly and destructive threats faced by retailers. These often begin with phishing emails, leading to the encryption of critical systems and demands for payment.”
While ransomware grabs headlines, other threats are no less serious. Credential stuffing has become a major concern: attackers replay username and password pairs leaked in earlier breaches against a retailer’s login pages, counting on customers who reuse the same password across sites. Because each attempt presents a plausible credential rather than a brute-force guess, a stuffing run is easy to miss unless login traffic is examined for a single source trying many different accounts with a very low success rate. DDoS attacks, which flood systems with traffic to cause outages, are also on the rise, especially during critical shopping periods such as Black Friday or Boxing Day.
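The credential-stuffing pattern described above can be picked out of ordinary authentication logs without any vendor tooling. The following is an added example written for this article, not code from any of the retailers or firms quoted; the log format, the IP addresses and the usernames are constructed for illustration, and the thresholds (five distinct accounts in five minutes with at most 25% success) are assumed starting points that a real deployment would tune against its own traffic.

```python
"""Credential-stuffing detector over authentication logs (added example).

A stuffing run looks different from a customer mistyping a password: one
source tries MANY distinct usernames in a short window, and almost all of
the attempts fail. The few that succeed are the accounts whose reused
passwords matched and now need a forced reset.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not from any real retailer): one attempt per line,
# "<ISO timestamp> <source IP> <username> <OK|FAIL>".
# 203.0.113.7 is the stuffing source, 198.51.100.23 is one customer who
# forgot her password, 192.0.2.5 is an office NAT with three legitimate logins.
SAMPLE_LOG = """\
2024-11-29T09:00:01 203.0.113.7 alice FAIL
2024-11-29T09:00:02 203.0.113.7 bob FAIL
2024-11-29T09:00:02 203.0.113.7 carol FAIL
2024-11-29T09:00:03 203.0.113.7 dave OK
2024-11-29T09:00:04 203.0.113.7 erin FAIL
2024-11-29T09:00:05 203.0.113.7 frank FAIL
2024-11-29T09:00:06 203.0.113.7 grace FAIL
2024-11-29T09:00:07 203.0.113.7 heidi FAIL
2024-11-29T09:01:10 198.51.100.23 alice FAIL
2024-11-29T09:01:25 198.51.100.23 alice FAIL
2024-11-29T09:01:40 198.51.100.23 alice OK
2024-11-29T09:02:00 192.0.2.5 ivan OK
2024-11-29T09:02:30 192.0.2.5 judy OK
2024-11-29T09:03:00 192.0.2.5 mallory OK
"""


def parse_log(text):
    """Parse log lines into (timestamp, ip, user, success) tuples, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, outcome = line.split()
        events.append((datetime.fromisoformat(ts), ip, user, outcome == "OK"))
    return sorted(events)


def detect_credential_stuffing(log_text, window=timedelta(minutes=5),
                               min_distinct_users=5, max_success_ratio=0.25):
    """Flag source IPs that, within any `window`, tried at least
    `min_distinct_users` different accounts with a success ratio at or below
    `max_success_ratio`. Thresholds are assumed defaults, not measured values.
    Returns {ip: report} where report lists the accounts that were breached."""
    by_ip = defaultdict(list)
    for ts, ip, user, ok in parse_log(log_text):
        by_ip[ip].append((ts, user, ok))

    findings = {}
    for ip, attempts in by_ip.items():
        start = 0
        for end in range(len(attempts)):
            # Slide the window start forward so attempts[start:end+1] spans
            # no more than `window`.
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            burst = attempts[start:end + 1]
            users = {u for _, u, _ in burst}
            if len(users) < min_distinct_users:
                continue  # one account retrying is not stuffing
            successes = [u for _, u, ok in burst if ok]
            ratio = len(successes) / len(burst)
            if ratio > max_success_ratio:
                continue  # shared NAT with real users mostly logging in fine
            prev = findings.get(ip)
            if prev is None or len(burst) > prev["attempts"]:
                findings[ip] = {
                    "attempts": len(burst),
                    "distinct_users": len(users),
                    "success_ratio": round(ratio, 3),
                    "compromised": sorted(set(successes)),
                }
    return findings


if __name__ == "__main__":
    for ip, report in detect_credential_stuffing(SAMPLE_LOG).items():
        print(f"{ip}: {report['attempts']} attempts across "
              f"{report['distinct_users']} accounts, "
              f"success ratio {report['success_ratio']}; "
              f"force password reset for {report['compromised']}")
```

On the sample data only 203.0.113.7 is flagged, and the report names `dave` as the one account whose reused password worked, which is the list to push into a forced-reset queue. The customer who failed twice and then logged in, and the office address with three successful logins, both pass untouched. Real stuffing campaigns are usually spread across thousands of proxy addresses to stay under per-IP thresholds, so a production version should also look at the attack from the account side (many failures against many accounts from many sources in one window) and at global failure rate, not just per-source bursts.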
A complicated digital landscape
Phil Swain, chief information security officer at Extreme Networks, points to the growing complexity of the digital landscape as a contributing factor. “A decade ago, cyber threats were often opportunistic”, he says. “Today, they’ve evolved into more organised efforts that increasingly target the vast digital environments retailers operate, from e-commerce platforms and mobile apps to Point of Sale (PoS) systems and public Wi-Fi.”
Retailers are increasingly turning to AI-driven defences to identify anomalies and detect threats in real time, not least because cybercriminals are now using AI themselves to craft more convincing phishing messages and to find vulnerabilities faster. Swain explains how the technology can work in a retailer’s favour. He notes that AI plays a “vital supporting role” by analysing patterns, detecting anomalies, and automating tasks such as vulnerability prioritisation and patch deployment. This includes proactive anomaly detection that lets retailers address security threats before they escalate: identifying vulnerabilities, detecting malicious activity, and responding to incidents in real time, “even with lean IT teams”.
Building a cyber-resilient culture
But protecting against cyber threats isn’t only about deploying the latest technology. Culture, strategy, and awareness all play vital roles in building cyber resilience. It starts with understanding the business’s digital ecosystem and identifying every point of potential vulnerability, including third-party suppliers.
Yunussov notes the importance of broad, ongoing evaluation: “Retailers should firstly understand that cybersecurity is not a one-off activity, but an ongoing process. As a first step, they should conduct a comprehensive risk assessment to identify any vulnerabilities across their ecosystems – and crucially, this needs to include any third-party members.”
The human element is perhaps the most overlooked aspect of cybersecurity. Employees are frequently the first line of defence, yet they can also be the weakest link if not adequately trained. Phishing attacks often rely on social engineering to trick staff into clicking malicious links or revealing credentials. According to Yunussov: “Retailers also should not overlook the importance of employee training. Employees are one of the strongest links when it comes to preventing cyber security incidents, and making sure all staff understand how to potentially detect and report an attack is key.”
Long-term damage and hidden costs
The fallout from an attack extends well beyond immediate disruption. Loss of customer trust can cripple a brand’s relationship with its consumer base. Swain observes: “Retail is a loyalty-driven industry – one breach involving payment or personal data can unravel years of brand equity.”
Abrahams echoes this sentiment, adding: “The long-term impact of a cyberattack on a retailer can be severe and far-reaching. These include a significant loss of customer trust and loyalty, lasting damage to brand reputation, potential regulatory penalties such as GDPR fines, and substantial revenue loss due to operational disruptions.”
Reputational damage is just one facet. There are also hidden operational costs that companies often underestimate. From legal fees and regulatory compliance to system upgrades and delayed transformation initiatives, the total expense can be staggering.
Yunussov explains: “Businesses will need to front several direct costs, such as system repairs, data recovery as well as costs to mitigate the disruption of day to day business operations, lost sales and delayed order fulfilment. On top of this, they may need to pay for regulatory compliance and legal services especially if they have to navigate complex laws and manage regulatory investigations and potential lawsuits following an attack.”
Swain reinforces this point, highlighting the productivity toll: “What often gets missed is the productivity loss when teams are pulled into crisis mode. IT departments and executives are forced to shift focus from innovation to incident response.”
The integration of third-party tools, platforms, and suppliers presents yet another layer of complexity. Many retailers rely on a constellation of partners – each of which can introduce risk if not properly secured. Swain notes: “As new technologies are layered into the retail experience, from AI-powered personalisation to IoT-driven inventory and smart store automation, retailers must prioritise strengthening their security posture and maintaining consistent, scalable security across an expanding digital landscape.”
How can retailers better protect themselves?
In response to these challenges, forward-thinking retailers are shifting away from fragmented security solutions and embracing platformisation where security, networking, and automation are consolidated into a single, intelligent framework.
Swain explains that the “most effective path forward lies in platformisation – the consolidation of networking, security, and automation, into a unified, scalable framework”. Rather than managing a patchwork of point solutions, he says that retailers and their IT teams should “embrace platforms” that integrate key capabilities such as Zero Trust Network Access (ZTNA) and AI-powered threat detection.
Cybersecurity insurance is also becoming an important piece of the puzzle. While it cannot prevent an attack, it can mitigate the financial impact. Yunussov advises: “Given the rising frequency and cost of attacks, investing in cybersecurity insurance is becoming essential. It provides retailers with a critical safety net, covering a range of expenses that they may be liable for.”
Looking ahead, the threats are only expected to intensify. “Threats are evolving rapidly, especially those leveraging AI,” Yunussov concludes. “AI integration is growing among retailers, as they seek to improve personalisation, and as a result attackers are finding new ways to gain unauthorised access to systems and disrupt operations.”
Swain meanwhile predicts that complexity itself will be the biggest challenge: “Over the next few years, the biggest cybersecurity challenge for retailers will be managing the growing complexity and interconnectedness of their digital ecosystems while staying ahead of evolving security threats,” he warns.
In addition, as the threat landscape continues to shift, the role of the CEO becomes increasingly vital in shaping an organisation’s cyber readiness. Swain concludes: “Make cybersecurity a boardroom conversation. As a CEO, your ability to innovate, build customer loyalty, and protect shareholder value all depend on the strength of your digital infrastructure, which has security best practices built into its core.”
“Treat cybersecurity as a core business priority – not just an IT issue,” agrees Yunussov. “It should be embedded into a business’ strategic planning at the highest level.”