Amber Strickland
Principal Associate
With huge growth in e-commerce in recent years, and with the number and type of digital touchpoints and digital services offered to consumers growing, the need for a robust cybersecurity risk management strategy remains critical in the retail sector.
UK online sales accounted for 27% of total retail sales in 2024[1] and this is projected to increase in 2025, reflecting the continued shift towards digital shopping platforms. In parallel with that, 34% of UK retailers identify cyber and data risks as their biggest threats, with 70% ranking them in their top three risks.[2] Indeed, cyberattacks, fraud and data leaks cost the retail sector £11 billion in 2023.[3]
Digital transformation in retail continues at pace. Modern customers choose to browse, explore a brand and complete purchases both online and offline very fluidly. A harmonised omnichannel presence brings customer satisfaction, brand loyalty and increased sales.
Retailers are also leveraging tech and data for operational purposes: to forecast consumer trends using data analytics; to enhance customer engagement through digital platforms; to automate processes; to collaborate with partners to share data insights; for real-time monitoring of supply chain operations; and for AI-powered pricing and marketing strategies.
Technologies include chatbots, e-commerce platforms, smart shelves, mobile applications, voice-assisted shopping, AI assistants and contactless payments. In addition to cyber vulnerability arising from accelerated new tech adoption, brick-and-mortar stores with staff, cashiers and physical point-of-sale (POS) systems present further vulnerability hotspots.
Payments processed via geographically distributed financial networks or via cross-border distributed payment infrastructures throw up yet more modern data security challenges.
While larger retailers take confidence from investment in technology to safeguard operations, security teams remain vigilant in the face of ever-evolving cybersecurity threats. This is especially the case as AI continues to optimise not only threat detection but also vulnerability detection, which cyberattackers exploit to increase the sophistication of their attacks. Smaller retailers, where there is less resource, where outdated or unpatched software is relied on, or where only basic security tools are deployed, will be highly vulnerable to cyberattacks.
Most significantly from a cyber resilience perspective, whether a retailer is large or small, with the newest tech solutions or none, it is often simply human error at the root of a cyber incident.
The boxes below highlight the key areas of cyber risk for retailers, with key mitigation areas for improving cyber crisis management processes explored:
Where users are tricked into divulging sensitive information or passwords. Phishing is the most common form, where customers or staff open malicious links or files that look like they are from a reputable source. Social engineering can lead to ransomware and other attacks.
Human mistakes are a leading factor in cybersecurity breaches. Retailers should ensure workforce training is regular and up to date. It should cover learning about the range of cyber incidents that can arise and include steps to limit human error and technological issues. Employees at all levels of the company should know how to spot a phishing attack or malware. Do your suppliers do the same?
Strong cyber resilience ensures a retailer's ability to protect from, respond to and recover from a cyber incident or data breach. For legal advice on improving cyber resilience, and/or data or cyber incident response, please contact Amber Strickland or Patrick Arben.
With thanks to Millie Ecob, Solicitor Apprentice, for her contribution to this article.
[1] According to the UK Office for National Statistics: "Internet sales as a percentage of total retail sales (ratio) (%)", Office for National Statistics.
[2] According to research by Barclays Corporate Banking and Retail Economics, published in Retail Week, July 2024.
[3] According to Adyen and the Centre for Economics and Business Research, April 2024.
NOT LEGAL ADVICE. Information made available on this website in any form is for information purposes only. It is not, and should not be taken as, legal advice. You should not rely on, or take or fail to take any action based upon this information. Never disregard professional legal advice or delay in seeking legal advice because of something you have read on this website. Gowling WLG professionals will be pleased to discuss resolutions to specific legal concerns you may have.