By Billy Ruston
Retailers are under pressure to strengthen cyber resilience as attacks increasingly disrupt operations. Billy Ruston explores how recent incidents reveal widespread gaps in preparedness. He argues that robust business continuity planning, staff training, and effective crisis communication are essential to minimise operational downtime and protect reputations in today’s threat landscape.
The chaos that recently engulfed several British retailers after they were hit by cyberattacks has underlined the critical importance of well-rehearsed business continuity plans in mitigating the operational and reputational impacts when IT systems are compromised or disabled by hackers.
UK retailers should treat the attacks as a prompt to strengthen resilience. In the aftermath, they should review their business continuity arrangements and ask when those plans were last practised, whether staff are fully aware of what the plans require of them, and whether messaging to staff, customers and the media during a hacker-induced operational crisis needs reassessing.
Over the last few years, the sustained cost pressures experienced by the industry have prompted significant numbers of the larger retailers to outsource elements of their IT security – a move that transfers, rather than terminates, risk – and to adopt cloud-based disaster recovery solutions. These systems are designed to maintain business continuity by allowing staff to access critical applications during emergencies.
However, attackers are increasingly bypassing technical defences through social engineering, manipulating staff into granting access to systems. Threat actors can often remain undetected for extended periods – known as dwell time – which gives them the opportunity to compromise both the IT security and the disaster recovery solutions, rendering both ineffective. Once an incident is discovered, organisations then face prolonged periods of operational downtime and crisis management while cybersecurity experts determine the extent of the damage.
Most big retailers will have business continuity plans in place to support their response to cyber-related disruption, but there has been a tendency amongst some to focus too much on head office departments such as purchasing, finance, quality control and other corporate functions, with less emphasis on, and less practical knowledge of, store-level operations. Additionally, when crisis management decisions are made during an incident, flagship branches are generally prioritised over local ones, which can leave the latter functioning much less effectively when IT systems go down.
Another potential problem is delegation. While head office sets out strategic plans for dealing with crises and governs the overarching security strategy, it may not take responsibility for writing and maintaining localised operational business continuity plans. That tends to be the remit of regional managers in charge of the shops in their locales, who are expected to work with store managers and team leaders to ensure that they have resilience plans in place and are capable of implementing them.
However, those delegated the task of developing and implementing business continuity workarounds for store environments may have neither the requisite expertise nor the time to focus on individual outlets. In the worst case, head office might mistakenly assume that business continuity is being handled by the regional teams, and vice versa, so that practical resilience preparation doesn’t get done at all.
To avoid such situations, the senior executives who are ultimately accountable for security and resilience should agree and formalise corporate expectations: policy documents setting out what every branch needs to have in place for cyber resilience in terms of business continuity and incident response plans, how frequently exercises should be run to validate those plans, and how head office and corporate functions will support them.
Once these are determined, executives need to establish how the expectations will work in practice, since not all branches are the same – flagship stores will have different processes to smaller, local ones. They must also ensure that the roles and responsibilities defining what is managed at corporate level and what at regional level, in terms of preparedness for a cyber incident, are documented and agreed by all concerned, so that there is consistency across branches nationwide.
After these decisions have been made, a system of governance is needed to certify that everyone in the company is complying with the requirements. That should be a head office function, with a team based there monitoring the compliance of stores. Everyone from branch team leaders upwards should have training in business continuity and understand their roles, in particular ensuring that their subordinates are prepared to work independently of company IT systems.
Whether at flagship or local branches, operational staff will have to be trained in pen-and-paper processes (as the name suggests, doing everything manually) and other workarounds, which will be largely determined by the nature of their business, its demands and its interface with suppliers and customers.
There may be any number of workarounds depending on operational requirements. They might include leveraging Power BI and Power Apps, with staff turning to Microsoft Teams to undertake many of the tasks that would ordinarily be done on their IT system; getting suppliers to deliver goods proactively rather than waiting for orders, especially in non-perishable sectors; prioritising stock levels at flagship stores over local ones; and addressing potential staff concerns, including ensuring that emergency shifts worked during a crisis period are properly recorded.
Just as importantly, time should be invested in putting in place a robust crisis communication plan to keep customers and the media informed about the level of disruption and progress in resolving it. All companies are vulnerable to cyberattacks, no matter how robust their defences, but they can mitigate operational and reputational risks through resilience measures, and a significant part of that is good, transparent communication.
Communications teams should prepare media statements that address the various disruption scenarios a company might face should its systems be compromised or disabled. Of course, you can’t script for every eventuality, but putting thought into how messaging is framed and what information needs to be disclosed is essential to appearing credible when a crisis breaks. Situational awareness is also key to identifying when a response strategy and its associated messaging need to change to address issues that emerge during the containment phase of a cyberattack, such as confirmation that customer data has been lost.
At the same time, the narratives developed for the media should be communicated to store staff in the form of talking points, so that they know exactly what to tell customers in what will often be challenging times on the shop floor. Branch employees are a critical interface with the public, so they need to be as well informed as journalists about operational impact and recovery timescales; otherwise there is a risk of uninformed comments turning into misinformation, which may then be amplified, particularly online.
Yet for workarounds and crisis communication strategies alike, preparation doesn’t end with their formulation. Regular exercises simulating the response to cyber incidents have to be carried out so that staff know their roles and responsibilities. Resilience plans might tick all the boxes, but they need to be tested and validated, and to become sufficiently familiar to those tasked with implementing them. With growing hacker ingenuity, even the most expensive cyber defences can be breached, but good, well-thought-out preparation for potential disruption can save companies millions of pounds by averting severe operational and reputational consequences.
About the Author
Billy Ruston is a Resilience Consultant at Protection Group International. He is a passionate advocate of resilience and has over a decade of experience supporting government and private sector organisations with their cyber incident preparedness at all levels. Billy is an internationally recognised exercise facilitator, and is actively engaged in building national resilience capabilities around the world.