Retailers are not having an easy time. The June 2025 report from the CBI reveals that retail sales fell for the ninth consecutive month and are expected to continue their rapid decline throughout July.
There was a thin sliver of light, as online retail sales volumes grew slightly and are predicted to rise again next month. However, these increases are small by comparison with the drop in overall sales, mainly because of ongoing consumer caution in the face of cost-of-living increases.
Consumer confidence won’t have been helped by two major retail hacks in 2025. In April, department store Marks and Spencer (M&S) was the victim of a cyber attack, which had a wide-ranging and damaging fallout. The store was initially unable to process contactless payments or click and collect orders in shops and had to pause online and app orders for weeks after the attack.
On top of the reputational damage associated with having to admit to customers that the business – and potentially their own sensitive data – has been breached, there was a significant financial hit too. M&S estimates the hack will make a £300m dent in profits, while it saw more than £1bn wiped off its market value in the wake of the attack.
Supermarket chain the Co-op also hit the headlines in April after it suffered a similar cyber attack, which again saw customer data stolen, store shelves left bare and a financial hit estimated in the hundreds of millions.
The attacks highlighted how vulnerable retailers can be to hackers, and how even the biggest names on the high street don’t have adequate processes in place to respond to and recover from incidents quickly. This means pausing trading and taking large financial hits.
Disruption prevention
The combination of the continued downturn in sales and determined hacking groups shows the need for retailers to work harder to build resilient systems. These systems need not only to be harder to break into, to prevent cyber attacks, but also to have processes in place that make it easier to recover from incidents, whether a hack, supply chain disruption or downtime associated with system migrations.
The retail industry is learning very quickly from recent events, according to Claire Wallis, consumer goods and retail director at management consultancy BearingPoint. Digital resilience is becoming a key priority, with a growing realisation that ensuring all critical systems – point of sale, payment, e-commerce platforms – have robust backup coverage is essential.
“These need to be tested constantly and updated given the scale of change and knowledge growth from the cyber criminals,” Wallis adds.
With the phase-out of third-party cookies and growing ownership of first-party data, retailers are becoming prime targets for cyber attacks, due to the high volume of customer and financial transaction data they’re now storing.
“Data privacy tools to protect customer data are a must, with investment in the right tools to prevent data loss,” says Wallis. “The impact on customer confidence is huge if data is accessed, as we have seen many succumb to this year.”
Insurance coverage coverage
While retailers can take the additional step of buying specialist insurance against cyber attacks, this isn’t prevalent. A 2024 survey from NFU Mutual reveals that only 11% had taken out cyber insurance in the previous 12 months, despite 53% of retailers saying they had fallen victim to cyber crime.
Cyber insurance should be considered by more retailers as it offers a vital safety net for those organisations that are firmly in the sights of dangerous cyber criminals constantly evolving their tactics.
“Insured [retailers] have access to a team of cyber security experts, lawyers, forensics and communications specialists who can provide expert counsel to guide them through what is often the worst day of their professional lives,” says Luke Fardell, cyber security specialist at insurer Tokio Marine Kiln.
“In an increasingly volatile cyber threat landscape, there is growing emphasis on horizon scanning and helping the insured stay on top of emerging threats. When it comes to cyber risk, prevention is better than the cure.”
Due diligence
Supply chains are major weak spots for retailers, and none more so than in the fashion sector, where they’re under immense pressure to stay agile and responsive in a world of unpredictable delays.
More brands are prioritising operational resilience as a result, with many moving towards more connected, real-time operating models such as cloud-based enterprise resource planning (ERP) and intelligent planning platforms. The aim is to unify suppliers, logistics and inventory into a single digital view.
“This approach breaks down silos and surfaces early warnings, including flagging late shipments, material shortages and demand spikes, so teams can reroute production or shift sourcing in real time,” says Helene Behrenfeldt, industry solutions director of fashion at Infor. “We’re also seeing process mining gaining traction, which uses system data to map and analyse how work actually happens, helping to flag issues earlier and trigger automated responses through AI.”
Shadow IT along the supply chain is another challenge retailers face. This is where IT hardware, software or services are adopted by third-party suppliers without approval, meaning the appropriate risk assessment and due diligence never take place.
“There are common failures in undertaking due diligence in relation to suppliers when onboarding them, as well as failures to monitor and enforce security requirements that suppliers should be putting in place,” says Kristina Holt, managing associate at law firm Foot Anstey.
“Conducting due diligence on suppliers that will process personal data on businesses’ behalf is an oft-overlooked obligation under the UK GDPR, and one which we anticipate will get focus now that the complexity, and therefore risk, associated with supply chains is greater.”
Building resilience into supply chains can feel like an overwhelming project because of the complexity of managing not only their own risk, but that of every partner and supplier. A sensible way to approach this mammoth task is to start with a focus on the key systems that are integral to operations, protecting these first and then moving on to other systems, Holt advises.
An important step to supply chain resilience and future-proofing operations is good governance. This involves ensuring all technology and services used are subject to approvals, with due diligence a core element of any implementation.
“Following this, appropriate requirements should be placed on suppliers in contracts,” says Holt. “These requirements should be subject to ongoing due diligence to ensure that they are being implemented effectively. This will involve strong levels of coordination internally between procurement, legal, technical and operational teams, and externally with suppliers.”
Establishing a coordinated response team to deal with issues as they arise and ensure business continuity is another must, and this team should always include legal, IT and comms.
“People are also crucial in safeguarding against and spotting attacks,” Holt says. “It’s of critical importance to engage and educate employees not only to prevent attacks from happening but also to allow for an efficient response should an attack occur.”
It’s essential that adequate cyber security standards are applied right along the supply chain, and not only in the retail business itself. This can be difficult to manage, particularly with lower-tier suppliers that are less visible.
Wallis says: “Risk assessments need to be carried out with end-to-end supply-chain mapping in place to identify any weaknesses.”
Based on Wallis’ experience, the required technology investment in many retailers is now increasing, with many looking to implement just-in-time systems, and other mobile and internet of things (IoT) devices, in their stores and warehouses to provide an extra level of security.
But it’s not always easy to implement good security habits. Multi-factor authentication (MFA), for example, has quickly become a necessity to add a layer of protection against breaches.
“But many are seeing it as a hindrance, preferring to omit it and share accounts among numerous staff on shift rotations for ease,” Fardell says. “Password reset and MFA enrolment processes outsourced to third-party IT suppliers need to be dialled back to a state of zero trust, whereby no assumptions are made about the identity of the user. Suppliers must be able to confirm the account holder’s identity from records stored outside of the domains before actioning any changes.”
Migration complications
Another challenge for retailers is migrating from one technology system to another. Migrations come with many potential pitfalls, including unplanned system downtime leading to lost trading, and the new system not working as expected, leading to rebuilds and delays. The challenge is to modernise legacy systems and processes without compromising ongoing operations, customer experience or margins.
To ensure continuity and avoid downtime during migrations, retailers should avoid over-reliance on a single SaaS or cloud provider and put in place a systems architecture that can switch to a backup if needed.
“Outages with a single provider can completely halt a business operation, as well as [introducing] a single point of failure,” Wallis says.
More importantly, all businesses need a live disaster recovery plan, as things are forever changing, with Wallis adding: “I have often seen this plan developed and then it sits in the bottom drawer, only to be brought into action when it’s too late.”
While brands understand the need to modernise, IT overhauls can introduce risks including potential data loss, or spiralling costs if the wrong platform for industry-specific needs is chosen.
“With economic pressures and customer expectations constantly rising, we are now seeing more brands succeeding with a smarter, lower-risk approach,” says Behrenfeldt. “This involves using modular, cloud-first platforms that allow them to transform key business functions, like inventory tracking or pricing, without halting operations.”
This phased strategy lets retailers maintain a strong customer experience and protect margins, while unlocking longer-term efficiencies, all with limited downtime.
“Integration layers and low-code configuration tools are also making it easier to connect legacy systems to modern capabilities,” Behrenfeldt adds.
The situation for retailers is unlikely to improve suddenly any time soon. There’s no predicted upturn in sales on the near horizon; hackers are enjoying their successes against big-name retail brands; global and economic instability continues to cause supply chain disruptions; and organisations still running legacy systems need to migrate to more modern platforms. By following the advice above, retailers can build a business resilient enough to overcome these multiple challenges.