Threat actors are actively targeting the retail sector’s systemic weaknesses.
Recent cybersecurity breaches across some of the biggest names in UK retail continue to make huge headlines. In recent weeks, M&S, the Co-op and Harrods have all been targeted, with a report in the FT putting the likely insurance claim from M&S alone at around £100 million.
These incidents aren’t isolated; they reflect a broader trend of increasing pressure on retail cybersecurity, where threat actors are actively targeting the sector’s systemic weaknesses.
In the case of Co-op, according to the BBC, the company “narrowly averted being locked out of its computer systems” by taking its own networks offline before hackers could fully breach its perimeter.
On May 1st, Harrods confirmed it had also been targeted but that, by restricting internet access, it had been able to keep its stores and online shopping services open. Fast forward two weeks to mid-May, and the attacks have also targeted stores in the US, underlining the scale and ambition of the campaign.
What’s especially concerning is how easily these attacks can be carried out. In many situations, there’s nothing particularly advanced or high-tech about the tactics being employed by threat actors, who typically rely on phishing, social engineering and MFA fatigue to gain access. In effect, they’re not breaking in, they’re logging in, and it’s a strategy that relies less on exploiting software vulnerabilities and more on taking advantage of human behaviour.
As a result, cyber insurance premiums are expected to rise by 10 percent across the retail sector, according to the FT, highlighting the financial impact of attacks that exploit human behaviour.
If the recent sector-specific statement from the NCSC is anything to go by, there is clearly a feeling that retailers need to focus more directly on preparation and resilience. Specifically, they are advised to review their help desk password reset processes to prevent impersonation attempts, enable two-step verification across systems and actively monitor for suspicious activity.
Crucially, they are also urged to ensure incident response plans are in place and regularly tested, so teams are ready to act quickly if a breach occurs.
Sector-Specific Challenges
Part of the problem for retailers is that they are particularly exposed to these kinds of risks and vulnerabilities. Large workforces, high staff turnover, third-party dependencies and a constant need for uptime all combine to create an environment that’s difficult to defend.
Add to that the value of the data retailers hold, such as payment details, personally identifiable information and transaction histories, and it’s clear why the sector has become such a big target.
Attackers also view the data they steal as a long-term asset, operating a “harvest now, decrypt later” approach whereby they exfiltrate encrypted data today in the hope of cracking it with more powerful tools (such as quantum or AI-enhanced decryption) at some point down the line.
As M&S are all too aware, breaches have a major financial, reputational and operational impact. The attack first came to light over the Easter weekend, and a month later the company is still recovering, having confirmed that some customer data was stolen and with one estimate putting the cost of lost sales at £43 million a week.
Looking more broadly at the sector as a whole, for many retailers, the real challenge lies in overcoming outdated assumptions about trust and access. Too often, businesses still operate in the belief that anything inside the network is safe.
With attackers using legitimate credentials to move laterally across systems, that perimeter-focused model no longer holds up. The priority has to shift from building bigger walls to strengthening internal resilience.
That means assuming breaches will happen and investing in the ability to detect, contain and recover quickly. It marks a shift from cyber protection to cyber resilience, focusing not just on keeping attackers out but on limiting their impact when they get in.
From user awareness training and real-time monitoring to network segmentation and integrated response tools, the goal is to reduce the window of opportunity at every stage. Zero trust architectures reinforce this by removing implicit trust, continuously verifying identity and context, and enforcing least-privilege access to limit how far an attacker can move, even if they do gain access.
Groundhog Day
The NCSC advice represents an essential baseline for delivering better protection and resilience. To go further, however, retailers need a better understanding of where their data resides, who has access and how attackers might exploit not just systems, but also people, internal processes and their wider supply chain.
They also need real-time insight into login activity, privilege changes and behavioural anomalies to spot threats before they escalate. This must be supported by regular testing, from phishing simulations to red-team exercises, so teams can identify weaknesses and build the muscle memory needed to respond effectively.
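As an added illustration of the login monitoring described above (not code from the author or Node4), the following sketch flags the MFA fatigue pattern mentioned earlier: a burst of unapproved push prompts for one user, escalated when an approval follows. The event layout, the five-minute window, the threshold of three and the user names are all assumptions made for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events (timestamp, user, push result). The field layout
# is an assumption, not any identity provider's real log schema.
SAMPLE_EVENTS = [
    ("2025-01-15T02:10:05", "j.smith", "denied"),
    ("2025-01-15T02:10:40", "j.smith", "timeout"),
    ("2025-01-15T02:11:15", "j.smith", "denied"),
    ("2025-01-15T02:12:02", "j.smith", "denied"),
    ("2025-01-15T02:12:30", "j.smith", "approved"),
    ("2025-01-15T09:00:00", "a.jones", "denied"),
    ("2025-01-15T09:00:20", "a.jones", "approved"),
    ("2025-01-15T11:00:00", "k.patel", "timeout"),
    ("2025-01-15T11:01:00", "k.patel", "timeout"),
    ("2025-01-15T11:02:00", "k.patel", "denied"),
]

def detect_mfa_fatigue(events, window=timedelta(minutes=5), threshold=3):
    """Return alerts for users who receive `threshold` or more unapproved push
    prompts inside `window`. Severity is 'high' when an approval follows the
    burst (the user may have given in), otherwise 'medium'."""
    recent = defaultdict(deque)  # user -> timestamps of recent unapproved prompts
    alerts = {}
    for ts_text, user, result in sorted(events):  # ISO timestamps sort in time order
        ts = datetime.fromisoformat(ts_text)
        failures = recent[user]
        while failures and ts - failures[0] > window:
            failures.popleft()  # drop prompts that fell out of the window
        if result in ("denied", "timeout"):
            failures.append(ts)
            if len(failures) >= threshold:
                alert = alerts.setdefault(user, {"severity": "medium", "prompts": 0})
                alert["prompts"] = max(alert["prompts"], len(failures))
        elif result == "approved":
            if len(failures) >= threshold:
                alerts[user] = {"severity": "high", "prompts": len(failures)}
            failures.clear()  # any approval ends the current burst
    return alerts

if __name__ == "__main__":
    for user, alert in detect_mfa_fatigue(SAMPLE_EVENTS).items():
        print(user, alert)
```

A single denied prompt followed by an approval, as for the constructed user a.jones, stays below the threshold and raises nothing, which keeps ordinary mis-taps out of the alert queue.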
Training and testing also need to evolve. One-off eLearning isn’t enough, and staff need relevant, scenario-based guidance that reflects real-world risks and prompts better decision-making in the moment. Crucially, this must be backed by a clear and frequently tested response plan, so when something goes wrong, every team knows their role and recovery can begin immediately.
Over time, the likes of M&S will recover – but unless a concerted, sector-wide effort is made, retail is likely to face more Groundhog Day security situations in the future. Breaking that cycle requires more than technical fixes. It demands strategic oversight, with security recognised as a board-level priority that directly impacts brand, operations and the bottom line.
Written by
Glenn Akester
Technology Director for Cyber Security & Networks
Node4