Retailers are not having an easy time. The June 2025 report from the CBI reveals that retail sales fell for the ninth consecutive month and are expected to continue their rapid decline throughout July.
There was a thin sliver of light, as online retail sales volumes grew slightly and are predicted to rise again next month. However, these increases are small by comparison with the drop in overall sales, mainly due to ongoing consumer caution in the face of cost-of-living increases.
Consumer confidence won’t have been helped by two major retail hacks in 2025. In April, department store Marks and Spencer (M&S) was the victim of a cyber attack, which had a wide-ranging and damaging fallout. The store was initially unable to process contactless payments or click and collect orders in stores and had to pause online and app orders for weeks after the attack.
On top of the reputational damage associated with having to admit to customers that the business – and possibly their own sensitive data – has been breached, there was a significant financial hit too. M&S estimates the hack will make a £300m dent in earnings, while it saw more than £1bn wiped off its market value in the wake of the attack.
Supermarket chain the Co-op also hit the headlines in April after it suffered a similar cyber attack, which again saw customer data stolen, store shelves left bare and a financial hit estimated in the hundreds of millions.
The attacks highlighted how vulnerable retailers can be to hackers, and how even the biggest names on the high street don’t have adequate processes in place to respond to and recover from incidents quickly. This means pausing trading and taking large financial hits.
Disruption prevention
The combination of the ongoing downturn in sales along with determined hacking groups shows the need for retailers to work harder to build resilient systems. These systems need to not only be more difficult to break into to prevent cyber attacks, but also have processes in place that make it easier to recover from incidents, whether a hack, supply chain disruption or downtime associated with system migrations.
The retail industry is learning very quickly from recent events, according to Claire Wallis, consumer goods and retail director at management consultancy BearingPoint. Digital resilience is becoming a key priority, with a growing realisation that ensuring all critical systems – point of sale, payment, e-commerce platforms – have robust backup coverage is essential.
“These must be tested frequently and updated given the scale of change and knowledge growth from the cyber criminals,” Wallis adds.
With the phase-out of third-party cookies and rising ownership of first-party data, retailers are becoming prime targets for cyber attacks, due to the high volume of customer and financial transaction data they’re now storing.
“Data privacy tools to protect customer data are a must with investment in the right tools to prevent data loss,” says Wallis. “The impact on customer confidence is vast if data is accessed as we have seen many succumb to this year.”
Insurance policy
While retailers can take an additional step of purchasing specialist insurance against cyber attacks, this isn’t prevalent. A 2024 survey from NFU Mutual shows that only 11% had taken out cyber insurance in the previous 12 months despite 53% of retailers saying they had fallen victim to cyber crime.
Cyber insurance should be considered by more retailers as it offers a crucial safety net for these organisations that are firmly in the sights of dangerous cyber criminals continually evolving their tactics.
“Insured [retailers] have access to a team of cyber security experts, lawyers, forensics and communications specialists who can provide expert counsel to guide them through what is often the worst day of their professional lives,” says Luke Fardell, cyber security specialist at insurer Tokio Marine Kiln.
“In an increasingly volatile cyber threat landscape, there is growing emphasis on horizon scanning and helping the insured stay on top of emerging threats. When it comes to cyber risk, prevention is better than the cure.”
Due diligence
Supply chains are major weak spots for retailers, and none more so than the fashion sector, where they’re under immense pressure to stay agile and responsive in a world of unpredictable delays.
More brands are prioritising operational resilience as a result, with many moving towards more connected, real-time operating models such as cloud-based enterprise resource planning (ERP) and intelligent planning platforms. The aim is to unify suppliers, logistics and inventory into a single digital view.
“This approach breaks down silos and it surfaces early warnings, including flagging late shipments, material shortages and demand spikes, so teams can reroute production or shift sourcing in real time,” says Helene Behrenfeldt, industry solutions director of fashion at Infor. “We’re also seeing process mining gaining traction, which uses system data to map and analyse how work actually happens, helping to flag issues earlier and trigger automated responses through AI.”
Shadow IT along the supply chain is another challenge retailers face. This is where IT hardware, software or services are adopted by third-party suppliers without approval, meaning the appropriate risk assessment and due diligence never takes place.
“There are widespread failures in undertaking due diligence in relation to suppliers when onboarding them, as well as failures to monitor and enforce security requirements that suppliers should be putting in place,” says Kristina Holt, managing associate at law firm Foot Anstey.
“Conducting due diligence on suppliers that will process personal data on businesses’ behalf is an oft-overlooked obligation under the UK GDPR, and one that we expect will get focus now that the complexity, and therefore risk, associated with supply chains is greater.”
Building resilience into supply chains can feel overwhelming for retailers, given the complexity of managing not only their own risk but that of every partner and supplier. A sensible way to approach this mammoth task is to start with the key systems that are integral to operations, protect these first and then move on to other systems, Holt advises.
The most important step towards supply chain resilience and future-proofing operations is good governance. This entails ensuring that all technology and services used are subject to approvals, and that due diligence is a core element of any implementation.
“Following this, appropriate requirements should be placed on providers in contracts,” says Holt. “These requirements should be subject to ongoing due diligence to ensure that they are being implemented effectively. This will involve strong levels of coordination internally between procurement, legal, technical and operational teams, and externally with suppliers.”
Establishing a coordinated response team to deal with arising issues and ensure business continuity is another must, and this team should always include legal, IT and comms.
“People are also crucial in safeguarding against and spotting attacks,” Holt says. “It’s of critical importance to engage and educate employees not only to prevent attacks from happening but to also allow for an efficient response should an attack occur.”
It’s vital that adequate cyber security standards are applied right along the supply chain, and not only in the retail business itself. This can be difficult to manage, particularly with lower tier suppliers that are less visible.
Wallis says: “Risk assessments must be carried out with supply-chain mapping end to end in place to identify any weaknesses.”
In Wallis’ experience, the necessary technology investment at many retailers is now rising, with many looking to implement just-in-time systems, as well as mobile and internet of things (IoT) devices, in their stores and warehouses to provide an extra level of protection.
But it’s not always easy to enforce good security habits. Multi-factor authentication (MFA), for example, has quickly become a necessity to add a layer of protection against breaches.
“But many are seeing it as a hindrance, preferring to omit it and share accounts among numerous staff on shift rotations for ease,” Fardell says. “Password reset and MFA enrolment processes outsourced to third-party IT providers need to be dialled back to a state of zero trust, whereby no assumptions are made about the identity of the user. Suppliers must be able to confirm the account holder’s identity from information stored outside of the domains before actioning any changes.”
Migration headaches
Another challenge for retailers is migrating from one technology system to another. Migrations come with many potential pitfalls, including unplanned system downtime leading to lost trading, and the new system not working as expected, leading to rebuilds and delays. The challenge is to modernise legacy systems and processes without compromising ongoing operations, customer experience or margins.
To ensure continuity and avoid downtime during migrations, retailers should avoid an over-reliance on a single SaaS or cloud provider and put in place systems architecture that can switch to backup if needed.
“Outages with a single provider can completely halt a business operation, as well as [introducing] a single point of failure,” Wallis says.
More importantly, all businesses need a live disaster recovery plan, as things are forever changing, with Wallis adding: “I’ve often seen this plan developed and then it sits in the bottom drawer, only to be brought into action when it’s too late.”
While brands understand the need to modernise, IT overhauls can introduce risks including potential data loss, or spiralling costs if the wrong platform for industry-specific needs is chosen.
“With economic pressures and customer expectations constantly rising, we are now seeing more brands succeeding with a smarter, lower-risk approach,” says Behrenfeldt. “This involves using modular, cloud-first platforms that let them transform key business functions, like inventory tracking or pricing, without halting operations.”
This phased method lets retailers maintain a strong customer experience and protects margins, while unlocking longer-term efficiencies, all with limited downtime.
“Integration layers and low-code configuration tools are also making it easier to connect legacy systems to modern capabilities,” Behrenfeldt adds.
The situation for retailers is unlikely to suddenly improve any time soon. There’s no predicted upturn in sales on the near horizon; hackers are enjoying their successes against big-name retail brands; global and economic instability continues to cause supply chain disruptions; and organisations still running legacy systems need to migrate to more modern platforms. By following the advice above, retailers can build a business resilient enough to overcome these multiple challenges.