Cybersecurity crisis: Retailers’ response during and after an attack

Dave McGrail, Head of Business Consultancy at Xalient, and Chris Woods, Founder and CEO at CyberQ Group, explore how retailers in the UK should react when facing a cybersecurity incident, both during the immediate aftermath and in the long term.

It won’t happen to me 

You have that unenviable sinking feeling when you suddenly realise you’ve been breached.  

Many organisations initially struggle to work out how their systems or data were compromised. There is often a frantic rush to contain the breach and assess the extent of the damage, and without clear information victims feel overwhelmed about what to do next. Where security measures were believed to be strong, the realisation of a breach can be deeply stressful and incredibly frustrating.

Stay vigilant for the early warning signs 

Attacks of this nature often start with subtle warning signs before the more obvious disruption gets underway. These include unexpected password changes, logins from unfamiliar locations or at odd hours, and new administrator accounts appearing without authorisation. Your website suddenly slows, or your apps and website suffer performance issues, crashes and erratic behaviour.

You notice important files being moved, deleted, renamed or encrypted without user intervention, a strong signal of ransomware. Unauthorised devices connect to the network and suspicious new user accounts gain access.
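The warning signs above are the kind of thing a detection rule can be written for. The following Python is added here as an illustration and is not code from the article or from Xalient or CyberQ. It runs five simple detectors over a constructed set of authentication and file-activity events: a login from outside a known-country baseline, the same account seen in two countries within an hour, a password change shortly after such a login, an admin account created by someone not sanctioned to do so, and a burst of renames to one new extension (the encryption pattern). The event layout, field names, the baseline and the thresholds are all assumptions.

```python
"""Early-warning triage over constructed authentication and file events.
Added example, not code from the article or from Xalient/CyberQ; the event
layout, field names, baseline and thresholds are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

KNOWN_COUNTRIES = {"GB"}               # assumed baseline: where staff normally sign in from
SANCTIONED_ADMINS = {"itadmin"}        # assumed: accounts allowed to create admin accounts
TRAVEL_WINDOW = timedelta(hours=1)     # two countries inside this window is suspicious
CHANGE_WINDOW = timedelta(minutes=30)  # password change this soon after an odd login
RENAME_THRESHOLD = 5                   # renames to one new extension by one user...
RENAME_WINDOW = timedelta(minutes=10)  # ...inside this window looks like encryption

# Constructed sample events, not a real log. ISO timestamps, one record per action.
EVENTS = [
    {"ts": "2024-05-01T02:05:00", "type": "login", "user": "itadmin", "country": "GB", "ok": True},
    {"ts": "2024-05-01T02:10:00", "type": "login", "user": "j.smith", "country": "GB", "ok": True},
    {"ts": "2024-05-01T02:14:00", "type": "login", "user": "j.smith", "country": "RU", "ok": True},
    {"ts": "2024-05-01T02:15:00", "type": "password_change", "user": "j.smith"},
    {"ts": "2024-05-01T02:20:00", "type": "account_created", "user": "svc_backup2",
     "actor": "j.smith", "admin": True},
    {"ts": "2024-05-01T02:22:00", "type": "file_rename", "user": "a.jones",
     "path": "/shares/hr/plan.docx", "new_ext": ".bak"},
] + [
    {"ts": f"2024-05-01T02:3{i}:00", "type": "file_rename", "user": "svc_backup2",
     "path": f"/shares/finance/report{i}.xlsx", "new_ext": ".locked"}
    for i in range(6)  # six renames in five minutes
]

def _ts(event):
    return datetime.fromisoformat(event["ts"])

def _alert(rule, user, detail):
    return {"rule": rule, "user": user, "detail": detail}

def detect_unfamiliar_logins(events):
    """Successful logins from a country outside the known baseline."""
    return [_alert("unfamiliar_login", e["user"], e["country"])
            for e in events
            if e["type"] == "login" and e["ok"] and e["country"] not in KNOWN_COUNTRIES]

def detect_impossible_travel(events):
    """Same account seen in two countries within TRAVEL_WINDOW."""
    alerts, last = [], {}  # last: user -> (time, country) of previous good login
    for e in sorted(events, key=_ts):
        if e["type"] != "login" or not e["ok"]:
            continue
        prev = last.get(e["user"])
        if prev and prev[1] != e["country"] and _ts(e) - prev[0] <= TRAVEL_WINDOW:
            alerts.append(_alert("impossible_travel", e["user"], f"{prev[1]}->{e['country']}"))
        last[e["user"]] = (_ts(e), e["country"])
    return alerts

def detect_password_change_after_unfamiliar_login(events):
    """Password changed within CHANGE_WINDOW of a login from an unfamiliar country."""
    ordered, alerts = sorted(events, key=_ts), []
    for e in ordered:
        if e["type"] != "password_change":
            continue
        odd = [x for x in ordered
               if x["type"] == "login" and x["ok"] and x["user"] == e["user"]
               and x["country"] not in KNOWN_COUNTRIES
               and timedelta(0) <= _ts(e) - _ts(x) <= CHANGE_WINDOW]
        if odd:
            alerts.append(_alert("password_change_after_unfamiliar_login",
                                 e["user"], odd[-1]["country"]))
    return alerts

def detect_rogue_admin_creation(events):
    """Admin accounts created by anyone outside the sanctioned list."""
    return [_alert("rogue_admin_created", e["user"], f"by {e['actor']}")
            for e in events
            if e["type"] == "account_created" and e.get("admin")
            and e["actor"] not in SANCTIONED_ADMINS]

def detect_mass_rename(events):
    """Burst of renames to one new extension by one user: a ransomware signal."""
    alerts, windows = [], defaultdict(list)  # (user, ext) -> timestamps in window
    for e in sorted(events, key=_ts):
        if e["type"] != "file_rename":
            continue
        times = windows[(e["user"], e["new_ext"])]
        times.append(_ts(e))
        while times[-1] - times[0] > RENAME_WINDOW:  # slide the window forward
            times.pop(0)
        if len(times) >= RENAME_THRESHOLD:
            alerts.append(_alert("mass_rename", e["user"], e["new_ext"]))
            times.clear()  # one alert per burst
    return alerts

def triage(events):
    """Run every detector and concatenate the alerts."""
    detectors = (detect_unfamiliar_logins, detect_impossible_travel,
                 detect_password_change_after_unfamiliar_login,
                 detect_rogue_admin_creation, detect_mass_rename)
    return [a for d in detectors for a in d(events)]
```

On the constructed events `triage(EVENTS)` raises exactly one alert per detector, all of them against the same pair of accounts, which is the chain a responder would want to see joined up rather than as five unrelated tickets. In production the baseline would come from the identity provider and the thresholds would be tuned against normal activity, but the structure (a small baseline, sliding windows, one rule per warning sign) carries over.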

Your worst fears have been confirmed as you face the fact, like many other retail businesses recently, you are under attack and your systems have been compromised. 

So, what happens next? 

Typically, when an attack happens, hackers will look to exploit any vulnerabilities to gain access to sensitive systems or data. They do this to steal confidential information and/or to encrypt files in ransomware attacks. Your systems may be shut down, your websites disabled, or transactions blocked.  

The attack may disrupt online orders, contactless payments, and your click-and-collect services for days, weeks or even months, which depending on the severity could have a huge impact on profits. 

Hackers may access personal customer data such as names, addresses, dates of birth, payment details or passwords. Operationally, you may need to pause online orders, stores may face empty shelves while IT systems are changed, and restoring services can take time.

Reporting breaches to the regulators and essential next steps 

Organisations experiencing a cyber incident may need to report it to the Information Commissioner’s Office (ICO), especially if personal data has been compromised. Under the UK GDPR, a personal data breach that is likely to result in a risk to individuals must be reported to the ICO without undue delay and within 72 hours of the organisation becoming aware of it; the clock starts at awareness, not at the end of the investigation, so an initial report followed by further detail is better than waiting. Where the breach is likely to result in a high risk to individuals, those affected must also be told without undue delay. Shorter deadlines exist in other regimes (communications service providers, for example, must notify the ICO of personal data breaches within 24 hours under PECR), but the 72-hour deadline is the one that applies to most retailers. 

Organisations should also consider reporting incidents to the National Cyber Security Centre (NCSC), which provides cybersecurity guidance. 

Cyberattacks, like the recent spate on the retail sector, highlight the growing need for businesses to bolster their defences against digital threats. There are several key steps retailers can take to protect themselves after a cyber incident, focusing on containment, investigation, and resilience-building: 

·    Immediate containment and incident response plan 

Organisations should immediately isolate affected systems to prevent further spread while identifying the attack vector and assessing the scope of the breach. They should implement a structured response strategy, including notifying relevant stakeholders and authorities as outlined above.  

·    Forensic investigation and threat analysis 

Following immediate containment, the security team must conduct a deep-dive forensic analysis to understand how the attack occurred, gathering as much evidence as possible for legal and compliance purposes. Preserve that evidence (disk images, memory captures and logs) before systems are rebuilt, then close the entry point: patch the exploited vulnerability and rotate any credentials, keys and session tokens the attacker may have obtained. Only then gradually restore systems from backups that are verified clean and pre-date the intrusion, so that the infection is not simply restored along with the data. 

·    Strengthening access controls 

Going forward, the organisation should implement multi-factor authentication (MFA) for employees and third-party vendors, use role-based access control to limit exposure to sensitive data, conduct regular audits of privileged accounts and strengthen identity and access management more broadly. Vendor and service accounts deserve particular attention, since they are frequently exempted from MFA and left with standing administrative rights. 

·    Invest in employee training 

Humans are often the weak link, so educating staff on social engineering tactics such as phishing and pretexting is vital. Regularly run cybersecurity drills to test responses to potential attacks, and develop clear protocols for reporting suspicious activity. 

·    Secure IT infrastructure and data

Where appropriate, apply zero-trust principles to minimise risk. Regularly update and patch software to close known vulnerabilities, encrypt sensitive customer data at rest and in transit so that a breach of storage does not expose it in the clear, and improve network defences, for example by segmenting store, payment and back-office systems from one another. 

·    Invest in long-term resilience and future prevention 

Conduct post-incident reviews to refine security strategies. Consider investing in AI-driven threat detection for proactive defence, strengthen supply chain security to mitigate third-party risks, and consider SASE (Secure Access Service Edge) solutions to future-proof the security infrastructure. 
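The privileged-account audit and role-based access review recommended under Strengthening access controls above can be automated against an export from the directory or identity provider. The following Python is an added example, not code from the article or from Xalient or CyberQ; the export format, the role names, the least-privilege matrix and the 90-day staleness threshold are assumptions. It flags three things per account: roles outside what the account holder's job function should carry, privileged roles held without MFA, and privileged accounts that have not been used for longer than the threshold.

```python
"""Privileged-account audit over a constructed directory export.
Added example, not code from the article or from Xalient/CyberQ; the export
layout, role names, least-privilege matrix and thresholds are assumptions."""
from datetime import datetime, timedelta

PRIVILEGED_ROLES = {"Global Admin", "Domain Admin", "Helpdesk Admin"}
ROLE_MATRIX = {  # assumed least-privilege matrix: job function -> roles it may hold
    "it": {"Global Admin", "Domain Admin"},
    "helpdesk": {"Helpdesk Admin"},
    "store": {"Store Manager", "Till Operator"},
    "vendor": {"Vendor Read Only"},
}
STALE_AFTER = timedelta(days=90)  # a privileged account unused this long is a finding
AS_OF = datetime(2024, 5, 1)      # date the audit is run against

# Constructed export, not real data: one record per account.
ACCOUNTS = [
    {"user": "itadmin", "function": "it", "roles": ["Global Admin"],
     "mfa": True, "last_login": "2024-04-30"},
    {"user": "svc_backup2", "function": "it", "roles": ["Domain Admin"],
     "mfa": False, "last_login": "2024-05-01"},
    {"user": "vendor_pos_support", "function": "vendor", "roles": ["Domain Admin"],
     "mfa": False, "last_login": "2023-11-15"},
    {"user": "j.smith", "function": "store", "roles": ["Store Manager", "Helpdesk Admin"],
     "mfa": True, "last_login": "2024-04-29"},
    {"user": "old_dba", "function": "it", "roles": ["Domain Admin"],
     "mfa": True, "last_login": "2023-12-01"},
]

def audit_account(acct, as_of=AS_OF):
    """Findings for one account: roles beyond its job function, privileged roles
    held without MFA, and privileged accounts that have gone stale."""
    findings = []
    roles = set(acct["roles"])
    allowed = ROLE_MATRIX.get(acct["function"], set())
    for role in sorted(roles - allowed):  # least privilege: role not in the matrix
        findings.append({"user": acct["user"], "finding": "role_outside_function",
                         "detail": role})
    privileged = roles & PRIVILEGED_ROLES
    if privileged:
        if not acct["mfa"]:
            findings.append({"user": acct["user"], "finding": "privileged_without_mfa",
                             "detail": ", ".join(sorted(privileged))})
        idle = as_of - datetime.fromisoformat(acct["last_login"])
        if idle > STALE_AFTER:
            findings.append({"user": acct["user"], "finding": "stale_privileged_account",
                             "detail": f"{idle.days}d idle"})
    return findings

def audit(accounts, as_of=AS_OF):
    """Audit every account in the export."""
    return [f for a in accounts for f in audit_account(a, as_of)]

def summary(findings):
    """Count findings by type, for the post-incident review."""
    counts = {}
    for f in findings:
        counts[f["finding"]] = counts.get(f["finding"], 0) + 1
    return counts
```

On the constructed export the vendor account is the worst offender, holding Domain Admin outside its function, without MFA and unused for months; that is exactly the kind of standing third-party access the article's supply-chain point is about. The matrix itself is the least-privilege decision; the script only checks that reality still matches it.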

Call in the experts 

According to IBM, the global average cost of a data breach in 2024 reached $4.88 million, a 10% increase on the previous year, and retailers in particular faced a rise in cyberattacks during 2024. The UK Government’s Cyber Security Breaches Survey 2024 found that 50% of businesses had experienced a cyber breach or attack in the previous 12 months, with phishing (84%) the most common type. Cyberattacks clearly have lasting effects: they can cost millions of pounds to recover from, damage reputations and even destroy a business. Taking proactive security measures is therefore essential for the health of the business and the wellbeing of employees. After all, nobody wants to start their day facing the chaos of a security breach. 

Retailers can seek help from cybersecurity experts. Specialist firms such as Xalient and CyberQ are well practised at helping prevent incidents from occurring and at putting in place the cybersecurity resilience required if an incident has already happened. The NCSC is also a good source of guidance on enhancing cybersecurity resilience. 

Intelligent CISO