Retail’s Reality Check: Closing the Cyber Resilience Gap

UK retailers’ cyber security confidence is high – but the data tells a different story. Our Chief Information, Technology and Security Officer Tony Healy explains why and how they should shift perspectives from “Are we confident?” to “Are we recoverable?”

Cyber pressure on retailers isn’t easing; it’s evolving. Threat actors have shifted away from direct attacks and are placing more emphasis on exploiting partner ecosystems, digital platforms, and customer-facing interfaces. In most cases that means weaponising supply chain vulnerabilities, which, according to independent data in our Retail Whitepaper, are the weakest link for most UK retailers.

After a string of high-profile attacks, the retail sector should be questioning its cyber security posture. Instead, our data shows that while confidence levels across the National Cyber Security Centre’s 10 Steps to Cyber Security are high, the real-world experiences of retail sector IT leaders tell a different story. It’s a prompt to shift perspective and ask a different question: not “Are we confident?” but “Are we recoverable?”

Understanding the Resilience Gap

According to our research, 80% of retail IT leaders are confident that their risk, identity and access, asset, and incident management controls could prevent a cyber-attack. Look deeper, however, and cracks begin to show. For example, 86% think their organisation is more at risk than it was a year ago – and a similar number feel the same about the sector in general. Can confidence really be that high under those conditions?

Respondents also told us that supply chain disruption is constant across all common forms of cyber-attack, affecting operations, business continuity, and partner relationships. Yet this is the area where survey respondents had the least confidence in their ability to prevent an incident. Again, can reported confidence really hold up against that reality?

Recovery times further underline the gap between perceived confidence and actual resilience. Only 13% of retailers fully recover within six days. Fewer than a third return to normal within three weeks. More than a third take one to six months, and close to 20% take seven to twelve months. If confidence were based on lived experience, these figures would prompt urgent re-evaluation. Instead, confidence stays high while recovery stays slow. Retailers need a reality check – and a plan. Here are three suggestions to get back on track:

Audit What You Don’t See

It’s relatively easy for retailers to audit the parts of their environment they already understand or feel confident about. That feels safe, and it reinforces confidence, but that is exactly the problem. The real challenge is identifying the overlooked areas that cause sleepless nights: the places where bad actors lie in wait. Integration points, dependencies, and operational weak spots create exposure long before ransom demands arrive or the supply chain is compromised.

We recommend beginning with a realistic risk register. In our experience, retailers tend to catalogue everything but prioritise nothing, which creates a false sense of completeness. Worse, the document often remains static and is rarely referenced or updated. A meaningful audit supported by an active, prioritised risk register trims the noise and highlights the weaknesses that create the greatest downstream disruption.

Retailers also need visibility on the dependencies that determine how failure travels across their environment. They need to know which systems connect to which partners, as well as who owns access, and where responsibility boundaries might shift or blur. They can’t control their suppliers, but they can understand how their systems interact with them and whether those interactions reinforce resilience or undermine it.

Engineer For Disruption, Not Defence

Many retailers don’t benchmark their risk exposure or their progress in improving resilience. This contributes to overstated confidence and a persistent resilience gap. How do you test confidence without a baseline? The truth is that many don’t. Independent data from our Cyber Security Whitepaper shows that one in five senior IT security professionals rely on gut feel to assess cyber security effectiveness. That’s bad news. Without a baseline, it’s hard to see whether capability is strengthening or slipping. Benchmarking helps identify strengths and gaps and build a realistic long-term plan.

The key is to understand what fails first during an incident. Retail systems are interconnected: payments rely on identity, logistics on APIs, and customer-facing services on external integrations. That’s why POS and e-commerce skimming often triggers broader disruption, reputational damage, and payment failures. Identifying which dependencies collapse earliest helps protect the processes at greatest risk.

Complex environments make this harder. Hybrid and multi-cloud retailers experience slower, less predictable recoveries. This doesn’t require changing architecture. It requires closer attention to baselining and recovery sequencing, because complexity amplifies gaps.

It’s also important to understand the order in which systems must be restored. The long, inconsistent recovery windows reported by respondents suggest many organisations aren’t bringing systems back online in the sequence the business needs. Testing reveals gaps that only surface during real incidents and turns resilience into a repeatable capability.
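The three points above (mapping which systems connect to which partners, working out what fails first, and restoring in the order the business needs) can be made concrete with a small dependency map. The following is an added worked example, not code from this post or from Six Degrees; the system names and the dependency edges are constructed to mirror the relationships the text names (payments rely on identity, logistics on an API gateway, customer-facing services on both). It computes the blast radius of a single failure, ranks systems by how much they take down with them, and derives a restore order in which no system is brought back before the systems it depends on:

```python
"""Dependency map for blast radius and recovery sequencing (constructed example)."""
from collections import defaultdict, deque

# Constructed dependency map: each system -> the systems it depends on.
# These names and edges are illustrative assumptions, not survey data.
DEPENDENCIES = {
    "identity": [],
    "partner-api-gateway": ["identity"],
    "payments": ["identity"],
    "logistics": ["partner-api-gateway"],
    "ecommerce": ["identity", "payments", "partner-api-gateway"],
    "pos": ["identity", "payments"],
}


def _dependents(deps):
    """Invert the map: system -> set of systems that depend on it."""
    dependents = defaultdict(set)
    for system, needs in deps.items():
        for need in needs:
            if need not in deps:
                raise ValueError(f"unknown dependency {need!r} for {system!r}")
            dependents[need].add(system)
    return dependents


def blast_radius(deps, failed):
    """Systems that lose a dependency, directly or transitively, when `failed` fails.

    This is the "how failure travels" view: a breadth-first walk over the
    inverted dependency graph.
    """
    dependents = _dependents(deps)
    hit, queue = set(), deque([failed])
    while queue:
        current = queue.popleft()
        for dependent in dependents[current]:
            if dependent not in hit:
                hit.add(dependent)
                queue.append(dependent)
    return hit


def rank_by_impact(deps):
    """Systems whose failure takes the most others down come first.

    Ties are broken alphabetically so the ranking is deterministic.
    """
    return sorted(deps, key=lambda s: (-len(blast_radius(deps, s)), s))


def recovery_order(deps):
    """Restore order (Kahn's topological sort): every system appears after
    everything it depends on. A dependency cycle means no valid restore order
    exists without breaking a link, so it is reported rather than silently
    producing a partial sequence.
    """
    dependents = _dependents(deps)
    remaining = {system: len(needs) for system, needs in deps.items()}
    ready = deque(sorted(s for s, n in remaining.items() if n == 0))
    order = []
    while ready:
        current = ready.popleft()
        order.append(current)
        for dependent in sorted(dependents[current]):
            remaining[dependent] -= 1
            if remaining[dependent] == 0:
                ready.append(dependent)
    if len(order) != len(deps):
        stuck = sorted(s for s, n in remaining.items() if n > 0)
        raise ValueError(f"dependency cycle involving {stuck}; no valid restore order")
    return order


if __name__ == "__main__":
    for system in rank_by_impact(DEPENDENCIES):
        print(f"{system:<20} takes down {sorted(blast_radius(DEPENDENCIES, system))}")
    print("restore order:", " -> ".join(recovery_order(DEPENDENCIES)))
```

In the constructed map, identity is the system whose loss reaches everything else, so it is both the first thing to protect and the first thing to restore; point-of-sale and e-commerce come last because they depend on almost everything. A real register would replace the constructed edges with the retailer's own integration points and partner connections, and the cycle check is the part worth keeping: a cycle in the map is a sign that two systems cannot be restored independently, which is exactly the kind of gap that otherwise only surfaces during a live incident.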

If this all feels a long way from box-ticking compliance, that’s a good thing. Compliance tells you whether controls exist. Tested recovery shows how a retailer will cope when the worst happens.

Close the Human Gap

Supply chain disruption is the most common consequence of a cyber-attack, whether triggered by phishing, DDoS, or ransomware, and our data shows it is also the most common outcome of insider threat incidents. Most insider threat incidents aren’t malicious, but that’s little consolation: accidental behaviour gives attackers the access they need to cause wider disruption. Whether the insider acted maliciously or accidentally, the result is the same, and retailers are leaving themselves exposed to potentially months of operational disruption.

Retailers can reduce this risk by tightening access controls, removing permissions as soon as roles change, and monitoring for unusual account activity that may indicate compromise. And when incidents do occur, strong containment measures and tested recovery processes stop a single mistake from becoming a full-scale outage.

Education should also be part of the response. Regular, relevant awareness reminders help staff recognise phishing attempts and other tactics used to hijack accounts. Most attack patterns retailers experience rely on trickery, panic, a lack of awareness – or a mix of all three. The good news is retailers don’t need extensive training programmes, but they do need reminders that highlight practical precautions and preventative steps. Even small improvements in awareness can prevent incidents that would otherwise ripple across operations.

Customer-side compromise also creates strain, underscoring that the human gap outside the retailer’s environment is equally concerning. Retailers can warn customers about scams and design journeys that limit the damage caused by stolen credentials, but they can’t prevent every compromise. Those warnings remain essential, because even when the customer is the victim, retailers often bear the reputational impact. Retailers must therefore ensure that when customers are compromised, their own systems don’t amplify the damage. That comes back to structured, meaningful audits, an active risk register, and improved resilience.

Confidence Alone Won’t Carry Retailers Through 2026

Retailers have many reasons to feel confident in their cyber security posture, but confidence alone can be misleading. The danger comes when that confidence clouds judgement, slows improvement, and becomes a barrier to securing the investment needed for real resilience.

Creating systems and processes that enable IT leaders to report on cyber strengths and weaknesses honestly and transparently is a far better long-term strategy. It builds genuine resilience and, if an attack occurs, ensures everyone knows the procedure for getting the organisation back up and running with minimal operational and reputational damage. Ultimately, confidence isn’t the measure that matters. Confidence is easy. Resilience is earned.

If you haven’t already, download the Six Degrees Retail Whitepaper for in-depth insights into the UK retail tech landscape in 2026.
