
1 in 8 retail businesses have suffered a cyber attack in the last 12 months

Do you own a shop on Shopify or Etsy? Or perhaps you run your store primarily through Instagram’s online store front? According to cyber rating company Security Scorecard, retail was ranked the least secure out of 18 industries for social engineering, which sees hackers targeting retailers through baiting, phishing or vishing.

The Department of Culture, Media and Sports’ Cyber Security Breaches survey for 2021 revealed that, among private businesses, the sectors where it is most common for customers to book or pay online are, as might be expected, the food and hospitality sector (57%, vs. 30% overall) and the retail and wholesale sector (40%).

In the last year, 1 in 8 retail businesses have reportedly been victims of a cyber attack, but with the shift to online shopping as a result of the COVID-19 pandemic, this has not come as a surprise.

Within only a few months, the pandemic accelerated the shift to ecommerce/online stores by five years, meaning there is now more public and private data stored in the cloud than ever before.

Retailers should now be looking at their cyber security and understanding the risks associated with running an ecommerce store. No retail business is too small to consider cyber security: whether you have 10 customers or 10,000, the information you retain on them is still of huge value to cyber criminals.

It’s important to understand that there are many types of customer data. Global audit and assurance company Deloitte has categorised four different types of customer data. They are:

  • Account: Personal and transactional data, such as name and address

  • Location: Physical location through mobile phone location, and virtual location through IP address

  • Browsing: Browsing habits, including what, when and where

  • Profile: Data from third parties, such as demographics and social media

Here are 7 things you can do to protect this data and in turn, better protect your business:

Secure your data, secure your budget

Whilst cyber security might not be something you have budgeted for, it certainly should be. With 39% of businesses falling victim to a cyber-attack, it is important that as a retailer you have a robust budget or you risk losing much more if your business is hit by cyber criminals.

It’s sensitive for a reason

Information and data that is moved from one system or device to another is open to retail security threats. If you are transporting data, make sure the data is encrypted so it has extra protection when travelling and can only be accessed with a decryption key. Customer data is sensitive and should therefore always be transported in an encrypted environment.

*Data encryption translates data into another form, or code, so that only people with access to a secret key (formally called a decryption key) or password can read it.

Don’t avoid the physical risks

Within retail stores there are many physical assets that can increase the risk of a cyber-attack. If you have a self-scanner, till or computer within your premises then you need to consider the risk these pose. Any till or point-of-sale system should be regularly scanned with anti-malware software, and you should keep this point-of-sale system on a different network to all other computer devices. You can read more on the risk of point of sale in our blog.

Your employees can be your biggest asset and risk

A recent report by a global technology company has revealed that 65% of security incidents are a result of employee negligence, so training your employees on the basics of good cyber security is key. The turnover of employees in the retail sector is understandably higher than in other industries, and high numbers of part-time and seasonal employees often mean they miss out on any cyber security training. However, adding this to the onboarding process of all employees would be a simple way to ensure everyone has had the relevant training.

Boost your security with malware protection

To help your business defend itself against cyber-attacks, it’s essential that you have malware protection installed on your devices, and on any devices that use your networks, and that the software is regularly updated.

Be aware of how much time your employees use their devices in your retail store and reduce this as much as possible. This will help to minimise the risks posed by their own poor cyber security hygiene.

Don’t pass the password

IT software provider SecureLink reported that 81% of malicious breaches start with compromised passwords, so don’t underestimate the importance of password hygiene. If your employees are using weak passwords to access your systems and these are harvested in a breach elsewhere, cyber criminals then have access to your systems.

Follow the National Cyber Security Centre’s Cyber Aware password best practices to help strengthen passwords:

  • Use a strong and separate password for your email. If a hacker gets into your email, they could reset your other account passwords and access information you have saved about yourself or your business. Your email password should be strong and different to all your other passwords.

  • Create strong passwords using three random words - when you use different passwords for your important accounts, it can be hard to remember them all.

  • Do not use words that can be guessed (like your pet’s name). You can include numbers and symbols if you need to. For example, “RedPantsTree4!”

  • Saving your passwords in your web browser will help you manage them and can protect you against some cybercrime, such as fake websites.

Interested in receiving more guidance like this?

If your business is in the retail industry, then we are here for you.

Businesses in the West Midlands can sign up for a free membership online and receive a welcome pack full of practical resources and tools that will help you identify your risks and vulnerabilities and the steps you can take to increase your levels of protection. Through your membership, you will also get regular updates on new threats, designed to help you stay safer.

Take a look on our website


The contents of this website are provided for general information only and are not intended to replace specific professional advice relevant to your situation. The intention of The Cyber Resilience Centre for the West Midlands is to encourage cyber resilience by raising issues and disseminating information on the experiences and initiatives of others.  Articles on the website cannot by their nature be comprehensive and may not reflect most recent legislation, practice, or application to your circumstances. The Cyber Resilience Centre for the West Midlands provides affordable services and Trusted Partners if you need specific support. For specific questions please contact us.


The Cyber Resilience Centre for the West Midlands does not accept any responsibility for any loss which may arise from reliance on information or materials published on this document. The Cyber Resilience Centre for the West Midlands is not responsible for the content of external internet sites that link to this site or which are linked from it.
