Reconsidering responsibility for cyber security in retail

Cyberattacks on the UK’s biggest supermarkets are becoming more frequent, more disruptive and more costly. In the next article in our series on unlocking value in 2025, we explore why it’s time for retailers to rethink not just their cyber defences, but who in the business is responsible for them.

Millions in lost sales, personal data stolen and online orders suspended for months – the impact of the ongoing cyber security attacks affecting retailers including M&S, Co-op and Harrods have provided a sobering wake-up call for UK grocery and retail.

Far from the only high-profile attack to strike leading supermarkets in recent months, it’s now clearer than ever before that cyber security is a cornerstone of maintaining service, availability and consumer trust.

As a result, there’s little doubt all UK supermarkets and their suppliers will be closely scrutinising their cyber defences in the months to come. Already, M&S has said that it plans to ‘improve technology foundations, simplify infrastructure and applications…and lower technology run costs’ in a bid to protect against future incidents.

But alongside new tools and technologies to fend off attacks, is there also a case for rethinking where in an organisation the responsibility for cyber security lies?

Tim Fletcher

Director, Cyber Security in Corporates

KPMG in the UK

mail

Increasing exposure

Exposure to cyber-attacks in UK grocery retail has risen sharply in recent years.

If, 10 years ago, leading grocers were managing a relatively manageable stable of core tech underpinning their predominantly offline presence, then the shift to omnichannel, the digitisation of data from exponentially grown loyalty schemes and the increasing level of experimentation with new platforms, tools and revenue streams, including the likes of retail media, have led to a far more complex and fragmented picture.

Sadly, all of this great digitisation for customers has made grocery retailers more of a target for hackers, points out Tim Fletcher, director in KPMG’s cyber security services team. “The more technology facing out to your customers, the larger and more complex the attack surface becomes,” he says.

But what amplifies that exposure further is the fact that many retailers have failed to evolve the way in which they manage cyber security in line with this new digital-first landscape.

In that regard, “retailers are definitely behind the curve when it comes to effective cyber risk management,” says Neil Hare-Brown, CEO at Storm Guidance. “It’s clear that their boards consider that cyber risk is still very much in the domain of information technology (IT), that it’s an IT challenge.”

In today’s digital world, cyber security is not just an IT concern for technical experts – it is a business-critical risk which demands board-level attention.

Sarah Lyons

Deputy director for economy and society at the National Cyber Security Centre

In most cases, responsibility still lies with a siloed specialist team, reporting to the CISO and without the bandwidth to oversee every digital product.

But this narrow view can create blind spots, particularly given “the areas that modern cyber criminals are seeking to exploit are often outside the remit of a CIO, CISO or IT manager”, says Hare-Brown.

There’s no suggestion that this directly contributed to the recent spate of attacks or impacted responses. The Co-op says that “following the malicious third-party cyber-attack, we took early and decisive action to restrict access to our systems in order to protect our Co-op.” Meanwhile, M&S chief executive Stuart Machin has said the supermarket “tackled [the incident] head on with incredible spirit, teamwork and deep sense of responsibility as we prioritised serving our customers”.

Nevertheless, it’s a shortfall that many retailers need to address, agrees Sarah Lyons, deputy director for economy and society at the National Cyber Security Centre. “In today’s digital world, where organisations increasingly rely on data and technology to operate, cyber security is not just an IT concern for technical experts – it is a business-critical risk which demands board-level attention.”

Embedding cyber

Nobody in an organisation – from the CEO to a store cashier – is immune from being targeted, and once any colleague ‘opens the door’, the hacker is in. That should be reflected in how retailers approach the scale of cyber literacy and awareness across the business, for all colleagues.

At Sainsbury’s, which experienced significant disruption following the ransomware attack on a third-party partner last year, it’s an approach they’re already started to put in place. All of its colleagues are now required to complete mandatory training on ‘how to keep our information safe,’ outlined the supermarket in its 2024 annual report. ‘This is supplemented by regular colleague awareness campaigns, focusing on specific aspects of data and information security, for example monthly e-mail phishing exercises, with results reported to the DGC and defined escalations for colleagues who fail.’

But for Fletcher, it’s the “stressed middle” layer of management in particular where there are significant untapped opportunities to build up knowledge, understanding and share accountability.

If these teams are properly empowered, trained and have access to the right resources at the right time, they can help defend the organisation against cyber-attacks.

Tim Fletcher

Director of cyber security services at KPMG

“Retailers and grocers need to embed cyber as a shared responsibility model across the entire organisation, guided by the CISO, but also with input from front-line operational teams where decisions are made on a day-to-day basis and which may introduce cyber risk to the organisation,” he says. “If these teams are properly empowered, trained and have access to the right resources at the right time, they can help defend the organisation against cyber-attacks.”

For example, cyber protocols and checklists could be embedded into the workflows of development teams designing innovation, he suggests. Currently, “what I see in a lot of my retail clients is that they have technology development teams focused on fast output but without the right cyber skills embedded within the core skills and capabilities in programme teams,” he says. “Either the team delivering doesn’t understand the risk as they aren’t cyber experts, or they don’t have the right resources to make that part of the process.”

To address this, “there could be risk indicators integrated into the development life cycle for technology,” he says. “These could green-light when access management seems to be occurring in line with policies and standards. You could even gamify it to a degree, but it needs to be really understandable and clear so that your business technology teams know the risk they’re accepting by making certain decisions.”

Re-evaluating third-parties

In a bid to build more robust cyber defences, retailers may also need to revaluate how they work with third parties, including both the supply chain and technology and other service providers.

With more complex, multichannel operations, retailers today inevitably rely more heavily on third-party vendors. But just as with innovation pipelines, these external relationships can leave them exposed to new angles of attack if they aren’t managed carefully. Already, Tesco says it has introduced a supplier assurance programme focusing on third-party, cyber-security risks to address this, and the Co-op regularly tests for security weaknesses in its supplier base.

“The retailer might not control the technology, the vendor or what they do, but if something breaks it’s still part of their value chain,” says Fletcher.

“Again, it comes back to who takes ownership for security risks? Who’s responsible for that part of the puzzle? You can’t delegate accountability to a third-party completely. You still have an obligation to your customer to make sure that supply chains aren’t hit by major disruptions, leading to shortages on shelf, and that their data is protected.”

And with CISOs and their stretched teams unable to monitor each third-party relationship, it’s imperative that the team into which the vendor directly reports has been trained to understand the impact that supplier has on the value chain, including cyber, and can call in their cyber specialist colleagues at the right time.

Everyone’s responsibility

Ultimately, in today’s densely digitised commerce landscape, there’s no change that will leave a retailer invulnerable to cyber-attacks.

It’s why any robust retail cyber strategy should also incorporate regular practice runs, with simulated attacks to test both defences and various teams on how they would (and should) respond. Doing so can “build muscle memory which can mean the difference between a chaotic and a well-co-ordinated response” should an attack occur, says Fletcher.

But by recognising cyber security as the core, shared responsibility it is in today’s modern grocery landscape – rather than the sole domain of an overburdened security team – senior leadership can ensure everyone can play their part in fending off the next attack.