Not just an IT problem: What are retailers still getting wrong about cyber security?

Feature Articles | News | Supply Chain | Technology

Cyber risk is now a supply chain problem, but retailers are only just catching up

When cyber attacks hit M&S, Co-op and Harrods in spring 2025, the immediate focus was on IT failures.

The supply chain impact was immense, with the retailers experiencing systems going offline, payment disruptions and empty shelves. The financial consequences were also severe, with M&S warning that the prolonged disruptions following the attacks would see its operating profit slump by about £300m in the 2025-26 year alone.

But according to Ed Hayes, a partner at law firm TLT, a year on from the cyber incidents that rocked the retail sector, retailers are still framing the problem too narrowly.

“Cyber risk is increasingly a supply chain problem rather than a purely IT one,” he says, adding that while progress has been made, it has been uneven and often reactive.

“There’s been an improvement in recent years in the amount of attention it’s getting,” he says, “and partly that’s been driven by the cyber attacks that have made it into the press.”

For years, he suggests, IT security sat in something of a “backwater”, a cost centre rather than a strategic function. That legacy still shapes how retailers think about risk, and it is something companies need to reassess.

The ‘hidden gateways’

Hayes does not believe most retailers could confidently map every digital entry point into their business.

“If you went into most retailers,” he says, “I don’t think they’d understand or be able to point to the entirety of their supply chain, and where the risk lies.”

The reason is not necessarily negligence but structure. In many businesses, “anyone can enter a new contract up to a certain financial tolerance”.

Photo: The spring cyber attacks on M&S and Co-op led to empty shelves and disrupted operations

So, a marketing team, for example, might sign off a low-value agreement with a new platform without involving IT or cyber teams. “They see it as a marketing tool,” Hayes explains, “and they don’t think about the fact that, to make it work, there’s going to be connections into their systems.”

But over time, those seemingly small integrations build up: “You get a risk profile in a lot of companies that people just don’t know about,” he says. Low-value suppliers, often with limited cyber maturity themselves, become potential entry points.

One real-world illustration came when US supply chain software provider Blue Yonder was attacked. The impact cascaded into multiple retailers, including Starbucks, disrupting workforce scheduling and showing how an attack on a single supplier can affect many.

This example, Hayes explains, shows that retailers often underestimate the most dangerous parts of their ecosystem. “It’s almost the ones that don’t have a direct linkage into the IT team,” Hayes says. When non-technical departments grant system access, sometimes via shared passwords or informal integrations, they can inadvertently create a “backdoor” into corporate infrastructure.

More sophisticated still, and more concerning, are attacks that exploit legitimate relationships. “It’s slightly more complex,” Hayes says, describing scenarios where a trusted third-party IT provider is compromised. Retailers expect updates and patches from that supplier, but instead, malicious code is deployed under the guise of routine maintenance.

In that context, the oft-cited ambition of “end-to-end visibility” feels optimistic.

So what does “good enough” look like?

“It comes down to a really tight perimeter,” Hayes says: minimum access, strict internal controls and no third-party connections without formal IT sign-off. The blunt truth, Hayes admits, is that if that slows things down, so be it.

But retailers must also assume suppliers will fail at some point, which means implementing workarounds and offline solutions.

For example, when Blue Yonder’s systems were disrupted, Starbucks had manual processes in place for staff scheduling, but others may not be so prepared.

“If all your deliveries are solely dependent on one warehouse,” Hayes says, “and a cyber attack on that warehouse takes it out of action, you’ve got a problem.”

Despite this, the obvious solution (redundancy, secondary providers, backup systems) is rarely popular internally, especially among the senior leaders in charge of managing a budget.

“[CFOs will be saying] you’re telling me I’ve got to buy stuff I’m not going to use in order to mitigate a theoretical risk that might never arise,” he says, summarising the CFO’s likely response.

The cost of resilience

That tension between cost and resilience, Hayes says, runs through every supply chain decision.

“A lot of the top people, the CEO, the CFO, often don’t come from an IT background,” Hayes notes. There is, he says, a “deficit of knowledge” stemming from the fact that IT has historically struggled for influence at board level, seen as a “cost centre” rather than a growth driver.

Security measures can also feel like friction: multi-factor authentication is seen as ‘pesky’ and ‘finickity’ because it adds seconds to a task, and system checks slow down onboarding in a sector obsessed with efficiency, where every second matters.

“A lot of the expense feels like preparing for a rainy day that might never come,” Hayes says. When faced with a choice between enhanced cyber controls and technology that “makes things move faster”, retailers have in the past often chosen speed.

That is, Hayes points out, until something breaks. What hurts most in a cyber incident, Hayes explains, depends on the retailer’s pain points. For grocers, it is simple: “food not being on the shelves”. Empty aisles travel fast on social media and quickly dent footfall.

Photo: Shipping giant Maersk lost an estimated $250m to $300m in revenue due to the 2017 NotPetya cyber attack

For other retailers, the damage may be reputational, especially if customer data is exposed. “If children’s personal data gets exposed,” Hayes says, the impact can outweigh operational disruption.

There is also what he calls the “annoyance factor”. When shipping giant Maersk was paralysed by a cyber attack in 2017, few remember the IT provider at the root of the issue. “Everyone remembers that Maersk couldn’t move boats,” he says.

Recovery, he argues, comes down to redundancy and rehearsal. Retailers that are not “tied in exclusively to single vendors” can pivot faster. Those with detailed business continuity and disaster recovery plans, and who practise them like fire drills, fare better than those with policies gathering dust.

On paper, many retailers comply with standards such as PCI DSS and ISO 27001, which require regular testing. But in practice, Hayes sees a gap between theory and reality.

“You get the difference between paper compliance and real-world compliance,” he says. Policies exist, but they are not embedded. Exercises are scheduled, then postponed. Audit rights are written into contracts, then rarely used.

One persistent misconception, he adds, is that suppliers are doing what they say they are doing.

“It’s incredibly rare that retailers exercise audit rights over suppliers,” Hayes says. Signing a contract that mandates certain security standards is not the same as verifying them. Too often, that becomes clear only after an incident.

Regulation, consolidation and AI

Despite new proposals such as the UK’s Cyber Security and Resilience Bill, Hayes is sceptical that legislation alone will transform behaviour.

Data protection requirements have been in place “for donkey’s years”, he notes. “If retailers haven’t been putting in place the measures that are required under legislation that’s been in place already… why would anyone expect that another new law would change behaviour?”

Instead, Hayes says, it will be incentives, not statutes, that shift retailers’ priorities: if bonuses depend on resilience metrics, for instance, the topic is likely to get the attention of bosses.

Legislation is not completely useless, however. Where regulation may have more impact is through supply-chain pressure: as large retailers tighten contractual requirements, smaller suppliers may struggle to keep up.

Secretary of State for Science, Innovation, and Technology, Peter Kyle, said:

The Cyber Security and Resilience Bill will help make the UK’s digital economy one of the most secure in the world – giving us the power to protect our services, our supply chains, and our citizens – the first and most important job of any government. – April, 2025

“As retailers become more aware of cyber risk, they start increasing the demands on their suppliers,” Hayes says. Smaller firms, such as a “five person marketing agency”, may find compliance costs outweigh contract value. The result is likely “inevitable consolidation”, with “smaller numbers who can commit to the standards that retailers want”.

Fewer suppliers also means fewer potential attack vectors. Boards, for their part, have woken up. “I think 2025 changed things,” Hayes says. The wave of high-profile attacks shifted perceptions. Contracts are becoming “more robust”, and IT and security teams are being involved earlier in procurement rather than as an afterthought.

Yet headcount growth is not guaranteed. In retail, cyber teams are often small, sometimes “one person or a very small number of individuals”, occasionally doing the role “off the side of a desk”. Instead of hiring, many are turning to automation and AI.

AI can optimise supply chains and enhance security monitoring. But it is “only as good as the data that’s fed into it”. Used to make automated decisions, for example, forecasting demand or placing orders, it also becomes a new attack surface.

Agentic AI, capable of autonomously triggering purchasing decisions, “looks like a beautiful solution”, Hayes says. But if a malicious actor manipulates its inputs, for instance, distorting weather data to influence stock orders, disruption follows.

AI, he stresses, should be additive, not a replacement for human judgement. “It’s not instead of humans,” he says. Retailers still need people who understand their risk profile.

Looking ahead, if Hayes were designing a retailer from scratch, he says the starting point would be simple: no part of the business could grant system access to a supplier without cyber sign-off, supplier numbers would be consolidated, audit rights would be used and compliance would be tested, not assumed.

Cyber risk, in other words, would be treated as a core supply chain discipline, not an IT afterthought, but, for a sector built on razor-thin margins and relentless efficiency, that may be the hardest shift of all.
