
Building stronger cyber defences in the retail sector

The British Retail Consortium Crime Survey 2023 says 40% of retailers reported increased cyber-attacks. The last few years have been incredibly challenging for the sector; the pandemic forced many to become e-commerce businesses overnight, and not always with the full resources to ensure robust cyber protections were in place.

And now, the cost-of-living crisis has contributed to a surge in cybercrime, and earlier this year approximately 10 million JD Sports customers had their details stolen and PayPal had 35,000 client accounts compromised in an attack.

The crime survey also highlighted that more than 90% of retailers view phishing and ransomware as high or medium risk and that 38% of retailers ranked cyber security as one of the top three threats to their business over the next two years, up by 5%, with 15% placing it as the number one threat.

Why cyber security is a must-have for small businesses in Wales

The essential need for cyber security in retail, as well as other sectors, is developing at an ever-quickening pace as omni-channel and digitised approaches to conducting business are adopted. Cloud storage, hybrid working, and utilisation of AI software are just some of the ways in which the retail industry is rapidly advancing.

Any kind of digital activity such as emailing, online banking and having social media accounts comes with risks, regardless of whether the reliance on it is minimal or substantial. The Cyber Resilience Centre for Wales (WCRC) is here to help small businesses in the retail space be safer against cyber threats.

It doesn’t matter if a business is based in Llanfflewyn, Tregaron, Narberth or Pontypool, or digital usage is towards the more basic end of the scale or progressing. Why? Because cybercriminals are equal opportunists and will target every business at some point.

The biggest threat to businesses

The UK Government’s Cyber Security Breaches Survey 2023 warns that phishing is the biggest threat to businesses. Phishing is when a business’s employees are contacted by email, telephone or SMS by cybercriminals posing as a legitimate person or organisation. The hacker will use clever tactics to lure employees into providing sensitive data such as personal information, banking and credit card details, and passwords.

Here are some signs of a potentially fraudulent email:

  • An urgent call to action

  • Spelling errors

  • Hovering your mouse over (or tapping on) the sender name reveals an email address that differs from the name displayed

  • Requests personal or business-sensitive details

  • An unusual file type attachment

  • Sent at an odd time of day

  • Not addressed to a specific person

  • And often, something just doesn’t feel quite right, so trust your gut feeling

If you’ve received something that looks suspicious, we encourage you to:

  1. Never click a link or attachment that you’re unsure about

  2. Verify the communication without replying to the message by calling the person who the message claims to be from

  3. Forward emails to the Suspicious Email Reporting Service (SERS):

  4. Forward text messages for free to 7726. If you forward a text to 7726, your provider can investigate the origin of the text and arrange to block or ban the sender if it’s found to be malicious.
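The signs listed above can be checked mechanically against an email's headers and body. The following script is an added example (not part of the WCRC article) that parses a constructed sample message and reports which of the warning signs it shows: a display name borrowing a brand whose real domain differs from the sending address, a Reply-To pointing somewhere else, urgent wording, a generic greeting, links to hosts outside a list of known-good domains, an odd sending time, and risky attachment types. The trusted-domain list, the sample message and the keyword lists are all assumptions made up for the demonstration.

```python
import email
import re
from email import policy
from email.utils import parseaddr, parsedate_to_datetime

# Constructed sample message for demonstration only (not a real phishing email).
SAMPLE_EMAIL = """\
From: "Acme Bank Support" <alerts@acme-bank-secure.example.net>
Reply-To: help@mail-verify.example.org
To: owner@shop.example
Date: Tue, 05 Sep 2023 03:12:00 +0000
Subject: URGENT: verify your account within 24 hours
Content-Type: text/plain; charset="utf-8"

Dear customer,
Your acount will be suspended unless you confirm your details today.
Confirm here: http://acme-bank.example.com.login-check.example.net/verify
"""

# Assumed (hypothetical) list of domains the business genuinely deals with.
TRUSTED_DOMAINS = {"acme-bank.example.com"}
URGENT_WORDS = ("urgent", "immediately", "within 24 hours", "suspended")
GENERIC_GREETINGS = ("dear customer", "dear user", "dear sir/madam")
RISKY_EXTENSIONS = (".exe", ".js", ".vbs", ".scr", ".iso", ".html")
URL_RE = re.compile(r"https?://([^/\s]+)", re.IGNORECASE)


def domain_of(addr):
    """Return the lower-cased domain part of an email address ('' if none)."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def is_trusted(host, trusted=TRUSTED_DOMAINS):
    """True only if host is a trusted domain or a subdomain of one.
    A host such as acme-bank.example.com.login-check.example.net does NOT
    qualify: the real domain is whatever comes last, not first."""
    host = host.lower()
    return any(host == t or host.endswith("." + t) for t in trusted)


def check_message(raw, trusted=TRUSTED_DOMAINS):
    """Return a list of warning-sign descriptions found in the raw message."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []

    display, addr = parseaddr(str(msg["From"] or ""))
    from_domain = domain_of(addr)

    # Display name claims a trusted brand, but the address domain is elsewhere.
    brands = {t.split(".")[0].replace("-", " ") for t in trusted}
    if any(b in display.lower() for b in brands) and not is_trusted(from_domain, trusted):
        findings.append(f"display name '{display}' but address domain is {from_domain}")

    # Replies would go to a different organisation than the apparent sender.
    reply_domain = domain_of(parseaddr(str(msg["Reply-To"] or ""))[1])
    if reply_domain and reply_domain != from_domain:
        findings.append(f"Reply-To domain {reply_domain} differs from From domain {from_domain}")

    subject = str(msg["Subject"] or "").lower()
    if any(w in subject for w in URGENT_WORDS):
        findings.append("urgent call to action in subject")

    body = msg.get_content() if not msg.is_multipart() else ""
    body_lower = body.lower()
    if any(g in body_lower[:80] for g in GENERIC_GREETINGS):
        findings.append("not addressed to a specific person")

    for host in URL_RE.findall(body):
        if not is_trusted(host, trusted):
            findings.append(f"link to untrusted host {host}")

    # Sent outside 07:00-19:00 in the timezone the header itself states.
    sent = parsedate_to_datetime(str(msg["Date"])) if msg["Date"] else None
    if sent is not None and not 7 <= sent.hour < 19:
        findings.append(f"sent at {sent.strftime('%H:%M')} (outside normal hours)")

    for att in msg.iter_attachments():
        name = (att.get_filename() or "").lower()
        if name.endswith(RISKY_EXTENSIONS):
            findings.append(f"unusual attachment type: {name}")

    return findings


if __name__ == "__main__":
    for finding in check_message(SAMPLE_EMAIL):
        print("-", finding)
```

A tool like this is a prompt for a human decision, not a verdict: a message with no findings can still be fraudulent, and step 2 above (verifying by phone, not by replying) still applies.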

Other types of common attacks on retailers

Retail websites are incredibly vulnerable and are often brought down by criminals, leading to significant disruption, loss of sales, customer upset and reputational damage, to mention just a few of the detrimental effects.

A distributed denial-of-service attack (DDoS) is an attempt to make an internet-based service, such as a website, unavailable by overwhelming it with data traffic. This is often done by sending a flood of simultaneous requests in an attempt to crash the server as it struggles to respond to more requests than it can handle. You can read more about DDoS guidance offered by the National Cyber Security Centre (NCSC).

Cyber best practice measures to check out

Research by cloud-based security company Indusface says that only 22% of retailers train their employees in cyber security. The data was collected from 2,200 respondents in 18 different industries and retail was in the bottom five for adequate training.

Employees are a business’ first line of defence and the WCRC offers bespoke cyber awareness training which is delivered to match the knowledge level of staff members taking part. We use plain language and provide real-world examples to ensure the session is provided in the relevant context. The aim is to empower teams to understand how cybercrime happens and to gain confidence in flagging any activity that appears untoward. Get in touch for more information about cyber awareness training for your business.

Here are some cyber measures to incorporate into everyday business activities to help keep your organisation safer and prepared - some of the measures reduce vulnerability to an attack, while others lessen the impact.

1. Use strong and individual passwords for each login - passwords are the first level of protection when it comes to securing online accounts or customer data. Complex passwords can often be difficult to remember, which often leads to people choosing weaker passwords or repeating them across multiple accounts. The National Cyber Security Centre (NCSC) encourages the use of three random words, such as SunshineHeadphonesMagazine, to help protect against common issues like brute force attacks. This is where a hacker uses software that tries many passwords with the hope of guessing it correctly.

You can also increase the complexity by using Welsh language, symbols, capital letters and numbers for added security. Using a password manager will securely store your passwords, so you don’t need to remember them all.

2. Double up your cyber protection – two-factor authentication (2FA) or multi-factor authentication (MFA) is designed to help prevent opportunists from accessing your accounts even if they obtain your passwords. It ensures that any new device trying to log in or make account changes needs a second layer of security before access is given. Some common methods of 2FA include a single-use code being sent via SMS, email, phone, or smartphone application. Below are instructions on how to enable 2FA for the most common email systems and popular social media channels.

3. Regularly back up your data and isolate it – we’re guessing that businesses wouldn’t be able to stay operational for very long if access to critical data such as customer details, orders or payment details was blocked. Keep files and data safe with digital backups protected by a password or encryption, and keep them isolated from their associated network. By doing this, you're ensuring your business can still function following the impact of flood, fire, physical damage, or theft. Furthermore, if you have backups of your data that you can quickly recover, you can avoid being blackmailed by ransomware attacks.
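A backup only helps if it can actually be restored, so the copy should be checked, not just taken. The script below is an added example (not WCRC code) that archives a folder, records a SHA-256 fingerprint of every file and of the archive itself in a manifest, and then proves the backup by restoring it into a scratch folder and comparing each file against the manifest. It also refuses archives containing absolute or `..` paths before extracting them. The folder layout and file contents are constructed sample data; in practice the archive and manifest would be copied to the isolated location the text recommends, and the verify step run from there.

```python
import hashlib
import json
import tarfile
import tempfile
from pathlib import Path


def sha256_file(path) -> str:
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def make_backup(source_dir, archive_path) -> Path:
    """Write source_dir to a .tar.gz and a JSON manifest of hashes beside it."""
    source_dir = Path(source_dir)
    files = {}
    with tarfile.open(archive_path, "w:gz") as tar:
        for path in sorted(p for p in source_dir.rglob("*") if p.is_file()):
            rel = path.relative_to(source_dir).as_posix()
            files[rel] = sha256_file(path)
            tar.add(str(path), arcname=rel)
    manifest_path = Path(str(archive_path) + ".manifest.json")
    manifest = {"files": files, "archive_sha256": sha256_file(archive_path)}
    manifest_path.write_text(json.dumps(manifest, indent=2))
    return manifest_path


def verify_backup(archive_path, manifest_path):
    """Restore into a temporary folder and check every file against the manifest.
    Returns (ok, list_of_problems)."""
    manifest = json.loads(Path(manifest_path).read_text())
    if sha256_file(archive_path) != manifest["archive_sha256"]:
        return False, ["archive hash mismatch"]
    problems = []
    with tempfile.TemporaryDirectory() as scratch:
        with tarfile.open(archive_path, "r:gz") as tar:
            # Never extract entries that could escape the restore folder.
            for member in tar.getmembers():
                if member.name.startswith("/") or ".." in Path(member.name).parts:
                    problems.append(f"unsafe path in archive: {member.name}")
            if problems:
                return False, problems
            try:
                tar.extractall(scratch, filter="data")  # Python 3.12+ safe filter
            except TypeError:
                tar.extractall(scratch)  # older Pythons: members were checked above
        for rel, expected in manifest["files"].items():
            restored = Path(scratch) / rel
            if not restored.is_file():
                problems.append(f"missing after restore: {rel}")
            elif sha256_file(restored) != expected:
                problems.append(f"hash mismatch after restore: {rel}")
    return not problems, problems


def demo():
    """Back up constructed sample data, verify it, then damage the archive and re-verify."""
    with tempfile.TemporaryDirectory() as work:
        src = Path(work) / "shop-data"
        (src / "orders").mkdir(parents=True)
        (src / "orders" / "2023-09.csv").write_text("order_id,total\n1001,19.99\n")
        (src / "customers.csv").write_text("id,name\n1,Sample Customer\n")
        archive = Path(work) / "shop-data.tar.gz"
        manifest = make_backup(src, archive)
        ok_before, _ = verify_backup(archive, manifest)
        # Simulate corruption in storage or transit by flipping one byte.
        data = bytearray(archive.read_bytes())
        data[-20] ^= 0xFF
        archive.write_bytes(bytes(data))
        ok_after, problems = verify_backup(archive, manifest)
        return ok_before, ok_after, problems


if __name__ == "__main__":
    print(demo())
```

Encryption of the archive (for example with a password-protected tool) would sit on top of this; the manifest still lets you confirm the decrypted restore matches what was backed up.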

4. Update your software - every piece of software your business uses, whether this be for payment transactions or a stock management system, offers the potential for unauthorised access and exploitation. Good cyber security practice means keeping computers, devices, applications, and software patched and up to date, and where you can, add the use of two-factor authentication with strong passwords.

Regularly patching and installing software updates helps protect devices, as new flaws and vulnerabilities are continually being discovered, which cybercriminals can use to wreak havoc. Software and app updates are designed to fix these weaknesses, and installing them as soon as possible will keep your devices secure.

When setting up new devices you should also remove any unnecessary pre-installed software, while ensuring that they have firewall protection enabled and are running up-to-date anti-virus software.

The WCRC offers free core membership to help level the playing field for smaller businesses in Wales wishing to improve their cyber safety through simple yet effective ways. It takes just a matter of moments to sign up and receive regular guidance, cyber threat updates, resources, toolkits and more.


The contents of this website are provided for general information only and are not intended to replace specific professional advice relevant to your situation. The intention of The Cyber Resilience Centre for Wales is to encourage cyber resilience by raising issues and disseminating information on the experiences and initiatives of others. Articles on the website cannot by their nature be comprehensive and may not reflect most recent legislation, practice, or application to your circumstances. The Cyber Resilience Centre for Wales provides affordable services and Trusted Partners if you need specific support. For specific questions please contact us.

The Cyber Resilience Centre for Wales does not accept any responsibility for any loss which may arise from reliance on information or materials published on this document. The Cyber Resilience Centre for Wales is not responsible for the content of external internet sites that link to this site or which are linked from it.
