Four in five of the UK’s top 50 retailers are exposed to at least one form of critical cyber vulnerability, according to new research from cyber risk specialists KYND.
The analysis, which focused on the top 50 UK retailers by revenue, also found more than a third (38%) of the retailers analysed face critical risks simultaneously across all five major threat categories: ransomware risk exposure, email security weaknesses, outdated software, vulnerable services and certificate issues.
KYND defines critical or ‘red’ risks as vulnerabilities which are very likely to lead to business interruption if not addressed. Of the 50 organisations analysed, the majority had at least one critical red risk identified in each category. KYND found:
- 80% had email security vulnerabilities
- 72% had certificate issues (digital certificates are crucial for maintaining secure online communication and protecting sensitive data, so misconfigurations, expired or revoked certificates can compromise security)
- 70% had vulnerable services
- 70% had outdated software
- 58% were exposed to ransomware risk
It comes after a string of high-profile cyber incidents impacting retail giants including M&S, the Co-op, and Harrods. M&S has estimated that the hack, which began in April, will cost the business at least £300m in lost profits.
Andy Thomas, CEO of KYND, noted that the findings highlight the growing risks posed by poor cyber hygiene as the sector relies more heavily on digital infrastructure.
He said: “Retailers hold enormous volumes of sensitive data and operate complex supply chains, so even a seemingly minor oversight – like an expired certificate or unpatched software – can quickly become an open door to attackers.
“These results are a wake-up call for the sector to focus on the fundamentals: visibility, prioritisation and proactive monitoring.”
Email security proved to be the biggest liability by volume, accounting for 9,239 critical issues identified across the 50 companies analysed, which could open the door for phishing or spoofing attacks. Other attack vectors presented hundreds or thousands of individual ‘red’ risks, including 1,180 related to vulnerable services and 1,073 certificate issues.
With more than a third of retailers facing overlapping vulnerabilities, which compound risk and multiply their exposure, KYND is calling on retail businesses to address these systemic weaknesses.
Thomas added: “Today, cyber risk is a board-level concern with serious financial, operational, and reputational implications. For retailers operating in an increasingly digital environment, managing cyber risk as a core business risk is essential to maintaining resilience and protecting long-term value.”
NAM Implications:
- Unfortunately, despite the highly publicised cases of M&S, Co-op and Morrisons…
- …and the yet-to-be-revealed consequences, especially in terms of consumer trust in the protection of personal data…
- …some retailers will wait to find out the hard way.
- The issue for retail is that for leading-edge retailers…
- …proven security against cyber attacks could be seen as a competitive edge vs rivals.
- Thereby raising the security game for all…