Following the recent high-profile cyber attacks in the UK retail sector, new research from Retail Economics and Barclays UK Corporate Banking reveals just one in four retailers (25%) feel “highly prepared” to detect, respond to, and recover from a similar incident. This comes as cybersecurity tops the risk agenda for almost three in five retail leaders, ahead of financial and operational concerns.
With cyber threats to retailers growing more sophisticated, the study suggests that moderate preparedness is no longer enough. Resilience requires proactive investment, from infrastructure upgrades and supply chain security to regular stress testing and board-level ownership of response protocols.
Worryingly, one in 10 (11% of) retailers admit they remain unprepared for attacks, exposing serious vulnerabilities at a time when digital infrastructure is critical to operations, trust and continuity.
The research, based on interviews with 117 senior retail executives, shows that businesses are beginning to respond with intent, with nearly three in five retail leaders (58%) citing cyber security as a top-three threat for the year ahead, reflecting growing concern over ransomware, data breaches and system outages.
High-profile cyber attacks – such as recent incidents involving M&S – have forced cybersecurity into the boardroom, seeing investment in cyber resilience on the rise. Nearly two-thirds (64%) of retailers have increased their focus on cybersecurity over the past 12 months, from upgrading systems and stress-testing response plans to embedding security across supply chains.
This comes at a time when risks are becoming more complex and interconnected. The number of principal risks disclosed by the UK’s top 30 listed retailers has risen to 278, with 40 new or escalating risks in the past year alone. Of these, cyber-related risks account for a high quarter (25%) of this increase.
While cybersecurity is the standout concern for 2025/26, financial pressure remains a close top concern. Retailers are facing a £6.5bn rise in operating costs in 2025, driven by increases to the National Living Wage, Employer National Insurance contributions, business rates, utilities and property costs. Over the past decade, average pre-tax profit margins have almost halved, from 10.4% in 2014 to just 5.7% in 2024. Despite a decade of inflation, this translates into a fall of over £7.3bn in pre-tax profits across the sector, from £32.7bn to £25.4bn.
It means cost control has become a sharper strategic focus – yet the study found that many retailers are balancing defensive measures with forward-looking investment in technology, data, and supply chain resilience.
With risk and disruption now ever-present, resilience has become a key differentiator. The proportion of retailers that see themselves as ‘ahead of the game’ in managing risk compared to competitors has edged up slightly, from 26% to 28%. However, those falling behind have increased more sharply – from 21% to 25%. Overall, well over half (58%) of retail leaders believe the performance gap between the strongest and weakest businesses is widening.
Richard Lim, chief executive of Retail Economics, commented: “Cyber threats are no longer just an IT issue. They cut to the heart of customer trust, brand reputation and operational continuity. It’s concerning that so many retailers still lack the confidence and capability to respond effectively. Resilience today isn’t just about protection. It’s about being ready to act, recover quickly and adapt at speed.
“The most forward-thinking retailers are using cyber risk as a catalyst for broader transformation. They are accelerating investment in digital infrastructure, strengthening internal agility and embedding resilience across their operations. These are the bold decisions, made under pressure, that will shape long-term success.”
Karen Johnson, Head of Retail and Wholesale of Barclays UK Corporate Banking, added: “As operational and financial risks continue to escalate, it’s clear that embracing technological advancements and enhancing cybersecurity measures will be key to building resilience for UK retailers.”
NAM Implications:
- Key issue for retailers:
- Keep quiet re level of defence against cyber attacks and hope they will focus elsewhere…
- …or ‘tell the world’ and risk cyber criminals wanting to prove you wrong.
- Whilst a retailer’s main concern will be in maintaining on-shelf availability…
- …shoppers may be more concerned with breaches in terms of access and abuse of their personal data.
- Whilst speed of reaction and openness may be the default strategy…
- …prevention may be the only real answer.
- In which case, the inevitable expense needs to be factored in now.
- And the decision-making elevated to board-level accountability, fast.
- Anything less is playing at it, until the next breach…
