Modern retailers are data driven, and valuable PII and payment data makes any organisation selling online an attractive and obvious target for attackers to either steal data or deny access to it (seeking a ransom).

The retail industry is actively targeted; a recent whitepaper by Sophos – The State of Ransomware in Retail 2022 – reported a dramatic increase in the level of attacks against the sector: “77% of retail organisations were hit by ransomware in 2021, up from 44% in 2020.”

It is now no longer a matter of when or if the attack happens, but how much damage it causes and whether the organisation can survive.

Organisations correctly spend considerable resources on increasing security to reduce the likelihood and impact of an attack by implementing protective and reactive controls, like patching, configuration management and SOCs (Security Operations Centres), which will have a significant impact in reducing the level of risk.

However, it will never eliminate the risk entirely.


Press and popular opinion suggest that cyber security breaches can result in huge, and sometimes irrecoverable, reputational damage. Therefore, without proper response and recovery plans, a company’s chance of survival is lower.

Organisations still fear disclosing such breaches, as being open and honest exposes them to this reputational impact. Yet the stark reality is that consumers and the media are increasingly likely to find out about a breach. The attackers themselves may even disclose it for greater impact. 

Besides potentially being illegal, denying a breach, trying to minimise the impact, or communicating in complex and evasive language is doomed to failure. When organisations retract or update statements, or when other sources provide contradictory information, it reduces trust in an already damaged brand. 

Customers need to know – and, most importantly, trust – that you understand the impact on them and are working hard to resolve it.

When shipping company Maersk fell victim to the NotPetya attack in 2017, its clear and straightforward communication, swift and decisive action, and efforts to keep serving customers not only saved its business but also resulted in the company becoming a beacon for corporate responsibility.

So what do you do? A sound, robust response will enable organisations to survive and could yield positive outcomes for well-prepared retailers:

  • Plan – What would your organisation do in the first hour, day, week, and month of an attack and the recovery? Not just the technical requirements, but how do you limit harm? How do you communicate with staff, third parties, the authorities, and, most importantly, the customers and those directly impacted? Who will lead this communication effort?

  • Rehearse – Releasing negative news is very difficult and exceptionally uncomfortable, but it is a learnt skill. The fear of repercussions and human nature tends to make us minimise the event and respond aggressively to challenge. 

  • Communicate – However good your media and executive team are, they need to deliver a press release that is clear, honest, and helpful. Your spokespeople need to practise looking into the lens of a camera and communicating clearly and showing empathy. It is better to have the awkward experience of getting it wrong in the rehearsal than during a real incident. 

    Customer service teams need to be taught and rehearsed in how to deal with scared and angry customers. If someone is scared that their credit card details have been stolen from your system, they are vulnerable and need help and support – it is not the time to put them on hold or communicate badly. How do you tell them that you’re very sorry, but you can’t deliver the product or take the order whilst retaining their loyalty at the same time? The skill is honest communication – another learnt skill that benefits from practice. 

Planning for a serious incident and the ensuing recovery isn’t cheap. It will likely require specialist external support and time from the executive, technical, operational and customer support teams. It needs to be updated and rehearsed regularly.

In the heat of an incident, this can all make the difference between an organisation that is seen as the victim of crime, who took it seriously, went the extra mile to protect customers and will recover, versus one that has poor security, tried to hide it, and allowed customers to suffer.