UK Retailers Urged to Rethink Cybersecurity Responsibility Amid Rising Threats

CyberPro Magazine

The UK retail sector is facing growing cybersecurity threats that are becoming more frequent and financially damaging. High-profile attacks on major supermarkets like M&S, Co-op, and Harrods have led to millions in lost revenue, compromised personal data, and long-term disruption to online services. As these incidents highlight the vulnerability of grocery and retail chains, industry experts are calling for a reassessment of how cybersecurity is managed internally.

Marks & Spencer, for instance, has already announced steps to improve its technology foundations, simplify infrastructure, and reduce operational IT costs to strengthen its cybersecurity framework. But beyond bolstering defences with updated tools and software, there is a broader question emerging: who within the organisation should be responsible for cybersecurity?

UK Retailers' Digital Expansion Has Widened the Attack Surface

Over the past decade, UK grocery retailers have transitioned from relatively simple tech infrastructures to complex digital ecosystems. The rise of omnichannel retailing, advanced loyalty programs, and experiments in retail media have dramatically expanded their technological footprint. This evolution has increased their exposure to cyber threats, explains Tim Fletcher, a cybersecurity expert at KPMG.

“The more customer-facing technology a retailer has, the larger and more complex the attack surface becomes,” Fletcher says. Unfortunately, many retailers have not adapted their cybersecurity strategies to match this new reality. Cybersecurity remains narrowly confined to specialised IT teams, often led by a Chief Information Security Officer (CISO), without sufficient integration across the business.

Neil Hare-Brown, CEO of Storm Guidance, points out that this outdated approach creates dangerous blind spots. Many modern cyber threats originate from areas outside the purview of IT departments, making it critical for retailers to adopt a more holistic and collaborative model of risk management.

Cybersecurity Must Become a Company-Wide Responsibility

Security experts and government agencies agree: cybersecurity should no longer be treated as a siloed IT issue. According to Sarah Lyons, Deputy Director for Economy and Society at the UK’s National Cyber Security Centre, cyber risks today represent a business-critical challenge that demands attention from top leadership and every department.

Retailers are being urged to adopt a shared responsibility model in which cybersecurity becomes embedded across all levels of the organisation. This includes frontline teams, operational staff, and development units that are often responsible for day-to-day decisions that can introduce cyber risks.

For example, Tim Fletcher suggests integrating risk indicators into the technology development lifecycle. By embedding cybersecurity protocols directly into development workflows, and making them understandable and actionable, business technology teams can make informed decisions and avoid costly vulnerabilities.

He even proposes gamification as a way to make cybersecurity protocols more engaging and transparent. “Teams need to understand the risks they’re accepting,” Fletcher says. “With the right tools and awareness, they can be a powerful line of defence.”

As cyber threats continue to escalate, UK retailers must evolve not just their defences but also their organisational mindset, making cybersecurity a strategic priority shared by all.
