
Retailers urged to review cyber risk controls amid rampant attacks

Cyber risk controls - NCSC’s 2025 Cyber Governance Code for Retailers

As leading retailers become the latest victims of cyber-attacks, leading audit, tax and consulting firm RSM UK is advising businesses to review their cyber risk controls to ensure they are as robust as possible.

Earlier this month the government launched its National Cyber Security Centre (NCSC) Cyber Governance Code of Practice, providing organisations with clear guidance and best practice on managing cyber risks.


Jacqui Baker, partner and head of retail at RSM UK, said, “Retailers are already navigating a difficult trading environment shaped by fragile consumer confidence, increases in employment costs and shifting spending habits.

“The recent wave of cyber-attacks adds another critical layer of risk, one that can significantly damage consumer trust, disrupt operations, and harm brand reputation overnight.

“In a sector where customer loyalty is hard-won and competition is high, ensuring data security and operational continuity is paramount.

“Cyber risk continues to move at speed, particularly due to advancements in technology, meaning attacks are becoming increasingly sophisticated. Quite often, it’s a case of when, not if, one takes place, so it needs to be high up on retailers’ risk register.

“While it’s key that retailers implement necessary prevention measures, there’s no quick fix, and what might solve the issue today might not work tomorrow, so it’s crucial they remain agile.

“Retailers must now view cyber resilience not only as a technical requirement but as a core component of customer experience and brand protection.”

Sheila Pancholi, technology risk partner, RSM UK, added, “These recent attacks on retailers serve as a warning to all businesses to continuously assess and tighten up their cyber security measures.

“Organisations are accountable for effective governance, cyber controls, resilience, and importantly robust plans to respond effectively to cyber incidents.

“The first line of defence against cyberattacks is often employees, so it’s important to also ensure staff are regularly trained and educated on cyber risks and how to spot attempts to access systems via increasingly sophisticated phishing emails (e.g. ClickFix Phish), or links to bogus websites.

“We welcome the government’s recent Code of Practice which supports businesses in governing their cyber risks to enhance operational resilience.

“With increasing geo-political tensions and highly sophisticated cyber criminals now operating on an industrial scale, motivated by financial gain and destabilisation, the threat landscape will only increase, with broader targeting across industries. This raises a question of whether the current voluntary code goes far enough?

“The Cyber Governance Code of Practice states that half (50 per cent) of businesses and two thirds (66 per cent) of high-income charities experienced some form of cyber security breach or attack in the last 12 months, with the prevalence of attacks being even higher amongst medium businesses (70 per cent) and large businesses (74 per cent).

“This serves as a stark reminder that there’s more to be done to improve cyber resilience and keep pace with new emerging threats.”