Employees: the frontline in your firewall

We know that the cyber groups responsible for the recent retail hacks used sophisticated social engineering techniques, such as impersonating employees to deceive IT help desks into resetting passwords and providing information, thereby gaining unauthorised access to internal systems.

Employees are increasingly a target, and retailers employ some of the largest, most diverse workforces, making them an even bigger risk with countless touchpoints for breaches. In these organisations, a cybersecurity-first culture is vital to combatting threats. Cybersecurity-first culture includes employees that are aware of these types of attacks and understand how to report them if they are contacted.

In order to establish a cybersecurity-first culture, employees must be empowered to recognise and respond to threats, not just avoid them. This can be done through simulation training and threat assessments – showcasing real life examples of threats and brainstorming possible solutions to control and prevent further and future damage.

This allows security teams to focus on strategy instead of constant firefighting, while leadership support – through budget, tools, and tone – reinforces its importance at every level.

Real time visibility of the risks 

In addition to support workers, vendors also pose a significant attack path for bad actors. According to data from Elastic Path, 42% of retailers admit that legacy technology could be leaving them exposed to cyber risks. And with the accelerating pace of innovation, modern cyber threats are not only more complex, but often enter through unexpected avenues, like third-party vendors. Research from Vanta shows 46% of organisations say that a vendor of theirs has experienced a data breach since they started working together.

The M&S breach is a case in point, with it being reported that attackers exploited a vulnerability in a contractor’s systems, not the retailer’s own. This underscores that visibility must extend beyond your perimeter to encompass the entire digital supply chain, in real time.

Threats don’t wait for your quarterly review or annual audit. If you’re only checking your controls or vendor status once a year, you’re already behind. This means real-time visibility is now foundational to cyber defence. We need to know when something changes the moment it happens. This can be done through continuous monitoring, both for the technical controls and the relationships that introduce risk into your environment.

We also need to rethink the way we resource and prioritise that visibility. Manual processes don’t scale with the complexity of modern infrastructure. Automation and tooling can help surface the right signals from the noise – whether it’s misconfigurations, access drift, or suspicious vendor behavior.

Taking stock: a workflow for protection

The best case scenario is that security measures are embedded into all digital architecture, utilising a few security ‘must haves’ such as secure coding, continuous monitoring, and regular testing and improvement. Retailers who want to get proactive and about breaches following the events of the last few weeks can follow this action plan to get started:

First, awareness – have your security leadership send a message out to managers of help desks and support teams to make sure they are aware of the recent attacks on retailers, and are in a position to inform teams of what to look out for.

Then, investigate – pinpoint the attack path used on other retailers to make sure you have a full understanding of the risk to your organisation.

After that, assess – conduct a threat assessment to identify what could go wrong, or how this attack path could be used in your organisation.

The final step is to identify – figure out the highest risk gaps in your organisation, and the remediation steps to address each one.

The last line of defence

Strong cybersecurity doesn’t come from quick fixes – it takes time, leadership buy-in, and a shift in mindset across the organisation. My advice to security teams is simple: speak in outcomes. Frame cyber risk as business risk, because that’s what it is. The retailers that have fallen victim to recent attacks are facing huge financial losses, which makes this not just an IT issue – it’s a boardroom issue.

Customers are paying attention. They want to trust the brands they buy from, and that trust is built on transparency and preparation. The recent retail attacks aren’t a reason to panic – they’re a reason to reset, evaluate current state risks, and fully understand the potential impacts of what is happening elsewhere. This is the moment to invest in your infrastructure, empower your teams, and embed security into your operations. The organisations that do this now won’t just be safer – they’ll be more competitive, more resilient, and better positioned for whatever comes next.

Jadee Hanson is the Chief Information Security Officer at Vanta