The latest research from KYND suggests that retailers are vulnerable to cyber attacks and outages.
Four in five of the UK’s top 50 retailers are exposed to at least one form of critical cyber vulnerability, according to new research from cyber risk specialists KYND.
The analysis, which focused on the top 50 UK retailers by revenue, also found more than a third (38%) of the retailers analysed face critical risks simultaneously across all five major threat categories: ransomware risk exposure, email security weaknesses, outdated software, vulnerable services and certificate issues.
KYND defines critical or ‘red’ risks as vulnerabilities which are very likely to lead to business interruption if not addressed. Of the 50 organisations analysed, the majority had at least one critical red risk identified in each category. KYND found:
- 80% had email security vulnerabilities
- 72% had certificate issues (digital certificates are crucial for maintaining secure online communication and protecting sensitive data, so misconfigurations, expired or revoked certificates can compromise security)
- 70% had vulnerable services
- 70% had outdated software
- 58% were exposed to ransomware risk.
It comes after a string of high-profile cyber incidents impacting retail giants including M&S, the Co-op and Harrods. M&S has estimated that the hack, which began in April, will cost the business at least £300m in lost profits.
Andy Thomas, CEO of KYND, said the findings highlight the growing risks posed by poor cyber hygiene as the sector relies more heavily on digital infrastructure.
He said: “Retailers hold enormous volumes of sensitive data and operate complex supply chains, so even a seemingly minor oversight — like an expired certificate or unpatched software — can quickly become an open door to attackers.
“These results are a wake-up call for the sector to focus on the fundamentals: visibility, prioritisation and proactive monitoring.”
Email security proved to be the biggest liability by volume, accounting for 9,239 critical issues identified across the 50 companies analysed – which could open the door for phishing or spoofing attacks. Other attack vectors presented hundreds or thousands of individual ‘red’ risks, including 1,180 related to vulnerable services and 1,073 certificate issues.
With more than a third of retailers facing overlapping vulnerabilities which compound risk and multiply their exposure, KYND is calling on retail businesses to address systemic weaknesses.
In response to the findings, KYND is urging retail businesses to:
- Gain full visibility over their digital infrastructure to understand the breadth of risk exposure. Most of the identified issues were visible externally, making them easy targets for threat actors.
- Prioritise remediation of actively exploited and high-impact vulnerabilities, such as those listed in CISA’s Known Exploited Vulnerabilities (KEV) catalogue.
- Address foundational weaknesses, including tightening email security protocols, software patching and certificate renewal.
- Move from intermittent, point-in-time cyber risk assessments to continuous attack surface monitoring, as new vulnerabilities are emerging all the time.
- Continuously evaluate cyber risk across third-party suppliers and partners and work with them to help remediate critical issues.
Andy Thomas added: “Today, cyber risk is a board-level concern with serious financial, operational, and reputational implications. For retailers operating in an increasingly digital environment, managing cyber risk as a core business risk is essential to maintaining resilience and protecting long-term value.”
For more information, please visit: https://www.kynd.io/
