UK retailers overconfident in cyber security as risks escalate
New research has identified a significant disconnect between how confident UK retailers feel about their cyber security and their actual ability to fend off attacks, with one in five admitting their current defences would not prevent a cyber incident.
Confidence gap
The data, based on responses from 350 senior IT professionals across the retail sector, highlights that despite high levels of reported confidence, many organisations acknowledge vulnerabilities in their security posture. Confidence in areas such as risk management, identity and access management, and data protection reached as high as 84%. Even in supply chain management - cited as the weakest area - confidence remained at 76%. However, this comes amid increasing reports of incidents linked to supply chain attacks over the past year.
Operational impact
The consequences of this gap between confidence and capability are already manifesting. The most frequently reported operational disruption following a cyber-attack is the inability to restock goods. A third of respondents also reported a negative impact on customer satisfaction, particularly regarding issues with dispatch, delivery, and returns. About a quarter identified increased exposure to problems with insurance, reputation, and legal risks as further consequences.
The recovery process following an attack remains protracted for many retailers. Only 13% said they could fully restore operations within a week, while just 29% said they could do so within three weeks. In contrast, more than a third of those surveyed indicated it could take from one to six months to return to normal activity levels.
Investment priorities
The research also explored where retail IT leaders are most likely to direct future spending. Cyber security was the leading priority for 32% of respondents, ahead of outlays on cloud infrastructure (26%), connectivity (23%), and AI and automation (20%). The interest in ongoing investment in security suggests that, despite stated confidence, most retail organisations recognise existing vulnerabilities.
Funding challenges
The report indicates that the gap between stated confidence and actual needs may be complicating efforts to secure more resources for cyber defence. Of those expressing strong confidence, nearly a third cited competing business priorities as the biggest obstacle to obtaining new funding for cyber security projects.
"Retailers feel the impact of cyber-attacks acutely because recovery is often slow. Only 13% of retailers fully restore operations within the first week, and just 29% within three weeks. More than a third take between one and six months to return to normal. You would expect slow recovery times to shake confidence and prompt a rethink of cyber security strategies - but our data shows that isn't happening. This disconnect highlights a deeper issue: when cyber security reporting doesn't reflect reality, businesses remain exposed," said Vince DeLuca, CEO, Six Degrees.
Sector at risk
The findings come as UK retailers face a landscape of escalating threats, with respondents indicating perceived increases in risk compared to the previous year. Many retailers point to a rise in supply chain-based incidents and admit that, despite high confidence, defensive capabilities may not be adequate to keep pace with sophisticated attacks.
"The message to retailers is clear: cyber security confidence does not equal resilience. Confidence statements are easy to make, but do they withstand scrutiny against real-world threats? True resilience requires time, commitment, cultural alignment, and leadership from the top. And it's never static - resilience can erode quickly without regular checks, assessments, and benchmarking built into defence strategies. Threat actors have consistently targeted the UK retail sector throughout 2025. Retailers who act now to close the cyber confidence gap will take a decisive step toward preventing their organisation from becoming the next headline in 2026," said DeLuca.