
5 ways SMEs can protect their retail and online stores from Cyber Attacks

1 in 8 retailers faced a cyber-attack in the last 12 months, according to a report by the audit firm Grant Thornton, and just 46% of retail businesses have a cyber-security strategy in place, below the global average of 52% for all businesses.

Cybercriminals take an interest in the retail sector due to the level of customer data that is collected and stored online, particularly through online and eCommerce shopping platforms.

In 2018, fashion retailer SHEIN suffered a data breach affecting over 6.4 million customers. Cybercriminals gained access to the company's servers and stole customers' personal information. The breach occurred in June, but the company only discovered it in late August, so the attackers had roughly two months of access before anyone noticed.

No retail business is too big or too small to need a cyber security strategy. Whether you have 50 customers or 100,000, the data you hold on your customers and staff is of huge value to a cybercriminal.

Why should retail and eCommerce businesses be aware of cyber attacks?

According to a recent survey conducted by Sophos, 44% of retail organisations in the last year were hit by ransomware and 32% of those paid up.

Further research by PwC on their client base revealed that cyber-attacks on their retail clients had increased by over 30%, showing that the retail and eCommerce industry is of interest to cybercriminals.

Within only a few months, the pandemic accelerated the shift of the public shopping online via eCommerce stores by five years, meaning there is now more public and private data stored in the cloud than ever before.

In the two years from March 2019 to March 2021, there was an 8% increase in the opening of retail businesses. And, with 98% of UK businesses now operational online in one way or another, benefiting hugely from the use of websites, social media, staff email addresses, online banking, and the ability for customers to shop online, it is no surprise that cybercrime has followed this trend upwards.

What type of attacks do retail and eCommerce businesses face?

Attacks on web applications, such as a company's online payment system, are the most common type of attack suffered by retail companies, according to a recent Verizon Data Breach Investigations Report. Attackers breach the payment page or checkout system and plant malicious code that skims customers' card details as they are typed in. The stolen data is then either used to extort the business or sold on to other cybercriminals for profit.

Point-of-sale (POS) attacks are another common method of attack on the retail and food and beverage industries. These take place when malware is installed on the systems used to process financial transactions; it is designed to steal customer payment data, particularly card data, from checkout systems.

Retail and eCommerce businesses are also attacked through their websites. These attacks often take the website offline, resulting in lost sales and frustrated customers - you wouldn't want your website to go down during Black Friday or the festive season!

One common way of doing this is a distributed denial-of-service (DDoS) attack, in which an attacker floods an eCommerce platform with traffic from a large number of compromised machines, for example a torrent of fake orders, login attempts or customer service enquiries, until the site can no longer serve genuine customers.

With Black Friday, Cyber Monday and the busy Christmas period now taking hold, we want to educate you on the threats you can face with new devices, eCommerce stores, payment gateways, impersonation fraud and how to keep your customer data safe.

Be aware that ransomware can affect a business regardless of size and sector, but businesses with staff on annual leave over Christmas, when an attack can go unnoticed for longer, especially need to make sure they understand what ransomware is and why it is important to stay secure.

Five top tips to protect your online store from cyber attacks

Business owners should make sure they understand the risks of running a retail or eCommerce store. To help, we have put together five top tips to protect your business from cyber-attacks.

1. Double up with Two-factor Authentication

Two-factor authentication (also known as 2FA or two-step verification, and a form of multi-factor authentication) is designed to stop cybercriminals accessing your accounts even if they obtain your passwords.

With 2FA, any new device trying to log in or make account changes must pass a second check before access is given. The second factor is usually a single-use code sent by SMS, email or phone call, or generated by an authenticator app on your smartphone; a physical security key is stronger still. Prefer an app or security key over SMS where you can, because SMS codes can be intercepted or redirected by an attacker who takes over your phone number.

Turn on 2FA for your email system and social media accounts, and for the administrator login of your eCommerce platform and payment provider.

2. Store your passwords securely and make sure they are strong

Your first level of protection when securing your online accounts or customer data is a strong password. Complex passwords can be difficult to remember, which often leads people to choose weaker passwords or reuse them, so the National Cyber Security Centre (NCSC) encourages businesses to use three random words, such as HouseForestFlower. A long password like this protects against brute-force attacks, where an attacker tries many passwords in the hope of guessing the right one.

The aim of a strong password is not that you cannot remember it, but that cybercriminals struggle to guess or crack it. Length does most of the work; adding symbols, capital letters and numbers makes it stronger still, provided it does not push you into reusing the same password across accounts.

Default passwords must always be changed, and you should change a password immediately if you see suspicious activity on the account or learn that the service it protects has been breached.

To keep track of your passwords, use a password manager. It works across all your devices, stores your passwords securely and can generate a unique, strong password for every account, so a breach at one site does not expose the others.

3. Regularly backup your data

You rely on business-critical data such as customer details, quotes, orders and payment records (or, for education establishments, coursework and examination files). How long would you be able to operate without them?

All businesses, regardless of size and type, should take regular backups of their important data, and make sure that these backups are tested so you are confident they can be restored.

Ransomware (and other malware) often spreads automatically to any storage attached to an infected machine, so a backup drive that is left plugged in, or a network share that is always mounted, can be encrypted along with everything else, leaving you nothing to recover from. Protect digital backups with a password or encryption, keep at least one copy offline or otherwise isolated from your network, and make sure the accounts used for day-to-day work cannot delete or overwrite them.

By doing this you are ensuring your business can still function after a flood, fire, physical damage or theft. And if you have backups you can quickly restore, a ransomware attack cannot hold your data to ransom. Bear in mind, though, that many ransomware gangs now also steal data before encrypting it and threaten to publish it, so backups remove the pressure to pay for decryption but do not remove the need to protect the data in the first place.

4. Remember your updates

Every piece of software your business uses, whether payment transaction software or a digital stock management system, offers the potential for unauthorised access and exploitation.

Keep computers, devices, applications, and software patched and up to date, and where you can, add the use of two-factor authentication with strong passwords.

Regularly patching and installing software updates protects your devices because updates fix newly discovered flaws and vulnerabilities. Once a fix is published the flaw becomes public knowledge, and cybercriminals move quickly to exploit it on any device that has not yet been updated, to break in and steal data. Installing updates as soon as possible closes that window.

When setting up new devices you should also remove any unnecessary pre-installed software, while ensuring that they have firewall protection enabled and are running up-to-date anti-virus software.

5. Pay attention to the details

Human error is one of the main contributing factors in the majority of cyber security breaches; an often-cited IBM report found that 95% of cyber security breaches involved human error in some form.

Whilst people can often be the weakest link in the chain, if educated they can become your strongest asset in protecting your business. Cybercriminals will try to lure your employees into clicking a malicious link or opening an infected attachment in an email (a phishing email), often by impersonating a supplier, a courier, a customer or your own bank.

The key to security awareness training is to equip all your employees with enough awareness to combat these threats. Employees need to be taught which clues indicate a phishing attempt, such as a sender address that does not match the name shown, a reply address that goes somewhere else, a link whose real destination differs from the text displayed, or pressure to act immediately, and how to report it when they see one.
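Those clues can also be checked mechanically. The added example below (written for this article, not part of any mail product or of the original post) parses a raw email with the Python standard library and reports the four clues just listed. Both messages are constructed samples, and the short list of brands and the domains they really send from is an assumption for the demo; in practice it would hold the suppliers, couriers and banks your staff actually deal with.

```python
"""Added example: spotting the clues in a suspicious email.
Written for this article with the standard library; both messages are constructed."""
import re
from email import policy
from email.parser import BytesParser
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed for the demo: brands your staff deal with and the domain each really uses.
KNOWN_BRANDS = {"paypal": "paypal.com", "royal mail": "royalmail.com", "dpd": "dpd.co.uk"}
URGENCY = re.compile(r"\b(urgent|immediately|within 24 hours|suspended|verify your account|final notice)\b", re.I)


def registered_domain(host: str) -> str:
    """Reduce a hostname to its registered domain (crude two/three-label rule, fine for a demo)."""
    parts = host.lower().rstrip(".").split(".")
    if len(parts) >= 3 and parts[-2] in {"co", "org", "gov", "ac"} and len(parts[-1]) == 2:
        return ".".join(parts[-3:])
    return ".".join(parts[-2:])


def host_of(url_or_domain: str) -> str:
    if "://" not in url_or_domain:
        url_or_domain = "http://" + url_or_domain
    return urlparse(url_or_domain).hostname or ""


class LinkCollector(HTMLParser):
    """Collects (href, visible text) for every <a> in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def phishing_clues(raw: bytes) -> list:
    """Return a list of (clue kind, detail) found in one raw email message."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    clues = []
    sender = msg["From"].addresses[0]
    sender_domain = registered_domain(sender.domain)
    # 1. The display name claims a brand, but the address is not that brand's domain.
    for brand, real_domain in KNOWN_BRANDS.items():
        if brand in sender.display_name.lower() and sender_domain != real_domain:
            clues.append(("impersonation", f"'{sender.display_name}' sent from {sender.domain}"))
    # 2. Replies are quietly redirected to a different domain.
    if msg["Reply-To"]:
        reply_domain = registered_domain(msg["Reply-To"].addresses[0].domain)
        if reply_domain != sender_domain:
            clues.append(("reply-to", f"replies go to {reply_domain}, not {sender_domain}"))
    # 3. The link text shows one site while the real destination is another.
    html = msg.get_body(preferencelist=("html",))
    if html is not None:
        collector = LinkCollector()
        collector.feed(html.get_content())
        for href, text in collector.links:
            if href and re.match(r"^(https?://)?[\w.-]+\.[a-z]{2,}", text, re.I):
                shown, real = registered_domain(host_of(text)), registered_domain(host_of(href))
                if shown != real:
                    clues.append(("link", f"text says {shown}, link goes to {real}"))
    # 4. Pressure to act now, before you stop and think.
    body = msg.get_body(preferencelist=("plain", "html"))
    text = str(msg["Subject"] or "") + " " + (body.get_content() if body else "")
    hits = sorted({m.lower() for m in URGENCY.findall(text)})
    if hits:
        clues.append(("urgency", ", ".join(hits)))
    return clues


# Constructed sample: a typical account-suspension lure.
PHISH = b"""From: "PayPal Security" <alerts@paypa1-secure.com>
Reply-To: recovery@mail-support-desk.net
To: owner@example-shop.co.uk
Subject: Your account has been suspended
Content-Type: text/html; charset="utf-8"

<html><body><p>Your PayPal account has been suspended. Please verify your account within 24 hours.</p>
<p><a href="http://paypa1-secure.com/login">https://www.paypal.com/signin</a></p></body></html>
"""

# Constructed sample: an ordinary message from a supplier.
LEGIT = b"""From: "Jo Bloggs" <jo@supplier-example.co.uk>
To: owner@example-shop.co.uk
Subject: November invoice
Content-Type: text/plain; charset="utf-8"

Hi, please find attached the invoice for November. Thanks, Jo
"""

if __name__ == "__main__":
    for kind, detail in phishing_clues(PHISH):
        print(f"{kind:14} {detail}")
    print("legit message clues:", phishing_clues(LEGIT))  # []
```

None of these checks is conclusive on its own (a marketing email may well say "within 24 hours"), which is exactly the point of training: staff learn to notice that several clues line up and to report the message rather than click.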



Report all Fraud and Cybercrime to Action Fraud by calling 0300 123 2040 or online. Forward suspicious emails to Report SMS scams by forwarding the original message to 7726 (spells SPAM on the keypad).



The contents of blog posts on this website are provided for general information only and are not intended to replace specific professional advice relevant to your situation. The intention of East Midlands Cyber Resilience Centre (EMCRC) is to encourage cyber resilience by raising issues and disseminating information on the experiences and initiatives of others. Articles on the website cannot by their nature be comprehensive and may not reflect most recent legislation, practice, or application to your circumstances. EMCRC provides affordable services and Trusted Partners if you need specific support. For specific questions please contact us by email.


EMCRC does not accept any responsibility for any loss which may arise from reliance on information or materials published on this blog. EMCRC is not responsible for the content of external internet sites that link to this site or which are linked from it.
