
Can your customer strategy stand up to cyberattack?


Recent cyberattacks on Marks and Spencer, Co-op, Harrods, adidas and – this week – Cartier and The North Face, have brought the issue of cybersecurity planning into sharp focus. While the threat of cyberattacks is nothing new, the scale of impact on household retailers has sent shock waves across the industry. If their defences aren’t up to the job and customer relationships are affected, then what hope is there for retailers with fewer resources and smaller budgets?

With the confirmed cause and longevity of disruption still largely unknown, there is much the industry can learn and put in place to minimise the consequences of such attacks. While prevention is always the ultimate goal, retailers must focus on how to manage and maintain customer relationships and reputations should the worst happen.

Keep customers on your side

Retailers can learn from previous crises – contaminated food providing a good playbook. Research evidence suggests that a crisis can help as well as undermine a company's reputation depending upon how it is handled. Being transparent from a very early stage gives a company greater opportunity to set the narrative, rather than having to later admit – often following media pressure – that the problem is actually worse than previously disclosed. In the current wave of cyberattacks, customer comments indicate loyalty and sympathy to Marks and Spencer, regarding it as a victim rather than a villain. Comments about Co-op are more ambiguous, with a suggestion that it has not been upfront about disclosing the extent of personal data loss.

Build resilience into operations

Retailers currently under attack have struggled through, but the interconnectedness of their IT systems can result in disproportionate problems arising from small details. For example, it is reported that Marks and Spencer was unable to locally print labels for food which could have overcome some supply chain problems. Also, in the wake of the Covid pandemic, many retailers decided to no longer accept cash, but retaining a cash handling ability can provide more resilience when systems experience downtime.

Practice a ‘safe mode’ of operating

IT applications often incorporate a ‘safe mode’ which provides limited functionality with minimised risks. Resilient companies should commit training time to operating sub-components of their systems in a more basic safe mode so they can be brought into use very quickly if needed. An analogy is having a backup electricity generator which is regularly tested to ensure that it is still fit for use in emergencies.

Don't request unnecessary personal data

There is emerging evidence that some groups of consumers – especially older ones – are becoming more reluctant to share personal data online. Reports of hacking will not alleviate these fears, even for trusted brands. Although cases of attackers getting into customers’ accounts to take control are very rare, disclosure of personal details could provide sufficient profile information about a customer to allow false accounts to be set up in their name. Companies rely on personal data to give them a competitive advantage, but they should not ask for unnecessary details. The Co-op, for example, uses members’ date of birth details as a sign-in method; however, such basic information may be useful if sold on to help create a false profile or identity.

Balance ease of access with security

An IT manager would typically prefer an IT system which is so secure that only a small number of people have access to it, and performs limited and straightforward functional tasks. A customer manager would typically like a system which is easy to access and provides complex linkages between different systems to allow generation of customer insights, and to extend customers’ relationships with the business. Thankfully, the days of sales and IT working in two completely separate domains are retreating, with better discussion of trade-offs within integrated and embedded teams.

Assess cost-effectiveness of IT security measures

It is easy to suggest that more should be spent on IT security, and there are many professional consultancies who are eager to sell such systems to companies. But the benefits of increased cybersecurity must be balanced against its costs – both the direct costs of the processes themselves, and indirect costs of making goods and services less accessible. For decades, a mantra of retailing has been to reduce the barriers to purchase, so additional barriers may come at a cost of lost sales. Also, retailers have typically been driven by a growth mindset, and their share price has reflected sales success. The sharp fall in Marks and Spencer’s share price following its cyberattack is a reminder that resilience is also factored into share values.

Is an occasional cyberattack a price worth paying?

Complete security is a rare state, and retailers necessarily take managed risks, for example with issues of fire, health and theft. A trade-off must be made to balance the costs and benefits of increased cybersecurity. For example, online retailers may opt to reduce the incidence of two-factor authentication with credit card companies for regular customers. This will improve customer experience by reducing one barrier to purchase, but increases the risk of fraud. In a competitive market, ease of use may be an advantage. Even a full closedown of IT systems may be worth accepting if the chances of it happening are very low and the costs of mitigation are high. A problem is that it can be difficult to predict future frequency and severity of cyberattacks.

No one is immune

Media headlines tend to highlight big companies that have been targeted, especially when the consequences are widespread and in public view. But we shouldn't forget that much smaller businesses can suffer attacks too, and for a poorly funded business which has put the majority of its sales into just one platform, the consequences can be proportionately more devastating than for a multinational company. Resilience needs to be built into planning for businesses of all sizes and sectors.

Published 6 June 2025