What 2025 taught us about the importance of resilience in retail
When it rains, it rains.
This phrase has defined retail cybersecurity in 2025. What started as isolated incidents quickly escalated into prolonged and intense disruptions, revealing how interconnected and fragile modern retail operations are.
CTO and co-founder at Armis.
Over the course of the year, leading retailers around the world were affected. Global luxury brands like Gucci and Balenciaga have suffered data breaches; Victoria’s Secret was forced to temporarily suspend part of its digital operations. While Marks & Spencer, Co-Op and Harrods in the UK have all faced incidents, with disruption for M&S lasting 15 weeks.
Article continues below
Different triggers, same result: major disruptions and financial losses.
But when disruptions spread this quickly and last this long, they stop being individual attacks and start to raise a more uncomfortable question: Why was retail such a fertile ground for them in the first place?
Why disruptions spread so easily
While the number of retailers affected in 2025 may have seemed anomalous, it makes sense when viewed this way: retail is one of the most effective industries at causing maximum disruption at scale. The cyberattack on United Natural Foods, a key supplier to tens of thousands of grocery stores across North America, showed how a single compromise can have repercussions: emptying shelves, disrupting lives and triggering broader economic impact.
But it’s not just the lack of investment in security that surprised countless retailers last year, it’s also the scale of cyber exposure that retailers now face. The year’s most disruptive incidents were not caused by sophisticated zero-day exploits, but by attackers exploiting the complexity and lack of contextual understanding of how systems, assets, and users interact.
Retailers operate broad digital ecosystems that combine e-commerce platforms, cloud infrastructure, in-store operational technology, identity systems and third-party services. Each connection improves efficiency and scalability, but also introduces new exposures and risks. A weakness in one area, whether it’s a vendor, a reliable integration, or an unmanaged asset, can quickly lead to widespread disruption.
Attackers are also increasingly adept at exploiting these conditions. Rather than targeting a single critical vulnerability, they chain together low-risk weaknesses, move laterally across environments or vendors, and leverage fragmented visibility across IT, cloud storage, and operational systems. The Adidas breach is a clear example: attackers gained access through a third-party vendor, stole customer data, and demonstrated how interconnected environments can magnify the impact.
And every incident that occurred last year was made possible by the realities of modern retail operations. New systems are deployed quickly, integrations are prioritized over security hygiene, and existing infrastructure often sits alongside modern cloud services.
This creates blind spots that attackers can exploit long before an incident becomes visible. Security teams must defend constantly changing environments, often without the visibility or intelligence to anticipate where risks are developing. Many are under-resourced and struggling with the growing threat of generative AI, while trying to embed a culture of collaborative risk management.
After a tumultuous year, one thing is clear; this was not a brief burst of activity or a single bad quarter. This was a sustained exposure model that spread across the entire retail ecosystem. And as long as this exposure remains fragmented and poorly understood, the disruptions will continue to outpace the responses.
Cyber exposure becomes the foundation of resilience
What the last year has made clear is that retail resilience can no longer be built by reacting more quickly to incidents after they have happened. With AI, as well as other emerging technologies, becoming more and more common, the problem will only get worse. The scale and persistence of disruption has shown that retailers need to rethink their perception of risk in the first place.
It starts by recognizing that many of the most damaging weaknesses lie not in a single system or vulnerability, but in the relationships between software assets, platforms, and partners that underpin modern retail operations. This is where managing cyber exposure becomes essential. Rather than treating risk as a series of isolated alerts or vulnerabilities to remediate, exposure management focuses on understanding how risk arises and accumulates across an organization’s entire digital footprint.
For retailers, this footprint is particularly complex: e-commerce platforms connect directly to inventory systems, in-store operational technology is linked to core networks, identity management systems span employees, and third-party vendors or contractors are integrated into daily operations. Without a clear understanding of how these elements interact, it becomes impossible to anticipate how a seemingly minor weakness can escalate into widespread disruption.
Cyber Exposure Management provides a strategic approach to identifying, assessing, prioritizing and reducing cyber risks across an organization’s entire digital footprint. It’s about developing a vivid, contextual understanding of existing assets, the role they play in retail operations, their critical importance during peak trading periods, and the other systems or partners they depend on – whether the assets are managed or unmanaged, IT or OT, cloud-based or on-premises. It is this context that distinguishes manageable risk from systemic failure.
As attackers constantly exploit vulnerabilities, exposure management allows organizations to assess risks in terms of actual impact – not just technical severity – helping retailers prioritize exposures most likely to impact operations, customer trust and revenue continuity.
This change is ultimately about resilience, not just security maturity. By basing risk decisions on how retail operations actually work, exposure-based approaches help teams anticipate where disruptions are most likely to appear, rather than responding to them once they have already taken hold. The result is more informed decision-making across IT, security and the broader business, with risk reduction aligned with operational continuity, customer experience and revenue protection.
Resilience starts before the next incident
There is little room for complacency. Retailers have learned the hard way that disruption doesn’t happen in isolation, but across complex, interconnected environments – and that once it begins, the impact can quickly escalate and extend well beyond the initial point of failure.
Last year was a wake-up call for the entire retail industry, not just those that made headlines. The challenge now is to ask harder questions about how environments are designed, how risks accumulate in systems, and whether companies truly understand where their most critical exposure points are.
Because after all, when it rains, it rains. And the cost of inaction could now very well mean the difference between profit and financial damage suffered.
We Ranked the Best Patch Management Software.
