Retail under attack: The growing movement towards operational resilience

  • 09 Jun 2025
  • Rebecca

Multiple cyber-attacks on the retail sector have gathered media attention over the first half of 2025, including breaches at Co-op, Harrods, Adidas, The North Face, and Cartier. Notably, a long-term disruption for UK brand Marks & Spencer, whose online sales are still paused seven weeks after the initial attack, was caused by phishing on a third-party supplier.

BCI research[1] has noted a surge in cyber threats with 74.5% of organizations reporting an increase in cyber-attacks in 2024. Phishing emerged as the most commonly used attack method, and in response, a growing number of organizations implemented enhanced controls to better manage and mitigate cyber risks.

However, this year practitioners are implementing practices that move beyond siloed cyber security and risk management programmes into an integrated approach that aligns operational resilience with related functions.

Moving towards operational resilience

The newly released Operational Resilience Report 2025 has found organizations are taking a more integrated approach to resilience.

Nearly 70% of survey respondents have established internal working structures to improve coordination between departments. This shift in strategy is led by new regulatory frameworks including the EU Digital Operational Resilience Act (DORA) and the UK’s FCA/PRA/Bank of England requirements. 64.0% of respondents cited regulatory requirements as their top reason for implementing operational resilience programmes, whilst over a quarter stated preparation for incoming regulations as their key motivator. In addition, organizations not currently subject to regulations are also showing growth in adoption, indicating widespread application of best practice and wider recognition of operational resilience as an organizational priority.

A respondent highlighted the regulation-driven move towards integrated functions:

“Silos were a major issue in the past, but we’ve actively worked on breaking them down. Regulators expect us to demonstrate how resilience integrates across departments, from cybersecurity to IT operations.”

Operational resilience manager, financial services, South Africa

Another key element of the recent regulatory changes stresses the importance of robust third-party risk management, a challenge that Marks & Spencer is currently addressing. Practitioners have not found this an easy task with nearly half (45.1%) of organizations facing difficulties with enforcing resilience standards on external vendors.

What practitioners can do

To strengthen resilience programmes, practitioners can adopt best-practice strategies such as performing impact tolerance tests, mandated by financial regulations, to identify vulnerabilities and address the outcomes. They can also collaborate with third parties to identify gaps and risks by running joint training scenarios, such as simulated phishing exercises against their own staff. These steps go beyond restoring basic functions; they help uncover weak points that can guide strategic investment and promote organization-wide systemic resilience.

Despite significant technological advancements in recent years, the human element remains a vital component of any cyber resilience strategy. Cyber-attacks targeting the retail sector, such as the prolonged outage experienced by M&S, serve as timely reminders of the importance of systemic resilience that reinforces the entire organization, not just its digital infrastructure.

Members can download the Operational Resilience Report 2025, sponsored by Riskonnect, for more information on systemic resilience and insights into the sector’s shift towards operational resilience.


[1] https://www.thebci.org/resource/the-bci-update-series--cyber-resilience-report-2024.html
