10th November 2025
Hilton London Canary Wharf
FPS Summit

Gaps identified in UK retail approach to cybersecurity

Data from a Six Degrees Retail Whitepaper shows that while most UK retailers are highly confident about their security posture, one in five admit their current defences wouldn’t prevent a cyber-attack.

This disconnect has far-reaching impacts because the retail sector faces an increasing volume of attacks, with respondents themselves claiming to be more at risk than they were a year ago. 

Six Degrees’ research maps respondent cyber security confidence against the National Cyber Security Centre’s (NCSC’s) 10 Steps to Cyber Security, a framework covering key areas including risk management, identity and access management, and data security. Retailer confidence remains high in each category, peaking at 84% for risk management. Yet, even in the weakest area – supply chain management (76%) – confidence remains strong. This is surprising considering supply chain attacks top the list of incidents reported by respondents in the last year. 

Despite reporting high confidence in their cyber security posture, respondents are clearly experiencing the real-world impact of cyber-attacks. Logistical disruptions, including the inability to restock goods, are the most common consequence. Meanwhile, one third of retailers report a decline in customer satisfaction – often centred on dispatching, delivering, and arranging the return of goods. Around a quarter also cite issues related to insurance, reputation, and legal risk exposure.  

“Retailers feel the impact of cyber-attacks acutely because recovery is often slow. Only 13% of retailers fully restore operations within the first week, and just 29% within three weeks. More than a third take between one and six months to return to normal,” said Vince DeLuca, CEO of Six Degrees. “You would expect slow recovery times to shake confidence and prompt a rethink of cyber security strategies – but our data shows that isn’t happening. This disconnect highlights a deeper issue: when cyber security reporting doesn’t reflect reality, businesses remain exposed.”

Elsewhere in the report, findings shine a light on further issues created by this misalignment: when asked where they would prioritise additional investment, IT leaders continue to rank cyber security highest (32%), ahead of cloud infrastructure (26%), connectivity (23%) and AI and automation (20%). This clearly demonstrates that cyber security confidence and capability aren’t aligned.

If confidence were as strong as reported, the focus would likely shift towards other investment areas. Instead, the data shows that cyber security remains the most urgent priority, increasing in importance among respondents who have suffered from a cyber-attack in the last 12 months. This indicates that even confident retailers, when questioned further, recognise underlying cyber weaknesses – and this creates problems for IT leaders within retail organisations. Data within the report shows that respondents who claim high levels of confidence find it harder to secure priority cyber funding, with almost a third citing competing business priorities as the top barrier.

Vince DeLuca concluded: “The message to retailers is clear: cyber security confidence does not equal resilience. Confidence statements are easy to make, but do they withstand scrutiny against real-world threats? True resilience requires time, commitment, cultural alignment, and leadership from the top. And it’s never static – resilience can erode quickly without regular checks, assessments, and benchmarking built into defence strategies. Threat actors have consistently targeted the UK retail sector throughout 2025. Retailers who act now to close the cyber confidence gap will take a decisive step toward preventing their organisation from becoming the next headline in 2026.”

To download a full copy of the Six Degrees Retail Whitepaper, click here.
