Recent findings from Six Degrees, a provider of secure and integrated cloud services, reveal a critical gap between perceived and actual cyber resilience among retailers. While many UK retailers express confidence in their security measures, one-fifth acknowledge that their current defenses would not prevent a cyber-attack. This gap is concerning given the increasing volume of attacks on the sector, with retailers themselves saying they are more at risk than they were a year ago.
Assessment Against Security Standards
The research conducted by Six Degrees maps retailer cyber confidence against the National Cyber Security Centre's (NCSC's) 10 Steps to Cyber Security, a framework covering key areas such as risk management, identity and access management, and data security. Confidence is high in every category, peaking at 84% for risk management and remaining strong even in the weakest area, supply chain management (76%). Yet supply chain attacks top the list of incidents respondents reported in the last year, which suggests a disconnect between confidence and reality.
Consequences of Cyber-Attacks
Despite their confidence, retailers are experiencing tangible consequences from cyber-attacks, notably logistical disruptions like difficulties in restocking goods. Furthermore, a third of retailers have observed a decline in customer satisfaction, particularly relating to the dispatch and return processes. Additional challenges include complications with insurance, reputational damage, and increased legal risks.
Security Strategy and Recovery Time
“Retailers feel the impact of cyber-attacks acutely because recovery is often slow. Only 13% of retailers fully restore operations within the first week, and just 29% within three weeks. More than a third take between one and six months to return to normal,” explains Vince DeLuca, CEO of Six Degrees. Despite these extended recovery periods, the anticipated reassessment of cyber security strategies hasn't materialized, exposing a deeper issue where security assurances do not match operational realities.
Investment Priorities Highlight Misalignment
The report reveals further discrepancies: when asked where they would prioritize additional investment, IT pioneers continue to rank cyber security highest (32%), ahead of cloud infrastructure (26%), connectivity (23%), and AI and automation (20%). This ongoing focus on cyber security suggests that confidence in this area may not be as robust as stated.
Challenges in Securing Cyber Funding
While confidence is reportedly high, there remains a struggle to secure necessary cyber funding, often due to competing business priorities, as nearly one-third of respondents indicated. This points to a recognition of underlying cyber vulnerabilities.
Navigating the Cyber Confidence Gap
Vince DeLuca emphasizes, “The message to retailers is clear: cyber security confidence does not equal resilience. Confidence statements are easy to make, but do they withstand scrutiny against real-world threats? True resilience requires time, commitment, cultural alignment, and leadership from the top.” He warns of the impermanence of cyber resilience, urging retailers to frequently evaluate and strengthen their strategies against the persistent threats that have been targeting the UK retail sector. Retailers who proactively address this gap will be better equipped to avoid becoming future targets.
New independent research from Six Degrees, the secure, integrated cloud services provider, reveals a dangerous disconnect between retailer cyber confidence and real-world cyber resilience.
Data from the Six Degrees Retail Whitepaper shows that while most UK retailers are highly confident about their security posture, one in five admit their current defenses wouldn’t prevent a cyber-attack. This disconnect has far-reaching impacts because the retail sector faces an increasing volume of attacks, with respondents themselves claiming to be more at risk than they were a year ago.
Six Degrees’ research maps respondent cyber security confidence against the National Cyber Security Centre’s (NCSC’s) 10 Steps to Cyber Security, a framework covering key areas including risk management, identity and access management, and data security.
Real-world impact of cyber-attacks
Retailer confidence remains high in each category, peaking at 84% for risk management. Yet, even in the weakest area – supply chain management (76%) – confidence remains strong. This is surprising considering supply chain attacks top the list of incidents reported by respondents in the last year.
Despite reporting high confidence in their cyber security posture, respondents are clearly experiencing the real-world impact of cyber-attacks. Logistical disruptions, including the inability to restock goods, are the most common consequence.
Meanwhile, one third of retailers report a decline in customer satisfaction – often centred on dispatching, delivering, and arranging the return of goods. Around a quarter also cite issues related to insurance, reputation, and legal risk exposure.
Cyber security confidence and capability
“Retailers feel the impact of cyber-attacks acutely because recovery is often slow. Only 13% of retailers fully restore operations within the first week, and just 29% within three weeks. More than a third take between one and six months to return to normal,” says Vince DeLuca, CEO of Six Degrees.
“You would expect slow recovery times to shake confidence and prompt a rethink of cyber security strategies – but our data shows that isn’t happening. This disconnect highlights a deeper issue: when cyber security reporting doesn’t reflect reality, businesses remain exposed.”
Elsewhere in the report, findings shine a light on further issues created by this misalignment: when asked where they would prioritize additional investment, IT pioneers continue to rank cyber security highest (32%), ahead of cloud infrastructure (26%), connectivity (23%) and AI and automation (20%). This clearly demonstrates that cyber security confidence and capability aren’t aligned.
Underlying cyber weaknesses
If confidence were as strong as reported, the focus would likely shift towards other investment areas. Instead, the data shows that cyber security remains the most urgent priority, increasing in importance among respondents who have suffered from a cyber-attack in the last 12 months.
This indicates that even confident retailers, when questioned further, recognize underlying cyber weaknesses – and this creates problems for IT leaders within retail organizations. Data within the report shows that respondents who claim high levels of confidence find it harder to secure priority cyber funding, with almost a third citing competing business priorities as the top barrier.
Cyber confidence gap
Vince DeLuca concludes: “The message to retailers is clear: cyber security confidence does not equal resilience. Confidence statements are easy to make, but do they withstand scrutiny against real-world threats? True resilience requires time, commitment, cultural alignment, and leadership from the top.”
“And it’s never static – resilience can erode quickly without regular checks, assessments, and benchmarking built into defense strategies. Threat actors have consistently targeted the UK retail sector throughout 2025. Retailers who act now to close the cyber confidence gap will take a decisive step toward preventing their organization from becoming the next headline in 2026.”