KnowBe4, the human risk management platform, has released a new report entitled IT and Cybersecurity Trends in UK Retail: 2025 Survey Insights. The findings revealed nearly all (99.6%) of the 250 UK retail IT security professionals surveyed are facing a significant increase in cyber threats. Notably, 58% cited an increase in helpdesk/IT support scams that exploit frontline workers.
To combat this, retailers in the UK are responding with greater investment, board-level engagement and a growing focus on Human Risk Management (HRM). The research paints a picture of an industry rapidly evolving its defences in the wake of major breaches at Marks & Spencer, Co-op and Harrods earlier this year.
Key Findings at a Glance
- Threats intensify: Nearly all respondents reported increases in phishing, fraud, supply chain exploitation and social engineering attacks.
- Supply chain weak spots: 46% identified third-party suppliers as their biggest security gap.
- Budgets and leadership rise to the challenge: 72% reported increased executive attention; 58% increased security budgets.
- Human-centric controls dominate spend: 74% invested in security awareness training, the top investment area.
- HRM over compliance: Retailers prioritise cultural change, not just education, to drive secure behaviours.
- Preparedness is there, but lacks follow-through: 91% conducted audits; 96% have an incident response plan, though only 65% have tested them.
- Ransomware reality: 71% have a dedicated budget for potential ransom payments.
Helpdesk scams (58%), phishing (47%) and credential theft (54%) were cited as the most frequent and growing threats to the UK retail sector. In addition, nearly half of respondents experienced increased attacks via third-party suppliers, an issue brought into sharp focus by the recent Mark & Spencer breach, traced back to a phished third-party vendor.
“These threat vectors highlight the human dimension of modern retail cyber risk. Phishing, credential theft and helpdesk scams all exploit human decision-making,” said Javvad Malik, lead cybersecurity advocate at KnowBe4. “The report is a reminder that cybersecurity is not just a technical challenge and organisations need to embed human-centric defences throughout operations. While we are seeing progress here, ultimately it is not enough to just have a plan on paper. In addition to an investment in awareness training, behavioural change initiatives and creating strong and positive cultures that support secure decision-making, retailers need to ensure response plans and processes are well tested and communicated to employees. It is about changing behaviour and building cultures where secure choices are second nature.”
The full report can be viewed here.
This comes after recent research from KnowBe4 revealed that the financial sector is also facing an unprecedented surge in cyber threats.
