New findings from Six Degrees highlight a concerning gap between the perceived and actual cyber security resilience in the UK retail sector.
Despite the majority of retailers expressing strong confidence in their cyber defences, one in five concede that their current systems would fail against a cyber-attack, according to the Six Degrees Retail Whitepaper.
This discrepancy is alarming given the sector’s escalating exposure to cyber threats, with many respondents acknowledging an increased risk compared to the previous year.
Research and framework analysis
The research from Six Degrees evaluates retailer confidence against the National Cyber Security Centre’s (NCSC’s) 10 Steps to Cyber Security, examining critical aspects like risk management, identity and access management, and data security.
Confidence levels among retailers are generally high, with risk management at an 84% confidence peak. Interestingly, confidence in supply chain management, the weakest area at 76%, remains notably robust.
This confidence is in stark contrast to the frequency of supply chain attacks reported over the past year.
Practical consequences of cyber-attacks
Despite assurances about their security postures, retailers are experiencing tangible repercussions from cyber-attacks.
The most reported issues include logistical disruptions, such as challenges in restocking goods, alongside a significant impact on customer satisfaction affecting processes related to dispatch and delivery. Additionally, around 25% of retailers face issues concerning insurance, reputation, and legal risks.
Discrepancy between confidence and capability
According to Vince DeLuca, CEO of Six Degrees, retailers struggle significantly with recovery times post-attack, with only a small fraction restoring full operations within the first few weeks.
DeLuca states: “Retailers feel the impact of cyber-attacks acutely because recovery is often slow… This disconnect highlights a deeper issue: when cyber security reporting doesn’t reflect reality, businesses remain exposed.”
This sentiment is echoed in further findings where cyber security remains the top investment priority among IT decision-makers, underscoring the misalignment between perceived and actual capabilities.
Investment prioritisation
Despite high confidence levels, retailers continue to prioritise cyber security investments, even more so for those affected by recent attacks.
The survey indicates hidden weaknesses in cyber strategies, leading IT leaders to struggle with securing necessary cyber funding, with competing business priorities cited as a significant hurdle by nearly one-third of respondents.
Addressing the cyber confidence gap
DeLuca concludes, urging retailers to reassess their stance: “The message to retailers is clear: cyber security confidence does not equal resilience... True resilience requires time, commitment, cultural alignment, and leadership from the top.” He stresses the importance of continuous evaluation to bolster defences, especially in facing persistent threats within the sector.
As cyber threats continue their focus on the retail sector, proactive steps to close the confidence gap could be crucial in averting potential crises in 2026.
New independent research from Six Degrees, the secure, integrated cloud services provider, reveals a dangerous disconnect between retailer cyber confidence and real-world cyber resilience.
Data from the Six Degrees Retail Whitepaper shows that while most UK retailers are highly confident about their security posture, one in five admit their current defenses wouldn’t prevent a cyber-attack. This disconnect has far-reaching impacts because the retail sector faces an increasing volume of attacks, with respondents themselves claiming to be more at risk than they were a year ago.
Six Degrees’ research maps respondent cyber security confidence against the National Cyber Security Centre’s (NCSC’s) 10 Steps to Cyber Security, a framework covering key areas including risk management, identity and access management, and data security.
Real-world impact of cyber-attacks
Retailer confidence remains high in each category, peaking at 84% for risk management. Yet, even in the weakest area – supply chain management (76%) – confidence remains strong. This is surprising considering supply chain attacks top the list of incidents reported by respondents in the last year.
Despite reporting high confidence in their cyber security posture, respondents are clearly experiencing the real-world impact of cyber-attacks. Logistical disruptions, including the inability to restock goods, are the most common consequence.
Meanwhile, one third of retailers report a decline in customer satisfaction – often centred on dispatching, delivering, and arranging the return of goods. Around a quarter also cite issues related to insurance, reputation, and legal risk exposure.
Cyber security confidence and capability
“Retailers feel the impact of cyber-attacks acutely because recovery is often slow. Only 13% of retailers fully restore operations within the first week, and just 29% within three weeks. More than a third take between one and six months to return to normal,” says Vince DeLuca, CEO of Six Degrees.
“You would expect slow recovery times to shake confidence and prompt a rethink of cyber security strategies – but our data shows that isn’t happening. This disconnect highlights a deeper issue: when cyber security reporting doesn’t reflect reality, businesses remain exposed.”
Elsewhere in the report, findings shine a light on further issues created by this misalignment: when asked where they would prioritise additional investment, IT pioneers continue to rank cyber security highest (32%), ahead of cloud infrastructure (26%), connectivity (23%) and AI and automation (20%). This clearly demonstrates that cyber security confidence and capability aren’t aligned.
Underlying cyber weaknesses
If confidence were as strong as reported, the focus would likely shift towards other investment areas. Instead, the data shows that cyber security remains the most urgent priority, increasing in importance among respondents who have suffered from a cyber-attack in the last 12 months.
This indicates that even confident retailers, when questioned further, recognise underlying cyber weaknesses – and this creates problems for IT leaders within retail organisations. Data within the report shows that respondents who claim high levels of confidence find it harder to secure priority cyber funding, with almost a third citing competing business priorities as the top barrier.
Cyber confidence gap
Vince DeLuca concludes: “The message to retailers is clear: cyber security confidence does not equal resilience. Confidence statements are easy to make, but do they withstand scrutiny against real-world threats? True resilience requires time, commitment, cultural alignment, and leadership from the top.”
“And it’s never static – resilience can erode quickly without regular checks, assessments, and benchmarking built into defence strategies. Threat actors have consistently targeted the UK retail sector throughout 2025. Retailers who act now to close the cyber confidence gap will take a decisive step toward preventing their organisation from becoming the next headline in 2026.”