From Sales to Cybertheft: The Real Cost of Connected Retail and How to Protect It

Retail: A Giant Attack Surface, Often Poorly Protected
Modern commerce is a digital giant. Networked cash registers, e-commerce, ERP systems, in-store IoT, logistics partners, cloud-based CRMs… every component of the retail ecosystem powers an efficient machine – but one that’s highly vulnerable. For cybercriminals, it’s a goldmine.
Why target retail companies? Because they combine three attractive levers:
- A massive amount of sensitive data (emails, credit cards, shopping habits);
- Valuable assets that can be resold, like gift cards or loyalty points;
- A distributed IT system – often fragmented and rarely fully mapped.
Above all, there’s constant pressure: when everything is run in real time, even an hour of downtime can cost millions. Take M&S, for example, hit by a cyberattack over Easter 2024. “Our current estimate, before mitigation, foresees an impact on the Group’s operating profit of around £300 million for 2025/26,” said the retailer. The consequences? Online orders were suspended, internal communications became complicated, and some customer personal data was stolen during the attack (including names, home addresses, phone numbers, email addresses, dates of birth, and online order histories)… not to mention the damage to the brand’s image.
Gift Cards and Loyalty Points: The New Black Gold of the Dark Web
At first glance, stealing gift cards or loyalty points might seem trivial. In reality, they’re the modern equivalent of cash: easy to liquidate, hard to trace, and often overlooked in security policies.
These assets allow attackers to:
- Make quick money (reselling them on underground forums, often at a 50% discount);
- Test system responsiveness before launching more complex attacks (ransomware, data exfiltration);
- Inject funds into money laundering schemes, by using them to purchase and resell physical goods.
Silent Attacks That Hit Where It Hurts
Forget loud ransomware for a moment. Today’s most dangerous attacks are:
- Stealthy: malware slipped in through an unprotected self-service kiosk;
- Targeted: a point-of-sale terminal compromised through a vulnerable protocol;
- Timed: triggered during peak periods to maximize impact (Black Friday, sales, Christmas).
It’s this stealth that makes them so dangerous. They don’t always shut the system down — they slow it down, disrupt it, contaminate the IT environment. A DDoS attack on a warehouse can lead to stockouts. A vulnerability in the e-commerce interface can hijack payment flows.
And sometimes, teams realize it too late.
Retail Cybersecurity: Why Traditional Tools Are No Longer Enough
Many retailers rely on a well-known combo: firewall + EDR + SIEM. But in practice:
- Firewalls can’t see what’s happening inside the network;
- EDRs don’t cover devices without traditional operating systems (POS systems, printers, IoT), nor most OT environments;
- SIEMs, though powerful, are often too verbose — they drown out weak signals and require constant expert oversight.
The result? Huge blind spots, a fragmented view, and mean-time-to-detect (MTTD) and mean-time-to-respond (MTTR) that are often far too long.
NDR: Seeing What Others Can’t
Network Detection & Response (NDR) addresses this complexity. Its core principle: monitor everything flowing through the network in real time — with no agent required. Here’s what it changes:
- Instant mapping: endpoints, traffic, users, inter-site connections, cloud, IoT…
- Behavioral detection: not based on fixed signatures, but on deviations from the norm;
- Visibility into encrypted traffic: even SSL/TLS-encrypted sessions can’t hide malicious intent;
- Business-centric alerts: alerts are prioritized based on operational impact;
- Targeted response: isolate a compromised device without shutting down the entire store.
→ In short: NDR sees, understands, and acts — without disrupting business.
When Cybersecurity Becomes a Business Issue
Modern retail can no longer separate IT from operations. A cyberattack isn’t just a technical incident:
- It stops sales.
- It forces teams to improvise.
- It damages customer relationships.
- It wipes out weeks of effort from marketing and other departments.
And the vulnerabilities aren’t just software-based. A December 2024 article in the Financial Times reported that 84% of organizations tolerate BYOD (Bring Your Own Device), even though only 52% officially allow it — and 78% have personal devices on their networks without realizing it.
Every unpatched device, poorly segmented Wi-Fi, or reused password becomes a potential entry point.
The challenge is as much cultural as it is technological.
NDR is a tool — but also a catalyst for maturity: it brings hidden risks to light, aligns security with business priorities, and pushes teams to document, structure, and plan ahead.
Secure Without Slowing Down, Protect Without Blocking Everything
The true goal of NDR isn’t to filter or block everything — it’s to keep operations running even during a crisis. In a world where shutting everything down at the slightest suspicion is no longer an option, precision is key.
Example: an NDR detects suspicious data exfiltration from a point-of-sale terminal.
- It isolates the compromised device,
- Alerts the SOC,
- And keeps all other terminals up and running.
→ Result: the store stays open, and the threat is contained.
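The scenario above, sketched as an added example (not part of the original article and not any vendor's product logic): each terminal is scored against its own baseline, and only the one that deviates is isolated. The device names, destinations, byte counts, the median/MAD scoring and the threshold are all assumptions chosen for illustration.

```python
from collections import defaultdict
from statistics import median

# Constructed sample flows: (device, destination, outbound bytes per 5-minute window).
HISTORY = [
    ("pos-01", "payment-gw", 4200), ("pos-01", "payment-gw", 3900),
    ("pos-01", "payment-gw", 4500), ("pos-01", "inventory-api", 4000),
    ("pos-02", "payment-gw", 4100), ("pos-02", "payment-gw", 4300),
    ("pos-02", "payment-gw", 3800), ("pos-03", "payment-gw", 4000),
    ("pos-03", "payment-gw", 4200), ("pos-03", "payment-gw", 4100),
]
CURRENT = [("pos-01", "payment-gw", 4300), ("pos-02", "203.0.113.50", 950000),
           ("pos-03", "payment-gw", 4000)]

def build_baseline(history):
    """Per device: destinations it normally contacts and its normal outbound volume."""
    seen = defaultdict(lambda: {"dests": set(), "bytes": []})
    for device, dest, out_bytes in history:
        seen[device]["dests"].add(dest)
        seen[device]["bytes"].append(out_bytes)
    baseline = {}
    for device, s in seen.items():
        med = median(s["bytes"])
        # Median absolute deviation: a spread estimate a single outlier cannot skew.
        mad = median(abs(b - med) for b in s["bytes"]) or 1
        baseline[device] = (s["dests"], med, mad)
    return baseline

def score_flow(baseline, device, dest, out_bytes, threshold=10):
    """Return the ways a flow deviates from its device's baseline (empty = normal)."""
    if device not in baseline:
        return ["unknown device"]
    dests, med, mad = baseline[device]
    reasons = []
    if dest not in dests:
        reasons.append("new destination")
    if (out_bytes - med) / mad > threshold:
        reasons.append("outbound volume spike")
    return reasons

def plan_response(baseline, current):
    """Isolate only devices showing two deviations; alert on one; the rest stay online."""
    plan = {device: "keep online" for device in baseline}
    for device, dest, out_bytes in current:
        reasons = score_flow(baseline, device, dest, out_bytes)
        if len(reasons) >= 2:
            plan[device] = "isolate + alert SOC"
        elif reasons and plan.get(device) != "isolate + alert SOC":
            plan[device] = "alert SOC"
    return plan
```

Requiring two independent deviations before isolating is what keeps a busy but legitimate terminal online: a volume spike to a known destination only raises an alert.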
Retail Cybersecurity: The Invisible Backbone of Trust
When everything’s working, no one talks about cybersecurity. But the moment systems freeze, it becomes the central issue. And in an era where customer trust is the only true loyalty that can’t be bought, cybersecurity must become a strategic pillar.
Investing in NDR means:
- Mapping the invisible,
- Detecting the abnormal,
- Prioritizing what matters most,
- Responding fast,
- And most of all — never being caught off guard.
Retail can no longer afford to neglect its security.
Retailers know everything about their customers — it’s time they know just as much about their own networks.