The Reality of Modern Cyberattacks: Lessons from Recent Retail Breaches
Executive summary
Modern cybersecurity threats, particularly ransomware attacks and data breaches, pose existential risks to retail businesses, transforming cyberattacks from rare events to inevitable challenges.
Recent breaches highlight the vast attack surface in retail, with numerous entry points — from employees to third-party service providers — which are often exploited through phishing emails or malware.
Sophisticated attackers use social engineering to bypass traditional defenses like firewalls and often remain undetected for weeks as they map networks.
To counter these threats, retailers must adopt an "assume breach" mentality by prioritizing Zero Trust architectures, multi-factor authentication (MFA), and microsegmentation to limit lateral movement and protect critical data.
The financial stakes are high, with retailers facing staggering losses — up to approximately US$13.5 million weekly in some cases — underscoring the need for restructured cyber insurance.
To strengthen resilience against phishing attacks, scams, and unauthorized access, it’s essential to implement incident response plans, board-level governance, and awareness training, and to prioritize actions like mapping legacy systems, implementing MFA, and restructuring insurance.
The new business reality: When, not if
In the digital age, cyberattacks have evolved from occasional nuisances to existential threats that can cripple even the most established businesses. Major retail ransomware attacks and data breaches not only provide an unprecedented understanding of the reality of modern cyber warfare, but also offer crucial lessons for business leaders who are navigating an increasingly dangerous digital landscape.
The sobering truth is that cyberattacks are no longer an "if" but a "when" scenario for retail businesses — and when they strike, the impact is staggering. Dealing with sophisticated hackers can upend every aspect of business operations overnight.
For large retail organizations, the attack surface is enormous. With tens of thousands of people working on systems — from store colleagues to contractors across multiple locations and countries — the potential entry points are virtually limitless.
This reality forces a fundamental shift in how retailers must think about cybersecurity: The perimeter is permeable, and attackers only need to be lucky once. Even an unsuspecting employee who clicks on a link in a phishing email can give cybercriminals the initial foothold to install malware or ransomware.
Understand the anatomy of a modern cyberattack
Modern attacks begin with what the cybersecurity industry euphemistically calls social engineering: sophisticated impersonation techniques that go far beyond simple password phishing. Hackers don't simply call employees and ask them to reveal sensitive information; they often pose as legitimate employees armed with detailed personal information, and commonly involve third parties in the deception.
The success of these modern attacks reveals critical vulnerabilities in most access management and endpoint detection systems, because sophisticated cybercriminals are often able to remain undetected for days or even weeks after initial penetration while they quietly establish footholds and map internal systems.
This extended dwell time highlights a harsh reality: Once attackers gain a foothold and move laterally, organizations can often face a lengthy process of system rebuilding, regardless of their incident response speed.
Address the legacy systems challenge
One of the most significant challenges addressed in the report was the added complexity of legacy systems. Most retailers that have been operating for decades inevitably have myriad back- and front-office systems that combine on-premises infrastructure, cloud services, and various operating systems. This complexity makes it exponentially more difficult to compartmentalize systems effectively, enabling easier lateral movement for attackers once they have secured that initial beachhead.
The reality is that while retailers may strive for perfectly organized and compartmentalized systems, achieving completely watertight security boundaries remains exceptionally difficult. In most cases, the interconnectivity required for modern business operations — in which hundreds of systems must communicate across a huge number of locations — creates vulnerabilities that traditional security measures like firewalls can’t easily eliminate.
Embrace the “assume data breach” mentality
Given these vulnerabilities, the most important consideration is how quickly you can detect, contain, and recover from a data breach to minimize data loss and downtime.
The most crucial shift is the transition from a prevention-focused mindset to an "assume data breach" mentality. With possibly tens of thousands of potential entry points, an organization’s focus must shift from keeping attackers out to limiting damage once they inevitably get in.
This approach requires rethinking fundamental security strategies. Rather than investing solely in perimeter defenses, for example, retailers must build systems that can fail gracefully and recover rapidly. Most important, critical systems and sensitive data need to be isolated using a Zero Trust, least-privilege mindset and architecture.
Business continuity in the digital age
Perhaps the most striking advice from security experts is deceptively simple: "Make sure that you can run your business on pen and paper." This isn't hyperbole — it's a practical necessity. When systems are compromised, organizations may need to operate manually — not for days or weeks, but for months.
The financial losses due to a business disruption can be astonishing. In a recent attack, one retailer lost approximately US$13.5 million in profit for each week their online operations were disabled. This wasn't just lost revenue: It represented the complete disruption of the digital business models that have become fundamental to modern retail operations.
The true cost of recovery
Recovery from a sophisticated cyberattack is a complex, multistage process that can take weeks or even months to complete. Even when customer-facing systems are restored, for instance, back-office systems may still be offline, leaving the retailer’s supply chain nonoperational.
One of the best ways to build a defense that keeps up is to implement what experts call "rings of steel"; that is, highly protected environments with no remote access, where all system rebuilding requires a physical presence in secured data centers. This approach takes longer but provides the security necessary to prevent reinfection during the vulnerable recovery period and supports decryption efforts if needed.
Rethink cyber insurance and risk management
The financial impact of cybersecurity breaches reveals another critical insight: Most retailers structure their cyber insurance incorrectly. While traditional strategies have focused on insuring against minor incidents, the expanded attack surface and increasing costs associated with recovery have flipped the script. In today’s cyber defense landscape, organizations should instead consider self-insuring for smaller losses and focus insurance coverage on catastrophic events.
This restructuring recognizes that cyberattacks can result in damages reaching hundreds of millions of dollars. Even so, the insurance claim process itself can take 18 months, meaning that organizations must be prepared to weather significant financial impact while recovery proceeds.
Expand board-level governance and incident response planning
To support these financial and operational strategies, governance and board involvement must expand beyond risk committees and incident response teams to also include regular scenario planning and simulation exercises. Aligning these exercises with National Institute of Standards and Technology (NIST) and Cybersecurity and Infrastructure Security Agency (CISA) guidelines ensures a structured approach to preparedness, although real attacks can often be far more intense and complex than any simulation can capture.
This reality doesn't diminish the value of preparation but emphasizes the need for boards to understand the true nature of cyberthreats. Investing in cyber resilience rarely delivers an immediate return, making it a tough sell — until a cyberattack hits and proves its value. That’s why having a robust incident response plan is essential.
Build collective cyber resilience
The broader implications for cybersecurity threats are profound. For example, a coordinated ransomware attack targeting multiple major retailers, amplified by social media campaigns spreading fears of food shortages, could trigger widespread public panic and economic disruption.
This scenario highlights two critical gaps in current incident response frameworks:
Government support for retail businesses during major cyber incidents is often insufficient. The process of engaging appropriate law enforcement can take weeks, delaying recovery as cases escalate from local police to specialized cybercrime units.
Many serious cyberattacks go unreported globally, creating dangerous intelligence gaps that weaken both national and international cybersecurity efforts.
Addressing these challenges requires a robust public-private collaboration, streamlined government response processes, and mandatory reporting requirements for material attacks above certain thresholds. Sharing real-time intelligence across borders is also crucial for building collective defenses against sophisticated threat actors who operate internationally.
Implement multi-factor authentication, awareness training, and more
The lessons from major retail breaches point to several critical actions for business leaders. It begins with implementing multi-factor authentication (MFA) across all endpoints, encouraging strong passwords, and providing employee awareness training to combat phishing emails and scams. For small businesses, adopting VPNs, secure WiFi, and security software can help prevent unauthorized access.
Take other immediate actions:
- Implement the "pen and paper test" to ensure your business can operate manually
- Restructure cyber insurance to focus on catastrophic rather than trivial events
- Develop rapid response protocols that assume breach rather than prevent it
- Map legacy systems and understand interconnection vulnerabilities
Make governance changes:
- Elevate cybersecurity considerations to board-level strategic discussions
- Conduct realistic scenario planning beyond technical simulations
- Prepare for multimonth recovery timelines and associated costs
- Establish clear communication protocols for crisis management
Make strategic investments:
- Prioritize microsegmentation and access controls
- Build protected recovery environments with "rings of steel" security
- Invest in rapid detection and containment capabilities using the most up-to-date antivirus and anti-malware tools
- Develop manual backup processes for critical operations
Microsegmentation: A security solution that eliminates lateral movement
Building on these strategic investments, microsegmentation stands out as a critical tool for retailers to secure their networks. And while perfect compartmentalization may be impossible, recent attack analysis has highlighted the value of this tactic, especially in conjunction with controlled access. The ability to limit lateral movement and implement granular access controls with permissions becomes crucial when attackers inevitably breach perimeter defenses like firewalls.
The challenge lies in balancing security with functionality. Modern businesses require systems to communicate across complex networks, but this communication must be carefully controlled and monitored. A microsegmentation solution that enables legitimate intersystem communication but stops malicious communication becomes a critical security tool that can limit the damage caused by a successful ransomware attack or data breach.
Akamai Guardicore Segmentation offers software-based microsegmentation that provides real-time visibility into network traffic, enabling security teams to detect and block unauthorized access quickly. By isolating critical data and endpoints, it prevents malware and hackers from spreading laterally across both cloud and on-premises systems, aligning with Zero Trust principles and NIST guidelines.
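The following is an added illustration of the default-deny, limit-lateral-movement principle described above; it is not Akamai Guardicore code or policy syntax. Zone names, allow rules, and the flow-log lines are constructed for the example: the script flags east-west flows that a segmentation policy would block and computes the "blast radius" an attacker holding one zone could reach by following only allowed flows.

```python
from collections import deque
from dataclasses import dataclass

# Constructed, hypothetical zone names and rules (not a vendor policy format).
# Default deny: any east-west flow not listed here is blocked and logged.
ALLOW_RULES = {
    ("store-pos", "payment-gateway", 443),
    ("store-pos", "inventory-api", 8443),
    ("office-workstation", "inventory-api", 8443),
    ("office-workstation", "email", 443),
    ("inventory-api", "inventory-db", 5432),
}

@dataclass(frozen=True)
class Flow:
    src_zone: str
    dst_zone: str
    dst_port: int

def parse_flow(line):
    """Parse one constructed flow-log line: '<src_zone> <dst_zone> <dst_port>'."""
    src, dst, port = line.split()
    return Flow(src, dst, int(port))

def is_allowed(flow, rules=ALLOW_RULES):
    return (flow.src_zone, flow.dst_zone, flow.dst_port) in rules

def denied_flows(lines, rules=ALLOW_RULES):
    """Flows the segmentation policy would block: candidate lateral movement."""
    return [f for f in map(parse_flow, lines) if not is_allowed(f, rules)]

def reachable_zones(start, rules):
    """Zones reachable from `start` by following only allowed flows (BFS)."""
    seen, queue = {start}, deque([start])
    while queue:
        zone = queue.popleft()
        for src, dst, _ in rules:
            if src == zone and dst not in seen:
                seen.add(dst)
                queue.append(dst)
    return seen - {start}

SAMPLE_LOG = [  # constructed east-west flows observed from a phished workstation
    "office-workstation email 443",
    "office-workstation inventory-api 8443",
    "office-workstation inventory-db 5432",   # straight to the database: blocked
    "office-workstation store-pos 3389",      # toward a store system: blocked
    "store-pos payment-gateway 443",
]

if __name__ == "__main__":
    for f in denied_flows(SAMPLE_LOG):
        print(f"BLOCK {f.src_zone} -> {f.dst_zone}:{f.dst_port}")
    print("blast radius from office-workstation:",
          sorted(reachable_zones("office-workstation", ALLOW_RULES)))
```

Removing all rules but one from `ALLOW_RULES` and re-running `reachable_zones` shows how each additional allowed path widens the set an intruder can reach, which is the trade-off between functionality and containment the text describes.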
The extended attack surface and third-party integration
To build robust defenses against cybersecurity threats, retailers must recognize that risks extend far beyond their own systems. Even the most robust internal defenses can be rendered ineffective when suppliers and partners become the weak link in your interconnected business ecosystem, especially when using third-party platforms for cloud services and automation.
Most important, cybersecurity is increasingly a shared responsibility. The threats we face are global in nature, operated by sophisticated hackers who may be located anywhere in the world. Building effective defenses requires unprecedented collaboration between businesses, government agencies, and international partners.
Security experts conclude that establishing superior cyber defenses could become a significant competitive advantage for nations and regions in the global economy. But achieving this vision requires immediate action, sustained investment, and a collective commitment to building a more resilient digital economy.
These external considerations reinforce the need for internal resilience strategies to protect critical data and minimize downtime across the entire retail ecosystem.
The lessons from major breaches are clear: The time for action is now, and the stakes couldn't be higher.
The reality of modern cyberattacks demands a fundamental shift in how we approach digital security. The traditional fortress mentality of keeping attackers out has proven insufficient against sophisticated threat actors who only need to be lucky once.
Instead, organizations must embrace an “assume breach” mentality, building resilience through rapid detection, effective containment, and robust recovery processes. The financial and operational impacts are too significant to address through reactive measures alone.
Retailers should prioritize regular backups and real-time monitoring by security teams to mitigate malware and reduce downtime. By integrating solutions like Zero Trust architectures, MFA, and microsegmentation, as well as fostering collaboration across supply chains, retailers can better withstand phishing attacks, data loss, and unauthorized access.
Protect your data
Take control of your defenses against ransomware attacks and data breaches. Contact us today to explore how Akamai Guardicore Segmentation can protect your critical data with microsegmentation and Zero Trust principles.
What’s next?
In part two of this blog series, we'll explore how retailers can manage the extended attack surface of their supply chain and build comprehensive cyber resilience across their entire business.