Retailers are strengthening cyber policies after high-profile attacks
Despite a number of high-profile cyberattacks this year, the retail and e-commerce sector is leading the way in terms of alignment between policy and practice, according to new research.
The Cyber Culture Clash study, by compliance training provider Skillcast, analysed the gap between written cybersecurity policies and real-world practice across multiple sectors, to uncover how some industries may be hiding behind paperwork rather than practising what they preach.
Retail businesses emerged among the strongest performers, with privacy policies being updated almost twice a year on average – demonstrating a proactive approach to governance. This contrasts sharply with sectors like manufacturing, where policies are refreshed every three years on average.
Each industry in the study was assessed with two scores out of 260, one for policy and one for practice.
Policy covered essentials such as cybersecurity frameworks, regulatory references, and Cyber Essentials Plus accreditation, while practice assessed operational factors including staff headcount, attack rates, and phishing resilience.
Retail is one of the few to achieve near-perfect alignment, scoring 119 for policy and 117 for practice – showing that while there’s still a lot to improve upon, what’s written on paper is being meaningfully implemented.
70% of retail organisations analysed also explicitly cited ISO 27001, the global standard for information security management, in their policies. This is particularly significant for a sector that has been frequently targeted through third-party vulnerabilities, such as compromised supply chains or payment systems.
At the leadership level, every retail and e-commerce business analysed (100%) had a designated Head of Cyber or CISO, signalling that accountability is clearly defined, whereas in some other sectors the figure was 70% or lower.
And while high-profile breaches occasionally dominate headlines, only 32% of retail companies have reported a cyber attack in the past 12 months, according to gov.uk data, far lower than the worst-faring – the technology sector – at 69%.

Vivek Dodd, CEO at Skillcast said: “Our ‘Cyber Culture Clash’ research was designed to understand how effectively organisations are turning policy into practice through compliance and training. When done properly, training brings policy to life, translating rules into real behaviour, and retail is proving it can bridge the gap between preparation and execution.
“While there’s still work to be done for retailers to rebuild trust after a series of high-profile attacks, the sector is showing real progress: matching its policies with consistent training and real-world action, and evolving in step with increasingly sophisticated threats.
“But ahead of peak periods like Black Friday and Christmas, there’s an even stronger need to ensure every team member, from permanent to seasonal staff, is aligned with cybersecurity policies and practices so retailers can safeguard both customer trust and operational resilience when the stakes are highest.”
Readers can find the full Cyber Culture Clash report here: https://www.skillcast.com/cyber-culture-clash-index-report

