Why the retail industry needs to rethink identity [Q&A]


The retail industry continues to be a top target for cyber criminals. Because retailers rely heavily on digital infrastructure to manage consumer data and operations, they remain an attractive target for attackers seeking financial gain or operational disruption.
The cyberattacks earlier this year hitting UK retail (Marks & Spencer, Co-op, Harrods) are the latest reminder that identity is still one of the weakest links.
We talked to Rob Ainscough, chief identity security advisor at Silverfort and former head of identity and access management (IAM) at supermarket group Tesco, to discuss what the industry needs to do to address this problem.
BN: In recent months, we’ve seen a rise in cyberattacks targeting the retail industry. What’s driving this surge, and why are retailers such attractive targets for attackers?
RA: Retailers are increasingly digital-first. The rise of e-commerce makes the sector a more attractive target for financially motivated cybercriminals, as there is a vast amount of sensitive data. Additionally, as retailers enable their front-line workforces with digital identities for increased productivity and customer service, their attack surface increases.
The attacks we saw this spring in the UK (i.e., Marks & Spencer, Co-op, Harrods) and the US targeted gaps in identity; the attackers used age-old social engineering techniques to steal credentials and weave their way into their networks. With organizations working across on-premise, cloud, and SaaS systems, exploitable identity gaps can exist anywhere.
When attacks don’t begin with identity, they end with it. The real challenge -- and opportunity -- is finding a scalable way to broadly protect identities, prevent account compromise, and stop attackers before they can exploit weaknesses. This is the number one challenge for identity teams everywhere.
BN: You believe that identity is often misunderstood in retail security. What are some of the mistakes retailers are making, especially when it comes to IAM?
RA: The retail industry has some unique challenges that make identity protection especially difficult. Retail manages a mix of online and physical storefronts -- often across hundreds or thousands of locations -- alongside third-party vendors, suppliers, and a large frontline workforce. All of these digital identities need secure, seamless access to systems. But most IAM technologies weren’t originally designed with security in mind. These tools were built to manage identity, not to secure it against the new methods of attackers focused on identity.
The biggest mistake I see is that most retailers still view identity through an operational lens, as the goal is to ensure reliable, seamless, and always-on access for workers to do their job. Treating identity this way can leave major gaps for identity-first attackers to exploit.
Today’s threat environment demands a new focus on containing the risk of compromised accounts, everywhere they’re used. Every account is a risk, and even the most innocuous-looking accounts, when compromised, can start a chain of events leading to major security incidents. Protecting the most privileged accounts only, or having unequal protection in different places (e.g., for business applications vs infrastructure running the business) is no longer tenable.
BN: Why isn’t IAM enough on its own to secure retail environments, and what needs to be built around it to provide better protection?
RA: IAM is a critical foundation, but on its own, it’s not enough to protect against today’s identity-first attackers, where every account and authentication presents a risk. In retail, where system availability directly impacts revenue and customer trust, securing and managing access to every digital identity is essential to preventing account compromise, lateral movement, and ransomware.
Organizations typically rely on two methods of defending: detecting unusual activity and responding to it, or deploying tools to block malicious behavior. But detecting subtle misuse at scale -- especially in environments with thousands of users, systems, and technologies -- is extremely difficult. And traditional prevention tools can be bypassed by attackers who operate quietly, often using legitimate credentials. Even when detected, responding in a timely manner that prevents a compromise from becoming a security incident is equally challenging. That’s why identity needs to be verified strongly, everywhere -- not just at the perimeter, but within the environment itself. Systems like servers and databases that run the business require strong, continuous authentication.
Building robust protection against account compromise -- for example, protecting accounts with MFA -- across the hybrid estate is a must to contain systemic risk and stop a single account compromise from becoming a major security incident. Most tools were not built to secure identities or be applied scalably and consistently for different roles, such as offices, stores, and warehouses.
BN: The retail industry still relies heavily on legacy systems. How can they balance operational continuity with modern identity security?
RA: Many retail organizations still run on outdated hardware and software. These systems weren’t built with today’s threat landscape in mind, and updating them isn’t always practical when availability, uptime, and cost are constant concerns for retailers.
But modern systems can be insecure too. Whether systems are old or new, if identity protections are weak, attackers will find a way, so identity security must be at the heart of every organization. Too often, identity is still managed in silos as a function of compliance and operations, particularly in people-dense industries like retail, logistics, or public sector services. What attackers understand -- and defenders under-resource -- is that it's also one of the easiest vectors to exploit.
Even in legacy environments, retailers can immediately reduce risk by restricting outdated authentication protocols like NTLMv1 to only essential applications or creating security boundaries between different parts of the retail environment to contain incidents, such as disallowing server authentication from retail sites.
BN: What steps can retailers take today to start putting identity at the center of their security strategy rather than treating it as another IT responsibility?
RA: Identity security must become a central part of retailers’ overall security strategy. That means taking immediate, tangible steps in three key areas: strengthening access controls, limiting the impact of compromise, and actively monitoring for identity threats.
- First, protect initial access points. Ensure all external access points, such as VPNs, SaaS platforms, and other internet-facing systems, are secured with phishing-resistant MFA. Harden helpdesk procedures with strict identity verification protocols and consider temporarily implementing in-person resets for your most critical accounts. Protect MFA management by ensuring that second factors can only be added or changed with appropriate identity verification, not just usernames and passwords.
- Second, prevent lateral movement. MFA must extend beyond the perimeter to internal systems and infrastructure access, especially Active Directory environments, which are prime targets for threat actors and ransomware groups. Protecting RDP alone is not enough -- this must be on all protocols (PowerShell, for example, is favoured by attackers). Implement strict controls on non-human identities, limiting where they can be used and alerting on any unusual activity patterns that could indicate compromise.
- Third, monitor identity threats continuously. Implement Identity Threat Detection and Response (ITDR) to identify anomalous behaviors like lateral movement attempts and equip your SOC to respond. Create detailed baselines of normal service account behavior and alert on deviations -- track admin account activity with particular attention to cross-tier usage where high-privilege accounts access lower-security environments.
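As an added illustration of the controls described in the answers above (restricting NTLMv1 to essential applications, disallowing server authentication from retail sites, alerting on cross-tier admin usage and on service accounts deviating from their baseline), here is a small detection pass over constructed logon events. This is example code written for this page, not Silverfort's or Tesco's tooling; the event fields, host/account tiers, subnets and allowlists are all assumptions.

```python
"""Identity-threat checks over constructed authentication events (example)."""
from ipaddress import ip_address, ip_network

# Constructed environment model; every value here is an assumption.
RETAIL_SITE_NETS = [ip_network("10.50.0.0/16")]      # store / site LANs
NTLMV1_ALLOWED_TARGETS = {"legacy-pos-app01"}         # only essential legacy apps
TIER_OF_HOST = {"dc01": 0, "sql01": 1, "legacy-pos-app01": 1, "store-pos-17": 2}
TIER_OF_ACCOUNT = {"adm-alice": 0, "svc-inventory": 1, "cashier-bob": 2}
SERVICE_BASELINE = {"svc-inventory": {"sql01"}}       # hosts seen during baselining

def is_retail_site(src_ip):
    return any(ip_address(src_ip) in net for net in RETAIL_SITE_NETS)

def check_event(ev):
    """Return the list of findings for one simplified logon event (a dict)."""
    findings = []
    user, src, dst, proto = ev["user"], ev["src_ip"], ev["dst_host"], ev["protocol"]
    dst_tier = TIER_OF_HOST.get(dst)
    # NTLMv1 is tolerated only for the applications that still need it.
    if proto == "NTLMv1" and dst not in NTLMV1_ALLOWED_TARGETS:
        findings.append("ntlmv1_outside_allowlist")
    # Security boundary: retail sites may not authenticate to servers (tier 0/1).
    if is_retail_site(src) and dst_tier is not None and dst_tier < 2:
        findings.append("server_auth_from_retail_site")
    # Cross-tier usage: a high-privilege account logging on to a lower-security tier.
    acct_tier = TIER_OF_ACCOUNT.get(user)
    if acct_tier is not None and dst_tier is not None and dst_tier > acct_tier:
        findings.append("cross_tier_admin_logon")
    # Service account reaching a host outside its recorded baseline.
    if user in SERVICE_BASELINE and dst not in SERVICE_BASELINE[user]:
        findings.append("service_account_off_baseline")
    return findings

def scan(events):
    """Map event index -> findings, keeping only events that raised something."""
    return {i: f for i, ev in enumerate(events) if (f := check_event(ev))}

SAMPLE_EVENTS = [  # constructed sample logons
    {"user": "cashier-bob", "src_ip": "10.50.3.21", "dst_host": "store-pos-17", "protocol": "Kerberos"},
    {"user": "svc-inventory", "src_ip": "10.10.1.5", "dst_host": "sql01", "protocol": "Kerberos"},
    {"user": "cashier-bob", "src_ip": "10.50.3.21", "dst_host": "sql01", "protocol": "NTLMv1"},
    {"user": "adm-alice", "src_ip": "10.10.2.9", "dst_host": "store-pos-17", "protocol": "Kerberos"},
    {"user": "svc-inventory", "src_ip": "10.10.1.5", "dst_host": "dc01", "protocol": "Kerberos"},
]

if __name__ == "__main__":
    for idx, found in scan(SAMPLE_EVENTS).items():
        print(idx, SAMPLE_EVENTS[idx]["user"], found)
```

Only the last three sample events raise findings; the first two are normal store and service-account activity and pass silently.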
By taking these steps, retailers can better protect identities, prevent account compromise, and stop attackers before they can exploit weaknesses and wreak havoc.