Industry insights


Online everything was the theme for 2020, and retailers continue to see demand for digital customer experiences. Already operating in an industry fraught with cyber risk and under the watch of regulators, retailers must now identify and close the gaps resulting from rapid technology innovations and continue to painstakingly protect sensitive customer data.

How does the retail industry stack up?

2.4 (basic)

The average CyQu rating for retail organizations globally is 2.4/4 (basic).

What this means

This rating indicates that cyber security maturity is at a basic level. Organizational cyber security risk management practices and technologies are not formalized. Risk is managed in an ad hoc and sometimes reactive manner. Risk management practices and technologies are not established.

Explore the most pertinent cyber risks to retail organizations, map them to key cyber security controls, and determine actions your organization can take to close cyber security gaps.


*Aon's Cyber Quotient Evaluation (CyQu) is a comprehensive cyber risk assessment that evaluates cyber risk across 9 security domains and 35 critical control areas.

Underpinned by proprietary data and expert insights, explore four key risk themes that are prominent to retail organizations today.


Navigate new exposures:

Rapid digital evolution

There is a significant disparity in cyber risk maturity across organizations in this industry. 36% of retailers indicate they are extremely vulnerable to network overload and Denial of Service (DoS) attacks. At the other end of the spectrum, 20% of retailers report advanced maturity, which suggests they have the ability to scale up securely as consumer demand for digital channels continues to rise.

Know your partners:

Third-party risk

More than half (58%) of retail organizations have inadequate third-party security measures, revealing the need for retailers to improve their ability to select and onboard third parties. While retailers excel in securing physical access to premises, stores, and offices, the testing of such security measures is weak. Physical penetration testing is not being implemented in a uniform way by 71% of organizations. It is imperative that these physical measures are tested on a regular basis to maintain robust physical security controls.

Concentrate on controls:


Given the increased number of ransomware-related attacks in recent months, it has become even more important to have effective business resilience measures in place. This is especially relevant in the retail industry, which has been increasingly moving sales and distribution processes online. Unfortunately, only 24% of retail organizations have adopted adequate business continuity and disaster recovery measures for the increasing threat of ransomware attacks. As the success of retail organizations becomes more critically dependent on having readily available e-commerce and distribution systems, these organizations will need to address the poor state of their business resilience.

Perfect the basics:


With 40% of organizations presenting a risk maturity score of less than 2, improvement is clearly needed to ensure retailers are well-versed in managing and securing data. However, the fact that 30% of organizations excel (risk maturity score above 3) suggests the industry is starting to approach a managed level of readiness.
