Is your Retail Cybersecurity Ready for the Season's Surge?

The festive trading window brings Black Friday promotions and Christmas shopping rushes, yet retail and supply chain operators face mounting pressures that extend far beyond seasonal demand.
In a year marked by high-profile cyber attacks against major retailers and manufacturers, companies including M&S, JLR and Balenciaga continue recovery efforts while navigating one of the most operationally demanding periods in the commercial calendar.
This convergence creates operational risk. Seasonal workforce expansion, escalating ecommerce volumes and an increasingly active threat landscape intersect during the final quarter, elevating identity management to a mission-critical security control.
Cyber risk during peak trading
The final quarter has traditionally represented the period when retailers generate a disproportionate share of annual turnover. Today, however, the cyber risk profile during these months carries equal strategic weight.
Recent attacks on global retail brands have demonstrated how ransomware incidents and data breaches can rapidly paralyse warehouse operations and disrupt logistics networks. Black Friday promotions and pre-Christmas campaigns drive unprecedented traffic through digital channels and payment infrastructure.
Any compromise or outage during this window becomes immediately visible to customers, amplifying both reputational damage and financial consequences.
According to Rex Booth, CISO at SailPoint, businesses could be "betting on the Golden Quarter and Black Friday to rebuild customer confidence and boost sales following the slew of cyberattacks this year".
Booth warns that heightened traffic and transaction volumes during this period attract malicious actors who exploit the operational pressure.
Temporary workforce identity challenges
During peak season, retail and supply chain operators onboard thousands of temporary workers across stores, contact centres and fulfilment facilities, often completing the process within days or hours.
To maintain throughput, many seasonal staff receive rapid access to point-of-sale systems, order management platforms and internal support tools, sometimes with limited vetting and minimal security training.
Rex explains: "Organisations will be onboarding huge volumes of seasonal staff at speed, many of whom will be given instantaneous access to critical systems without proper training and with minimal vetting. Businesses need visibility of who can access what and when – or else an influx of staff coming and going could become a gateway for attackers."
This environment enables identity sprawl. Shared logins for tills, generic accounts designated for temporary workers and manual spreadsheets tracking access permissions create visibility gaps that threat actors can exploit.
When the seasonal rush concludes, these accounts are not always promptly revoked, leaving dormant credentials accessible to attackers well into the following year.
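The audit described above can be run against any account export. The following is an added example, not code from the article or from any vendor; the inventory records, field names and the 30-day dormancy threshold are constructed assumptions.

```python
from datetime import date

# Constructed sample inventory; field names are hypothetical, not a product schema.
ACCOUNTS = [
    {"id": "a.khan", "enabled": True, "contract_end": None,
     "last_login": date(2026, 1, 14), "holders": 1},
    {"id": "till-07", "enabled": True, "contract_end": None,
     "last_login": date(2026, 1, 15), "holders": 6},   # one login shared by six people
    {"id": "temp-1042", "enabled": True, "contract_end": date(2025, 12, 31),
     "last_login": date(2025, 12, 30), "holders": 1},  # contract over, still enabled
    {"id": "temp-1107", "enabled": True, "contract_end": date(2026, 1, 31),
     "last_login": date(2025, 11, 29), "holders": 1},  # unused for weeks
    {"id": "temp-0990", "enabled": False, "contract_end": date(2025, 12, 24),
     "last_login": date(2025, 12, 23), "holders": 1},  # correctly deprovisioned
]


def audit_accounts(accounts, today, dormant_after_days=30):
    """Return (account_id, finding) pairs for enabled accounts that need review."""
    findings = []
    for acct in accounts:
        if not acct["enabled"]:
            continue  # already revoked, nothing to exploit
        if acct["holders"] > 1:
            # Shared credentials remove individual accountability.
            findings.append((acct["id"], "shared-login"))
        end = acct["contract_end"]
        if end is not None and end < today:
            # Seasonal contract has ended but access was never revoked.
            findings.append((acct["id"], "active-after-contract-end"))
        last = acct["last_login"]
        if last is None or (today - last).days > dormant_after_days:
            findings.append((acct["id"], "dormant"))
    return findings


if __name__ == "__main__":
    for account_id, finding in audit_accounts(ACCOUNTS, today=date(2026, 1, 15)):
        print(f"{account_id}: {finding}")
```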
Systemic impact of compromised credentials
Modern retail operations rely on deeply integrated systems, with inventory, payments, logistics and customer data connected through APIs and cloud platforms. A single compromised identity with poorly governed access can serve as a pivot point, enabling attackers to move laterally across business-critical infrastructure.
The consequences extend beyond data loss. Locking staff out of core systems during incident remediation can halt order processing, delay deliveries and force stores onto manual procedures during critical trading periods.
Simultaneously, disclosure obligations and negative media coverage surrounding a breach can undermine months of effort spent rebuilding consumer trust following earlier incidents, as demonstrated by attacks on Harrods, JLR, M&S, Co-op and Balenciaga.
Rex adds: "Identity security tools automatically deactivate dormant accounts of departing employees and ensure current staff only have access to what's needed for their roles – no more, no less. This makes it harder for attackers to fly under the radar undetected. In today's threat landscape, it only takes one compromised identity and retailers could be facing weeks—or even months—of operational chaos and disruption."
Detecting anomalous identity behaviour
Even with robust lifecycle controls, retail and supply chain operators must assume some identities will be compromised through phishing, credential stuffing or targeted social engineering during busy trading windows.
Monitoring identity usage for anomalous patterns—such as logins from unexpected locations, unusual times or access to systems outside a worker's normal scope—becomes a crucial secondary defence layer.
Platforms such as SailPoint focus on behavioural analytics and policy-based alerts to flag risky activity without overwhelming security teams with false positives.
In a Black Friday context where operational noise levels peak, this intelligence capability could mean the difference between detecting an intrusion early and discovering it after days of suspicious refunds, fraudulent orders or exfiltrated customer data have accumulated.
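The three signals named above (unexpected location, unusual time, out-of-scope system) can be checked against a per-identity baseline. This is an added example, not SailPoint's logic or code from the article; the baselines, event format and the `min_signals` threshold are constructed assumptions, with the threshold standing in for false-positive control.

```python
from datetime import datetime

# Constructed baselines: where, when and what each identity normally uses.
BASELINE = {
    "temp-1042": {"sites": {"LEEDS-DC"}, "hours": range(6, 15), "systems": {"wms"}},
    "a.khan": {"sites": {"HQ-LONDON"}, "hours": range(8, 19), "systems": {"oms", "crm"}},
}

# Constructed sign-in events: timestamp,user,site,system
EVENTS = [
    "2025-11-28T07:12:00,temp-1042,LEEDS-DC,wms",
    "2025-11-28T02:47:00,temp-1042,LEEDS-DC,wms",
    "2025-11-28T09:30:00,a.khan,HQ-LONDON,payments",
    "2025-11-28T23:05:00,a.khan,UNKNOWN-VPN,crm",
    "2025-11-28T10:00:00,svc-legacy,HQ-LONDON,oms",
]


def score_event(line):
    """Return (user, reasons) listing every baseline deviation in one event."""
    ts, user, site, system = line.strip().split(",")
    profile = BASELINE.get(user)
    if profile is None:
        # An identity nobody has profiled is itself a visibility gap.
        return user, ["no-baseline"]
    reasons = []
    if site not in profile["sites"]:
        reasons.append("unexpected-location")
    if datetime.fromisoformat(ts).hour not in profile["hours"]:
        reasons.append("unusual-time")
    if system not in profile["systems"]:
        reasons.append("out-of-scope-system")
    return user, reasons


def alerts(events, min_signals=1):
    """Keep only events with at least min_signals deviations."""
    out = []
    for line in events:
        user, reasons = score_event(line)
        if len(reasons) >= min_signals:
            out.append((user, reasons))
    return out


if __name__ == "__main__":
    for user, reasons in alerts(EVENTS, min_signals=2):
        print(user, reasons)
```

Raising `min_signals` from 1 to 2 on this sample cuts four alerts to one, which shows the trade-off between noise and missed single-signal events.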



