Retailers prepare for ransomware threats

Incident response exercise convened NRF members to share insights and best practices
VP, Retail Technology & Cybersecurity; Executive Director, Center for Digital Risk & Innovation

Learn more about key ways to mitigate cyber risks at NRF PROTECT 2022.

In May 2021, Colonial Pipeline was hit by a ransomware attack that led to a fuel shortage in the eastern United States for several days. Cyberattacks of this nature — that encrypt and block access to companies’ digital assets, then offer to restore access if a “ransom” is paid — have been occurring for more than 30 years. The Colonial Pipeline incident brought a renewed focus to the long-standing threat; in June, the White House issued a strikingly direct open letter to the private sector calling for greater action by businesses to prevent ransomware attacks.

Every business sector faces risks of ransomware attacks. The risks to retail include disrupted in-store operations or online sales fulfillment and being locked out of inventory management or financial systems. In more recent cases, ransomware attackers are carrying out a “double extortion” scheme — stealing companies’ valuable information and threatening to sell it or release it publicly if the ransom is not paid.

Retailers need to undertake measures to prevent ransomware attacks, including training employees to recognize phishing emails and expanding the use of multi-factor authentication for information systems, especially for remote access such as VPN and remote desktop and for administrator accounts, which are common initial entry points. They also need to ensure they have secure and up-to-date backups of critical systems and data. Because attackers routinely seek out and delete or encrypt backups before deploying ransomware, those backups should include copies that are offline or otherwise immutable, and restoring from them should be tested regularly; if companies can actually restore their data, they are far less vulnerable to the pressure to pay a ransom for decryption, although backups alone do not remove the leverage of a double-extortion data theft.

Retailers can also hold incident response exercises — involving all parts of leadership, not just cybersecurity teams — and ask the questions they will face under time pressure during a ransomware event: How do I determine the scope of a potential attack, and how can I validate this information? Who should I contact externally when an incident takes place? How do I handle customer and media inquiries? What factors should I consider in deciding whether or not to pay the ransom?

On September 17, NRF held a ransomware incident response exercise in partnership with The Chertoff Group to go through a detailed scenario that forced participants to think through these difficult questions. More than 120 retail leaders from NRF member companies, working in security, technology, legal, finance and communications roles, participated in the exercise and shared candid insights on ransomware preparations and how they might address such questions.

There is no foolproof way to prevent ransomware. Attackers are constantly innovating new types of attacks, including software supply chain attacks on third-party IT systems. But exercises like this can help companies to be better prepared and realize that they are not in this fight alone. Even companies that are direct retail industry competitors have a shared interest in preventing and disrupting ransomware.

NRF held this exercise as part of its broader commitment to help the retail industry address cybersecurity challenges — a commitment it fulfills through the ongoing dialogue within its IT Security Council, through its cyber-threat sharing portal (the NRF Cyber Risk Exchange), cyber-related content at events like NRF PROTECT, and engagement and advocacy on cyber policy issues. If you are interested in learning more about these activities, you can reach out to NRF at
