Retailers prepare for ransomware threats

Incident response exercise convened NRF members to share insights and best practices


In May 2021, Colonial Pipeline was hit by a ransomware attack that led to a fuel shortage in the eastern United States for several days. Cyberattacks of this nature — that encrypt and block access to companies’ digital assets, then offer to restore access if a “ransom” is paid — have been occurring for more than 30 years. The Colonial Pipeline incident brought a renewed focus to the long-standing threat; in June, the White House issued a strikingly direct open letter to the private sector calling for greater action by businesses to prevent ransomware attacks.

Every business sector faces risks of ransomware attacks. The risks to retail include disrupted in-store operations or online sales fulfillment and being locked out of inventory management or financial systems. In more recent cases, ransomware attackers are carrying out a “double extortion” scheme — stealing companies’ valuable information and threatening to sell it or release it publicly if the ransom is not paid.

Retailers need to undertake measures to prevent ransomware attacks, including training employees about phishing emails and increasing the use of multi-factor authentication for information systems. They also need to ensure they have secure and up-to-date backups of critical systems and data; if companies have backed up their data, they are less vulnerable to the pressure to pay a ransom.

Retailers can also hold incident response exercises — involving all parts of leadership, not just cybersecurity teams — and ask the questions they will face under time pressure during a ransomware event: How do I determine the scope of a potential attack, and how can I validate this information? Who should I contact externally when an incident takes place? How do I handle customer and media inquiries? What factors should I consider in deciding whether or not to pay the ransom?

On September 17, NRF held a ransomware incident response exercise in partnership with The Chertoff Group to go through a detailed scenario that forced participants to think through these difficult questions. More than 120 retail leaders from NRF member companies, working in security, technology, legal, finance and communications roles, participated in the exercise and shared candid insights on ransomware preparations and how they might address such questions.

There is no foolproof way to prevent ransomware. Attackers are constantly innovating new types of attacks, including software supply chain attacks on third-party IT systems. But exercises like this can help companies to be better prepared and realize that they are not in this fight alone. Even companies that are direct retail industry competitors have a shared interest in preventing and disrupting ransomware.

NRF held this exercise as part of its broader commitment to help the retail industry address cybersecurity challenges — a commitment it fulfills through the ongoing dialogue within its IT Security Council, through its cyber-threat sharing portal (the NRF Cyber Risk Exchange), cyber-related content at events like NRF PROTECT, and engagement and advocacy on cyber policy issues. If you are interested in learning more about these activities, you can reach out to NRF at
