Minimum Viable Company: How Retailers Can Stay Operational When Cyber Attacks Hit Peak Trading

Darren Thomson
Christmas reindeer decoration inside a modern building.

It goes without saying that for retailers, Black Friday and Christmas are among the most demanding trading periods of the year, putting intense pressure on everything from e-commerce and payments to logistics, inventory systems, and a myriad of other processes.

These peak periods have also become important to cybercriminals, who consistently exploit moments of maximum public attention and operational strain. The reason is quite simple: seasonal spikes amplify the impact of any disruption because downtime directly translates into the bottom line, and retailers are acutely sensitive to the consequences of a breach.

Recent attacks on UK retailers, M&S arguably being the most egregious recent example, demonstrate how quickly critical services can collapse when core systems are compromised. Even when the retailer itself is not the original target, supply chain breaches or supplier-level weaknesses can translate into frontline disruption at the worst possible moment.

Indeed, many retail outages are not caused by a direct attack on the retailer but by disruption elsewhere in their supply chain. The most common weak points are compromised suppliers, cloud platforms, logistics and fulfilment partners, telecoms providers, identity services such as Active Directory, and payment processors.

To an extent, the weaknesses are systemic. Retail is built on tightly coupled, real-time systems. A single upstream failure – whether from IT outage, data loss, or cyber intrusion – can freeze online orders, block payment authorisation, disrupt stock visibility, and delay replenishment and fulfilment.

The widely reported disruption at M&S illustrates how deeply such a failure can affect a retailer’s operations. While the company has acknowledged a security incident, the full forensic details remain private – including whether AD credential data (such as an NTDS.dit backup) was exfiltrated.

If attackers were to obtain AD credential data and thus compromise the organisation’s Active Directory, they could in theory spread rapidly across networked systems, disrupt authentication and access, and cause widespread operational failure. That scenario remains one of the most severe risks for organisations with legacy, tightly coupled infrastructure – particularly retail chains with real-time online ordering, payment, and inventory management.

This kind of incident is bad news at any time of year but especially damaging during peak periods when dependency on partners, transaction volume, and system interconnectivity are at their highest. Unfortunately, this kind of collateral damage is no longer exceptional; it has become a predictable risk that impacts even well-defended retailers.

The Minimum Viable Company approach

M&S are far from alone in having to deal with these situations, so what’s going on behind the scenes to leave so many big brands exposed?

Related:   Video Byte: Expert Predictions for 2023 - Part 2

Fundamentally, many retailers still focus primarily on prevention measures such as firewalls, access controls, and user awareness. While these measures are necessary, they are no longer sufficient given today’s threat environment and the speed at which attacks propagate across interconnected retail systems.

The practical reality is that no system is entirely secure, and as a result, the key operational question needs to shift from whether an attack can be prevented to how quickly a retailer can resume safe operations after an incident has been uncovered. In this context, recovery capability has become a much more strategic asset for retailers, particularly when every hour of downtime directly impacts revenue.

It’s also important to appreciate that recovery isn’t just about having a backup because, used in isolation, it doesn’t guarantee continuity. Instead, it depends on having access to clean, malware-free backups, with the use of cleanrooms providing a controlled environment for safely restoring critical systems without reintroducing hidden threats into production.

Forensic analysis is also needed to understand how an intrusion occurred, which weaknesses were exploited, and how to prevent similar incidents in the future. For the retail sector, this represents a shift in approach, where resilience depends not just on technology but also on strong planning, good governance, and very well-rehearsed recovery processes.

Building a better mitigation and recovery strategy is also about embracing a shift in business philosophy that prioritises operational survival. Think of it this way: many retailers struggle during an incident because they have not identified the core systems needed to keep trading. These essential elements are often referred to as the Minimum Viable Company (MVC), or the minimum set of services the business needs to operate at a basic level.

This can include components such as authentication and identity services, payment systems for in-store and online transactions, finance and key operational systems, and a range of other ‘mission-critical’ processes. The point is that recovery efforts must prioritise restoring these systems before anything else, so the business can continue operating.

Put simply, in the event of a breach, a fully defined and tested MVC plan can significantly shorten downtime and help stabilise operations while broader recovery work can continue. For businesses unfortunate enough to learn the hard way, adopting the MVC concept is likely to be one of the main positives to emerge from an otherwise highly disruptive experience.

Leave a Reply

Your email address will not be published. Required fields are marked *