
Third of in-store retail devices using software years behind

Nearly a third of all devices used in retail stores are running operating systems that are four or five generations behind current releases, according to data from Omnissa’s State of Digital Workspace 2026 report. The analysis, drawn from millions of enterprise devices, identifies retail as one of the weakest sectors for system updates, with many machines tied to older inventory and store management software that cannot easily be upgraded.

Why retail devices are so outdated

The root cause lies in the patchwork of legacy technology that retailers rely on to keep stores running. Point-of-sale infrastructure, stock control systems and back-office software are often deeply embedded, years old and no longer supported with security patches. Upgrading the operating system would demand replacing or rewriting these applications, a costly and disruptive process that many retailers avoid. Omnissa’s report notes that this creates a “shadow perimeter” of unpatched devices, making it harder for IT teams to maintain visibility and control.

Matt Coppinger, chief technology officer at Omnissa, said: “When systems fall several versions behind, it creates weak points across payments, inventory and frontline operations. It also makes life harder for store staff, turning simple tasks into slower, more frustrating processes.”

Research from PureCyber estimates that cyber-attacks on the retail sector rose by 34% in 2025 compared with the previous year, and ICO data shows a clear upward trend in reported incidents — from 751 in 2019 to 2,736 in 2024. Despite this, a UK government survey found that 44% of retail businesses treat cyber security as a low priority, compared with 27% of businesses overall. Only 22% of retail firms had a board member responsible for cyber security, significantly fewer than in finance or information and communications sectors. The same survey found that 70% of retail organisations were using outdated software, 80% had email security vulnerabilities, and 58% were exposed to ransomware risk.

Unsanctioned AI usage surges

Alongside the operating system lag, the Omnissa report highlights a near-1,000% year-on-year surge in the use of AI assistants on work devices. Staff are increasingly turning to consumer tools such as ChatGPT and Gemini outside formal IT oversight, a trend the report describes as feeding the “shadow perimeter”. The scale of the shift is stark: across the millions of enterprise devices analysed, AI assistant use has exploded, yet only 24% of businesses that use AI have specific cyber security practices in place to manage the risks, according to the government’s Cyber Security Breaches Survey. This gap leaves retailers exposed to data leakage, compliance breaches and the introduction of malicious code through unsanctioned AI tools.

Cyber risks already materialising

The vulnerability of the retail sector is underscored by a series of high-profile cyber incidents. Marks & Spencer suffered a significant attack over the Easter weekend of 18–21 April 2025, linked to the Scattered Spider hacking collective, which exploited weaknesses via a third-party tech supplier. The attack disrupted in-store contactless payments, online shopping and click-and-collect services, and led to a 46-day online outage. Personal customer data — including contact details, dates of birth and online order history — was compromised, although usable card or payment details and passwords were not. M&S later reported an estimated £300 million hit to profits and a potential £400 million impact on earnings.

WHSmith was also targeted, with hackers accessing data belonging to current and former employees. More than 12,500 staff had their names, addresses, dates of birth and national insurance numbers exposed; banking details were reportedly not accessed. The company stated that customer data is safe as it is stored on separate systems. It was WHSmith’s second cyber-attack, following an incident affecting its Funky Pigeon website in early 2023.

The Works experienced a ransomware attack in April 2022 that forced the temporary closure of some stores, suspended new stock deliveries and extended online order delivery times. The company said no customer payment details were compromised as those are processed by third-party networks, and it informed the Information Commissioner’s Office.

The National Cyber Security Centre reported that it dealt with a doubling of “nationally significant” cyber-attacks between September 2024 and September 2025, and the M&S incident prompted government action. In response to the rising threat, the UK government has launched a £16 million package and a new software security code of practice aimed at bolstering retail cyber defences.

The Omnissa report recommends real-time, contextual observability across devices, applications and security as the way forward, allowing teams to understand device health, prioritise updates and reduce disruption rather than relying on static reports or assumptions. The average cost of a cyber breach for retail businesses in 2025 was estimated at $3.54 million.

Thaddeus Norwell

Business & Technology Writer
Thaddeus Norwell is a business and technology writer based in London, UK. He reports on business trends, digital innovation, and regulatory developments shaping the UK economy, focusing on practical outcomes rather than speculation. His work explores how technology and policy affect companies, markets, and consumers.
