AQA A-level Business | Unit 3.3.4 Managing Risk

Firewall

Cyber security is not an IT problem you can switch off. It is a business risk you manage.

In 2025, a wave of cyber attacks hit some of Britain's best known retailers. Websites went dark for weeks, tills stopped working, and customer data was stolen. For a business that sells both online and on the high street, a single bad day can cost hundreds of millions of pounds and dent a reputation built over decades.

The uncomfortable truth: you can lower the chance of an attack, and you can soften the blow when one lands, but you can never make the risk zero. So how do you manage it?

Gita Locke
Head of Risk, Hartwell's
"Hope is not a plan."

Your role. You are the new Cyber Security Risk Manager at Hartwell's, a much loved retailer with 280 stores and a busy online shop. Gita has hired you and will guide you. Your job comes in two parts: decide how much to spend keeping the business safe, then, when (not if) trouble comes, lead Hartwell's through the crisis.

Gita: "Welcome aboard. The board treats cyber security as money down a drain, because nothing has gone wrong yet. That is exactly the trap. Your job is to be ready for the day it does. Can you judge how much protection is enough, and hold your nerve when the worst happens? Let's find out."

Hartwell's, Gita Locke and the colleagues you will meet are invented for this activity. The events are based on real things that have happened to large retailers.

Data sources & notes

The scenario draws on publicly reported cyber attacks on major UK retailers in 2025. For context: one well known retailer had online orders suspended for roughly six weeks, reported around £300 million in lost operating profit and over £100 million in one off response costs (partly offset by about £100 million of cyber insurance), and saw a rival pick up displaced shoppers. Industry research (NFU Mutual) reported that roughly 63% of retailers had been hit by cyber crime. Figures are approximate and used only as neutral, illustrative context; no business is portrayed unfavourably. Example data, as of June 2026.