AQA A-level Business | Unit 3.3.4 Managing Risk
Cyber security is not an IT problem you can switch off. It is a business risk you manage.
In 2025, a wave of cyber attacks hit some of Britain's best-known retailers. Websites went dark for weeks, tills stopped working, and customer data was stolen. For a business that sells both online and on the high street, a single bad day can cost hundreds of millions of pounds and dent a reputation built over decades.
The uncomfortable truth: you can lower the chance of an attack, and you can soften the blow when one lands, but you can never make the risk zero. So how do you manage it?
Your role. You are the new Cyber Security Risk Manager at Hartwell's, a much-loved retailer with 280 stores and a busy online shop. Gita has hired you and will guide you. Your job comes in two parts: decide how much to spend keeping the business safe, then, when (not if) trouble comes, lead Hartwell's through the crisis.
Hartwell's, Gita Locke and the colleagues you will meet are invented for this activity. The events are based on real things that have happened to large retailers.
The scenario draws on publicly reported cyber attacks on major UK retailers in 2025. For context: one well-known retailer had online orders suspended for roughly six weeks, reported around £300 million in lost operating profit and over £100 million in one-off response costs (partly offset by about £100 million of cyber insurance), and saw a rival pick up displaced shoppers. Industry research (NFU Mutual) reported that roughly 63% of retailers had been hit by cyber crime. Figures are approximate and used only as neutral, illustrative context; no business is portrayed unfavourably. Example data, as of June 2026.
Phase 1 of 2 · Before the attack
You have a one-off budget of £500,000 to make Hartwell's safer. You cannot afford everything, so spend it where it matters most. Each measure either lowers the chance of a breach getting through, or limits the damage and downtime if one does, or softens the financial blow.
You can push the odds down, but the bar never reaches zero. That residual risk is the whole point: prepare to recover, not just to prevent.
No attack. Sales are good. At the next board meeting, Marcus Penny taps your budget line and smiles.
You hold your nerve. Risk that has not shown up yet is still risk.
Then, on an ordinary Tuesday morning, the week before the summer sale, the phones start ringing.
The website has stopped taking orders. Tills in stores are freezing. Early signs suggest customer data has been taken. The clock is running, and every hour offline costs money and goodwill.
The plan you locked in eighteen months ago now decides how bad this Tuesday is.
Four decisions. Each one has a cost and a trade-off, shown up front. You will not know how it all lands until you have made your calls.
The fallout
This is the reasoning the job runs on. Three moves you just practised:
1. Fit the spend to the firm. A retailer that lives on its website and the trust in its name has far more to lose from downtime and a data leak than a quiet supplier would. Match the protection to what this business actually stands to lose, not to a checklist.
2. Follow the cause and effect. A cheap, tested backup does nothing on a normal day, then saves millions on the worst one. Judge a measure by the disaster it prevents, not the figure on the invoice.
3. Decide which way the balance falls. More prevention means less profit now for less damage later. Going public means a worse headline today for more trust tomorrow. There is rarely a free option. The skill is weighing the trade-off for this business, in this moment, and committing to a call you can stand behind.
The big idea: you cannot remove cyber risk, only reduce its likelihood and its impact, and be ready to recover. Under-prepare and one attack can be catastrophic. Over-prepare and you waste money the business needs elsewhere. Good risk management is proportionate, and being ready to respond matters as much as trying to prevent.