
Q&A with Cybersecurity Expert Ravi Sharma

Explore emerging retail ecosystem cybersecurity challenges and regulatory changes with Ravi Sharma, UL Solutions device security business manager.

Ravi Sharma


Manufacturers, suppliers, brand owners and retailers are facing cybersecurity challenges that can impact their shared goal: getting products to market quickly. The constant threat of cyberattacks, combined with new regulations designed to protect users and data, may slow down the cycle of innovation and threaten supply.

Ravi Sharma, a UL Solutions cybersecurity expert with a rich background in helping secure operations for retailers and payment systems, explains how retail stakeholders can address vulnerabilities by acting now.

In 2025, the retail ecosystem was pummeled by cyber incidents, ransomware attacks and data leaks, including high-profile incidents impacting suppliers, retailers and, most importantly, customers. Why are we seeing such an escalation?

That’s right — 2025 was a difficult year for cybersecurity throughout the retail ecosystem. Cyberattacks disrupted supply chains, resulting in empty grocery store shelves and in the case of one company, a $400 million (USD) profit loss.

That’s because supply chains are more complex than ever, with so many weak points. Every factory, supplier, warehouse and retail outlet is connected by networks that might be unsecured, staffed by workers using tablets and other technology with logins that can be cracked and allow cyberattackers access. At the same time, the omnichannel retail evolution means that consumers are exposing financial data via physical credit cards at the store, in-app transactions, online and social media marketplaces, and beyond.

There are many points where data can be exchanged between suppliers, manufacturers, retailers and consumers, and this is combined with inconsistent or even insufficient levels of cybersecurity infrastructure, regulations and training. These increased numbers of incidents are unfortunate but not unpredictable.


What are the biggest cyberthreats in the retail ecosystem?

Common cybersecurity incidents include social engineering or man-in-the-middle schemes, including impersonation and phishing, that exploit people to gain access to confidential systems. When bad actors gain access, they can steal data (new product designs, financial information, personally identifiable information, etc.) or make costly ransom demands.

Often, we hear stories in the media about phishing attacks that target cardholder accounts, but they can occur anywhere throughout the retail ecosystem, including the supply chain and the retail environment, by exploiting vulnerabilities in point-of-sale, inventory and logistics software or through human error.

How should the retail ecosystem prioritize cybersecurity, without slowing down the supply chain or innovation cycle?

Everything starts with risk management. By understanding where vulnerabilities exist, retail stakeholders, whether suppliers, manufacturers, store managers, etc., can make proactive choices that help create a strong, multi-layered approach to cybersecurity that fulfills regulatory requirements, anticipates new challenges, and protects both consumers and the brand.

My team of cybersecurity experts works with manufacturers and brand owners to establish a rigorous baseline of overlapping requirements informed by current cybersecurity threats plus new regulations on connected products like the EU’s Radio Equipment Directive (RED) or Cyber Resilience Act (CRA) and consumer-privacy protections such as the California Consumer Privacy Act (CCPA) or the EU’s General Data Protection Regulation (GDPR).


When it comes to data integrity, what are a few core ways to safeguard the exchange of data among supply chain partners or throughout the retail ecosystem?

Ultimately, data should be available on a case-by-case basis in which only specific information is exchanged with a trusted supplier or retailer, rather than exposing additional data unnecessarily. A more selective data exchange helps minimize risk but depends on comprehensive data classification. All too often, data classification isn’t possible because many supply-chain activities and data remain paper-based. Until more widespread digitalization is achieved, it’s difficult to support limited, encrypted data exchange.


As AI-based tools grow in importance, how should the retail ecosystem think about embracing these offerings at scale?

This touches back to our last topic, regarding data classification. AI and machine-learning models could certainly help classify data and seamlessly and automatically encrypt and transmit the appropriate information among a set of suppliers and retailers, similar to a software patch. This way, supply chain data, such as license agreements and product documentation, can update instantly, without impacting time to market or compliance.

AI can also support enhanced warehouse and inventory management. AI is used to model scenarios around product shortages, data breaches or consumer trends, and then proposes solutions that help suppliers and retailers prepare for those situations. Fewer empty shelves and cyberattacks — that could be the future for retail if AI is used optimally and more broadly.


How can training (whether that’s for employees, partners, etc.) play a role in advancing cybersecurity?

Training is critically important for all these groups and can emphasize how everyone plays a crucial role in supporting cybersecurity, protecting their company and, ultimately, the consumer.

For suppliers and manufacturers, training should focus on risk management, informed by a comprehensive risk management matrix. For example, these stakeholders need to understand per-product risks and whether the product has been tested and validated according to your requirements.

Training for frontline retail employees should focus on the systems they use daily. Baseline cybersecurity training must be tailored to payment systems, inventory management and other role-relevant technology. Also, in many stores, connected devices are on display for consumers to experience, which presents a cybersecurity risk because what’s stopping someone from plugging in a USB stick and planting ransomware?

Employees also need to understand the products on the store shelves, especially for connected devices. Every employee should understand product capabilities, whether they received third-party testing, and any certifications or verifications related to cybersecurity performance. And retailers need to have training regarding regulatory requirements. For example, understanding RED requirements and checking for RED certification is now mandatory in the EU.


Let’s focus on RED. What do retailers need to know?

RED now includes Articles 3.3(d), (e) and (f). These articles focus on cybersecurity in devices with radio capabilities (Wi-Fi, Bluetooth, cellular), specifically network protection, personal data and privacy protection, and financial fraud.

As of August 2025, all connected products sold in the EU, including retail products and point-of-sale systems that handle financial data, must demonstrate compliance with RED. There are serious penalties for noncompliance, including recalls, loss of market access and customer trust.

Manufacturers need to gain a thorough understanding of RED requirements and how to make changes during product development. Conceptual assessments, physical and functional testing can provide a roadmap for compliance and produce reports ready for your technical file or for the certification process.


Let’s talk holistically: what should manufacturers in the retail ecosystem do to strengthen their cybersecurity posture?

I think this is a great way to discuss the challenge of cybersecurity in the retail space, because it impacts every part of the retail ecosystem.

When it comes to product design and development, we highly recommend incorporating Security by Design principles that integrate security throughout the product life cycle. Not only does a Security by Design approach result in more robust protection, but it can also help advance compliance activities and get to market faster, with less risk of recall. For example, we worked with a name-brand manufacturer to develop their cybersecurity framework, support baseline security assurance and support compliance with both retailer and regulatory requirements.

An additional way to support an overarching cybersecurity strategy is through connecting with up-to-date regulatory information specific to your product portfolio. Our software platform, Global Compliance Management, provides a tailored look, while our Global Market Access team provides experienced guidance.

The final piece of a retail-centric cybersecurity strategy is testing, which manufacturers around the world trust us to provide. As more products include connectivity features, cybersecurity is impacting more product categories, from appliances to toys to wearables. Bring us your devices during development. We’ll try to attack them, break them — to help you understand their vulnerabilities.


And what about retailers? How should these important stakeholders support cybersecurity in terms of their product offerings and organizational resilience?

From our work with major retailers, my team and I advise creating and strengthening cybersecurity risk management frameworks that help evaluate which products to stock. For example, when a retailer is selecting products with connected features or IoT capabilities, they should look for (or mandate) those third-party verifications, validations and certifications that demonstrate compliance with cybersecurity requirements. Proactive action can help avoid the hassle of managing product recalls for name-brand or their own private-label products — and support greater consumer trust.
