The workaround that made sense at the time
Most retailers deal with the same constraints that other mid-sized businesses face. Technologies change and evolve. Parts of the environment had been migrated to the cloud, while other parts had not. This retailer was not ignoring security. Their e-commerce platform and customer data were in the cloud, but store systems were still tied to older POS technology that could not support modern authentication.
Since MFA could not be applied everywhere, they made a practical decision. They controlled access at the network level. A VPN was required, access was limited to known IP ranges, and systems were segmented where possible. This approach reduced exposure without interrupting operations, and it allowed the business to keep moving.
The decision itself was not the problem. The issue was that it was treated as good enough without defining how long it would remain in place.
The business moved forward, the control didn’t
Over time, the environment changed in ways that were not fully tracked back to that original decision. The company added stores. Vendors were brought in to support new systems and integrations. The cloud side of the business expanded and became more tightly connected to store operations.
Access became more complex. More users needed entry points into the environment. Exceptions were made to support business needs. Shared accounts appeared because they were easier to manage than redesigning access properly. The VPN became a central point of trust, even as the number of connections increased.
The control stayed the same while the environment around it evolved. No one reassessed whether it still aligned with how the business actually operated. It became part of the foundation without being questioned.
How a basic compromise turned into full access
The entry point was a third-party vendor account. The credentials were likely obtained through a common method such as phishing or password reuse. The attacker did not need anything advanced. The access already existed.
Once connected through VPN, the attacker was inside a trusted environment. There was no additional identity check tied to that access. The system assumed the connection was legitimate because it came through an approved path.
From there, the attacker had time to move through the environment. They identified shared credentials and looked for ways to move between on-prem systems and cloud workloads. They focused on understanding how systems were connected and where the business depended on uptime. The environment allowed this because trust was based on location rather than identity.
When the ransomware hit, it hit everything that mattered
The attack was not immediate. It was staged in a way that would create the most disruption. When the ransomware executed, it impacted both store operations and cloud systems at the same time. Stores could not process transactions. Inventory data became unreliable. The e-commerce platform went offline.
At that point, the issue was no longer contained to IT. The business could not operate in a normal way. Revenue was directly affected, and every hour of downtime increased the financial impact.
The claim review is where the real damage showed up
After the initial response, the company moved into the insurance claims process. This is where the focus shifted. The insurer reviewed how access was managed before the incident. They looked at whether MFA was enforced for remote access, how identity was controlled across systems, and whether reliance on network-based trust was appropriate for the environment.
The gaps were clear. Remote access did not consistently require MFA. Vendor access was broader than necessary. Shared credentials were in use. The environment relied on network controls where identity-based controls were expected.
From the insurer’s perspective, these were conditions that should have been addressed as the environment evolved. This changed how the claim was evaluated. It was no longer viewed only as an external attack, but as an event influenced by control weaknesses that had remained in place. That created the possibility of reduced coverage or denial.
The financial exposure no one accounted for
The business believed it had taken reasonable steps to manage risk. At one point, that was true. Over time, the environment changed in ways that were not matched by changes in control effectiveness.
That gap created a form of exposure that was not visible day to day. It only became clear when the incident occurred and when the insurer evaluated the controls in place. Insurance is often treated as a backstop, but that assumption depends on controls aligning with current expectations. When they do not, the organization can find itself carrying more financial risk than it intended.
For a CFO, this is not just a security issue. It is a question of whether the organization’s risk posture reflects how the business actually operates today.
What to look at before your insurer does
A practical place to start is identifying controls that were put in place as temporary solutions. These are often the areas where risk has had time to build without being re-evaluated.
Once identified, those controls should be assessed against the current environment. The goal is to determine whether they still provide meaningful protection or whether they have become a point of exposure. If a cyber insurance renewal is approaching, this type of review becomes even more important. It allows the organization to address gaps before they are examined during a claim.
If you are not sure how your controls would hold up under that level of scrutiny, it is worth finding out now. A focused insurability check can provide a clear view of where you are aligned and where you are exposed, before it becomes a financial issue.