What threatens store data and where to start protection
The database with products, customers, and sales history for a store has the same value as the goods on the shelves. It can be lost in a single evening: due to ransomware, a stolen password, or an employee's mistake. In this article, we analyze which threats are relevant to Ukrainian retail in 2026, what to do during an incident, and how to set up protection without an IT staff.
If the attack is happening right nowDisconnect the affected computer from the network and the Internet (unplug the network cable, turn off Wi-Fi), but do not turn off the power. Do not delete files, do not run "treatment", and do not connect the backup drive. Record what you see on the screen (take a photo) and contact a specialist. You can report the incident to CERT-UA: incidents@cert.gov.ua, +38 (044) 281-88-25.
Why this applies specifically to small stores
The common belief that "we are too small to be attacked" is not true. According to the Verizon DBIR 2025 report, ransomware was present in 88% of breaches in small and medium-sized businesses versus 39% in large companies. The reason is simple: small businesses rarely have a dedicated IT specialist, updates are installed irregularly, and backups are often stored on the same computer as the primary data.
The Ukrainian context adds risks. According to the State Service of Special Communications, in 2025 CERT-UA processed almost 6,000 cyber incidents, and the number of enemy attacks increased by 37% compared to the previous year. In the analytical report for the second half of 2025, CERT-UA notes that attackers increasingly seek to gain long-term covert access to systems and attack the personal mailboxes of employees to bypass corporate email protection.
For a store, the consequences are the same regardless of who attacked: the cash register doesn't work, inventory balances are unknown, and debts to suppliers and customer orders have to be restored from memory.
Main threats to the store
Ransomware
Malware encrypts files on the computer and in accessible network folders, and then demands a ransom for decryption. The employee sees that documents and the database do not open, and a payment demand appears on the screen or in files. For a store, this means stopping sales: without the database, there are no prices, inventory balances, or settlement history. According to Verizon DBIR 2025, the median ransom paid was $115,000, while 64% of affected organizations refused to pay. Payment does not guarantee data return, so the main defense against ransomware is a valid backup created before the infection.
Password and data theft
A separate class of malware (infostealers) covertly collects passwords, cookies, and documents saved in the browser. The employee sees nothing: the computer works as usual. After some time, the stolen data is used to log into email, banking, the online store admin panel, or the accounting software. Hence the rule: passwords for critical services should not be saved in the browser on the cash register computer.
Phishing
Attackers send emails or messages disguised as a bank, delivery service, supplier, tax office, or marketplace. The goal is to force you to click a link to a fake website and enter your login, password, or card details. The Cyberpolice notes that scammers create copies of bank and marketplace websites to gain access to other people's accounts. A fake address is betrayed by extra letters or numbers in the domain, so the website address must be checked before entering data.
Work account hacking
Email, store social media pages, marketplace accounts, and messengers are also business assets. A hacked account is used to send fraudulent messages to customers on behalf of the store or to resell access. To protect accounts, the Cyberpolice advises using strong passwords and two-factor authentication.
Attacks through contractors and software
A store is connected to dozens of external services: a bank, payment systems, delivery services, marketplaces, website hosting, and IT contractors with remote access. According to Verizon DBIR 2025, the share of breaches involving third parties doubled over the year. Practical conclusion: every contractor's access must be personalized, time-limited, and disabled immediately after the work is completed.
| Threat | How it enters the store | What suffers |
|---|---|---|
| Ransomware | Email attachments, hacked remote access, pirated software | Database, documents, cash register operation |
| Password theft | Infected file, malicious browser extension | Email, banking, website admin panel, social networks |
| Phishing | Email or message with a fake link | Money in accounts, card data, accounts |
| Account hacking | Weak password, lack of two-factor authentication | Reputation, customer base, online sales |
| Attack via contractor | Permanent remote access, shared passwords | The entire store infrastructure |
How attackers get into store computers
The main penetration vectors into small businesses are well known and repeat year after year:
- Email and messengers. Attachments named "invoice", "reconciliation act", "resume", or links to a "document". This is the cheapest method for an attacker, making it the most common.
- Open remote access. Attackers find direct RDP access to the server from the internet via automated scanning and guess the password.
- Pirated software and "activators". Malicious code is often installed along with cracked software.
- Flash drives and external drives. A storage device that has been on an infected computer transfers the malware to the cash register computer or server.
- Store Wi-Fi. If the guest network for visitors is not separated from the work network, anyone within the router's range can access work computers.
- Employees' personal emails. CERT-UA records the sending of malicious emails directly to personal emails, which employees also access from work computers.
Typical mistakes that make an attack possible
Based on the analysis of real incidents, CERT-UA has named the most typical mistakes of organizations that make attacks successful:
- lack of multi-factor authentication — a stolen password immediately gives full access;
- unsecured remote access — RDP and administrative interfaces are open to the entire internet instead of specific users and addresses;
- lack of system isolation — compromising one computer allows the attack to spread across the entire network;
- employees working with administrator privileges in daily tasks;
- backups on the same computer or a permanently connected drive — ransomware destroys them along with the main data.
To this list, we should add organizational mistakes typical of retail: one shared password for all cashiers, passwords on sticky notes near the cash register, fired employees with retained access, and the lack of a responsible person to oversee the above.
What to do during an incident
The sequence of actions depends on the type of attack, but the general logic is the same: stop the spread, preserve evidence, involve a specialist, and recover from a verified backup.
- Isolate affected computers. Unplug the network cable and turn off Wi-Fi on the computer showing signs of infection. This stops the encryption of network folders and the transmission of stolen data.
- Do not turn off the power unnecessarily. Data useful for analysis and recovery may remain in the RAM.
- Preserve evidence. Take photos of messages on the screen, save the suspicious email, and record the time of events. This will be needed by specialists and the police.
- Change passwords from a clean device. Email, banking, website admin panel, social networks — in that order. Passwords should be changed from a phone or a computer that was definitely not infected.
- Notify the bank. If there is a suspicion that payment data has been compromised, contact the bank to block transactions.
- Involve specialists. Notify your IT contractor. A cybercrime report can be submitted to the Cyberpolice, and the incident can be reported to CERT-UA.
What not to do
- Do not pay the ransom immediately. Payment does not guarantee decryption and marks the business as a "paying victim" for repeat attacks.
- Do not connect the backup drive to the infected computer — the backup will be encrypted along with the rest of the data.
- Do not reinstall the system or format the drives before consulting a specialist: evidence and possibly the chance to recover files will disappear along with the system.
- Do not run random "decryptors" from the internet — new malware is often disguised as them. Free verified decryptors for some ransomware are published by the Europol project No More Ransom.
- Do not hide the incident from employees working with the affected systems: they need to know what they cannot use.
How to restore operations after an attack
Technical recovery is performed in the following order:
- A specialist determines how the attacker got into the system. Without this step, the restored system will be hacked again in the same way.
- Affected computers are cleaned or the system is reinstalled from scratch. In its report for the second half of 2025, CERT-UA emphasizes that superficial recovery is not enough: without deep cleaning of systems, organizations remain open to repeat attacks.
- All passwords that could have been compromised are changed, and multi-factor authentication is enabled.
- Data is restored from a functional backup created before the breach. The backup is first checked on a separate computer.
- The discovered attack vector is closed: software is updated, remote access is restricted, and role settings are modified.
Prevention: a protection plan for the store
The UK National Cyber Security Centre, in its small business guide, boils protection down to five areas: backups, malware protection, device protection, passwords, and anti-phishing. Below, these areas are adapted to the realities of a Ukrainian store.
Protecting the server with the accounting software
The Torgsoft server is usually a Windows computer running the software and the database. Basic rules for it:
- use this computer solely for running the accounting software: no email, messengers, web browsing, or installing third-party software;
- install Windows and antivirus updates regularly, according to a schedule;
- work under an account without administrator privileges; administrator privileges should be a separate account with a separate password for settings;
- disable flash drive autorun and restrict their use on the server;
- in the accounting software itself, configure roles: the cashier sees only what is needed for their shift, while reports, warehouse balances, and customer data are available only to the owner or administrator. In Torgsoft, there are role settings and access restrictions for this purpose.
Remote access
- do not open direct RDP access to the server from the public internet;
- provide remote access via VPN or remote support software, individually for each person, with multi-factor authentication if the service supports it;
- enable access for the contractor only for the duration of the work and disable it upon completion;
- keep a list of who, from where, and to what has remote access. Review it quarterly and after each dismissal.
Passwords and two-factor authentication
- each employee has their own account and password in Windows and in the accounting software;
- passwords are long and unique for each service; a password manager is convenient for storing them;
- two-factor authentication is mandatory for email, banking, the website admin panel, marketplace accounts, and social networks;
- access of dismissed employees is disabled on the day of dismissal.
The 3-2-1 backup rule
The 3-2-1 rule means: three copies of data, on two different types of media, with one of the copies off-site (in cloud storage or on a drive in another building). A copy on the same computer protects against accidental file deletion, but not against ransomware, fire, or hardware theft. CERT-UA in its recommendations specifically emphasizes storing backups on separate data storages.
For the Torgsoft database, set up daily database archiving. Automatic copying of the archive to cloud storage is performed by the "Archive to Cloud" option: a copy is created on a schedule and stored outside the store.
Test recoveryA backup is considered functional only after verification. Once a quarter, deploy the database archive on a separate computer and ensure that the program opens and the data is current. Record the date of the check and how long the recovery took.
Torgsoft technical support will help install the software on a new or cleaned computer and deploy a valid database backup. Support cannot decrypt files damaged by ransomware: restoring requires a healthy copy created before the infection. That is why daily archiving and storing a copy off-site is the owner's responsibility.
Who is responsible for what
Protection works when a specific person is responsible for each area. For a store without a full-time IT specialist, the distribution might look like this:
| Area | Responsible | Frequency |
|---|---|---|
| Backups and their verification | Store owner or administrator | Copies daily, test recovery quarterly |
| Windows and software updates | IT contractor or administrator | Monthly |
| Reviewing access and roles | Owner | Quarterly and after each dismissal |
| Contractors' remote access | Owner or administrator | Enable for the duration of the work |
| Employee phishing briefing | Owner or administrator | During onboarding and every six months |
| Incident response | Owner together with IT contractor | According to a pre-planned schedule |
Employees are not punished for a mistake they reported themselves. Otherwise, next time, the owner will be the last to know about a suspicious email or strange computer behavior.
Store owner's checklist
- The database is archived daily, and one copy is stored off-site.
- Test recovery from the archive was conducted within the last three months.
- The server with the accounting software is used solely for running the software.
- Direct RDP access to the server from the internet is closed.
- Every employee has their own account without administrator privileges.
- Two-factor authentication is enabled for email, banking, website, and social networks.
- Roles in the accounting software limit cashiers' access to reports and customer data.
- Guest Wi-Fi is separated from the work network.
- There is a list of all remote accesses, and accesses of dismissed employees are disabled.
- Employees know who to report suspicious emails and glitches to.
- Emergency contacts are recorded: IT contractor, bank, Cyberpolice, CERT-UA.
Main conclusionAbsolute protection does not exist, but most attacks on small businesses exploit the same vulnerabilities: weak passwords without a second factor, open remote access, and backups stored next to primary data. By addressing these three points, the store eliminates the most likely data loss scenarios.
Sources
- State Service of Special Communications. CERT-UA processed almost 6,000 cyber incidents in 2025
- Analytical report CERT-UA "Cyber Threats: Ukraine" for the second half of 2025 (review by the Cabinet of Ministers of Ukraine)
- CERT-UA. The most typical mistakes of enterprises and organizations during cyberattacks
- Recommendations of the State Cyber Protection Center on enhancing the protection of information systems
- State Service of Special Communications. How CERT-UA responds to cyber incidents: from reporting to consequence elimination
- Verizon. 2025 Data Breach Investigations Report: key findings
- Verizon 2025 Data Breach Investigations Report (full report, PDF)
- NCSC. Small Business Guide: Cyber Security
- Cyberpolice. Fraudulent schemes and how to protect yourself in the digital world
- Cyberpolice. Phishing and fake accounts: how to protect yourself from internet scammers
- The No More Ransom Project (Europol and partners)

Go back to the previous step