Physical security keeps your centre safe. But there’s another kind of threat that no security guard can stop, and it’s already targeting businesses like yours.
By Tommy Pell, Director at ITVET
We regularly talk about the people and systems that keep our shopping centres and retail parks physically safe. The security officers, the control rooms, the incident protocols. That layer of security matters enormously, and I’m not here to question it.
But what I want to talk about is the threat that sits just outside that frame. The one that doesn’t show up on CCTV. The one that doesn’t come through a service entrance or trigger an alarm. It arrives in an email inbox. It slips through a Wi-Fi network. It exploits a password that hasn’t been changed since the last manager left.
In many of the security reviews we carry out with centre management teams, this is the part that surprises people most. The breach didn’t begin with sophisticated hacking. It began with something ordinary that nobody thought twice about.


You’re Holding More Data Than You Think
Here’s a question I ask every centre management team I meet: Do you know exactly what personal data your organisation holds?
Most people pause at that. Because when you actually think it through, the answer is quite a lot.
Your guest Wi-Fi almost certainly collects names and email addresses at sign-in. Your loyalty or rewards app, if you have one, holds customer profiles, visit patterns, and purchase behaviour. Your marketing platform stores an opted-in database of shoppers who trust you with their contact details. Your leasing systems hold sensitive financial and legal information about every retailer on site. Your HR systems hold employee records.
That’s a significant amount of personal data. And under UK GDPR, you are legally responsible for every byte of it. Yet many organisations have never carried out a proper audit of where that data sits, who can access it, or how well it’s actually protected.
A data breach isn’t just an IT headache. It’s a regulatory issue, a reputational issue, and for the customers whose information you’ve collected – a very personal one. The ICO has real teeth, and the damage to footfall and trust that follows a publicised breach can far outweigh any fine.
“The data you’ve worked hard to build – your customer app, your Wi-Fi sign-ups, your marketing lists – is exactly what attackers are looking for.”
How It Actually Happens
Forget the Hollywood version of hacking. The reality is far more ordinary – and in many ways, far more unsettling.
The overwhelming majority of breaches start with a phishing email. Someone on your team receives a message that looks perfectly legitimate, from a supplier, from their IT provider, from a colleague. They’re busy. They click the link. They enter their password. And that’s it. An attacker now has a valid login to your systems. In the last year, the majority of cyber incidents we’ve investigated started with a single compromised email account.
From there, they don’t announce themselves. They explore quietly. They look at what you have. They map your network. They find your data. And then, when they’re ready, they make their move – whether that’s locking your systems and demanding a ransom, extracting your customer database, or both.
What makes this worse is that these attacks are becoming more convincing, not less. Attackers are now using AI to write phishing emails that are polished, personalised and completely free of the spelling errors we used to rely on as warning signs. They impersonate senior staff. They manufacture urgency. They understand human behaviour and exploit it deliberately.
And here’s the uncomfortable truth: the basics that would stop most of these attacks in their tracks – multi-factor authentication, proper email security, regular training – are still missing in a huge number of organisations.
When we review environments for new clients, it’s common to find that one or two of these simple protections are missing. Not because anyone ignored security, but because cyber risks evolve quietly in the background while teams focus on running the business.
Picture This
A centre manager receives an email, apparently from their IT provider, asking them to re-verify their account credentials. The email looks right. The branding is correct. The reason sounds plausible. They click through, fill in their details, and get on with their afternoon.
Within 24 hours, an attacker is inside the centre’s systems. Within a week, they’ve found the customer database – tens of thousands of records built up through the Wi-Fi portal and the loyalty app. A month later, there’s a ransom demand: pay, or that data goes public and every customer on that list gets an email explaining that their information was stolen on your watch.
This is not a worst-case scenario I’ve invented. It’s a pattern that plays out regularly, across sectors, including retail and property management. The centres it happens to are not careless or badly run. They just hadn’t got around to closing the gaps.
“The attack didn’t need to be sophisticated. It just needed one person, one busy moment, and one missing layer of protection.”
The Basics Go a Long Way
I’m not going to overwhelm you with a technical checklist here, because the reality is that a small number of well-implemented controls would prevent the vast majority of incidents.
The things that make the biggest difference are also the most straightforward. Multi-factor authentication – the extra step when you log in – stops account takeover attacks even when a password has been stolen. Strong, unique passwords supported by a password manager remove the single biggest vulnerability most organisations carry. Advanced email filtering blocks malicious messages before anyone has the chance to click them. Regular, tested backups mean that a ransomware attack becomes a serious inconvenience rather than a catastrophe.
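To make the first of those controls concrete, here is a small added example, written for this article rather than taken from ITVET or any product, of what "the extra step when you log in" does to a stolen password. It is a toy account store: passwords are hashed with salted PBKDF2 and the second factor is a standard RFC 6238 time-based one-time code (the same mechanism authenticator apps use). The usernames, passwords and secrets are constructed for the demo and the 30-second step and six-digit codes are the usual defaults, not anything specific to a real system. With MFA enrolled, replaying the phished password on its own is refused.

```python
"""Added example: why a stolen password alone should not be enough.

Toy account store with PBKDF2 password hashing and RFC 6238 TOTP as the
second factor. Every username, password and secret below is constructed
for the demo and is not a real credential.
"""
import hashlib
import hmac
import secrets
import struct
import time
from typing import Optional, Tuple

STEP_SECONDS = 30  # TOTP time step (standard default)
DIGITS = 6         # code length (standard default)


def hash_password(password: str, salt: bytes) -> bytes:
    # Slow, salted hash so a leaked database does not reveal passwords outright.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def totp(secret: bytes, for_time: int) -> str:
    """RFC 6238 TOTP (HMAC-SHA1, 30-second step, 6 digits)."""
    counter = for_time // STEP_SECONDS
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** DIGITS)).zfill(DIGITS)


def verify_totp(secret: bytes, code: str, now: int, window: int = 1) -> bool:
    # Accept one step of clock drift either side; constant-time comparison.
    for drift in range(-window, window + 1):
        expected = totp(secret, now + drift * STEP_SECONDS)
        if hmac.compare_digest(expected, code):
            return True
    return False


def enrol(users: dict, username: str, password: str, mfa: bool) -> None:
    """Create an account; with mfa=True a fresh 160-bit TOTP secret is issued."""
    salt = secrets.token_bytes(16)
    users[username] = {
        "salt": salt,
        "password_hash": hash_password(password, salt),
        "totp_secret": secrets.token_bytes(20) if mfa else None,
    }


def login(users: dict, username: str, password: str,
          code: Optional[str] = None, now: Optional[int] = None) -> Tuple[bool, str]:
    """Return (allowed, reason). A stolen password alone passes only when no MFA is enrolled."""
    now = int(time.time()) if now is None else now
    user = users.get(username)
    if user is None:
        hash_password(password, b"\x00" * 16)  # same cost either way: no username oracle via timing
        return False, "unknown user"
    if not hmac.compare_digest(hash_password(password, user["salt"]), user["password_hash"]):
        return False, "bad password"
    if user["totp_secret"] is None:
        return True, "password only (no MFA enrolled)"
    if code is None or not verify_totp(user["totp_secret"], code, now):
        return False, "MFA code missing or wrong"
    return True, "password + MFA"


# Constructed demo accounts: same (weak) password, one with MFA and one without.
USERS: dict = {}
enrol(USERS, "manager.nomfa@example-centre.test", "Summer2024!", mfa=False)
enrol(USERS, "manager.mfa@example-centre.test", "Summer2024!", mfa=True)

if __name__ == "__main__":
    now = int(time.time())
    # An attacker replaying the phished password, with no access to the authenticator app:
    print(login(USERS, "manager.nomfa@example-centre.test", "Summer2024!", now=now))
    print(login(USERS, "manager.mfa@example-centre.test", "Summer2024!", now=now))
    # The legitimate user, who also has the current code from their app:
    current = totp(USERS["manager.mfa@example-centre.test"]["totp_secret"], now)
    print(login(USERS, "manager.mfa@example-centre.test", "Summer2024!", current, now))
```

Run it and the first account lets the replayed password straight in, the second refuses it and only accepts the password together with the current code. Note that this is the simplest form of MFA; the same principle applies to push-based or hardware-key factors, which are also harder to phish than a six-digit code.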
And then there are your people. Technology can only do so much. The most effective thing many organisations can do is invest in regular, practical training that helps staff recognise what an attack actually looks like – because it doesn’t always look like an attack. Simulated phishing exercises are particularly powerful here. They build instincts, not just awareness.
One more thing worth mentioning: your guest Wi-Fi network. If it shares any infrastructure with your back-office systems, that is a risk that needs addressing. Your visitors’ devices should have no path, even accidentally, into your operational environment.
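The guest Wi-Fi point can be checked rather than assumed. The following is an added example, not ITVET's tooling or any vendor's format: a small audit script that reads a simplified, first-match-wins firewall export ("action source destination", one rule per line) and reports any allow rule that opens a path from the guest network into the back-office network without an earlier deny covering it. The two subnets and both rule sets are constructed for the demo; in practice you would export your own firewall or router policy and adapt the parser to its format.

```python
"""Added example: audit a firewall policy for guest-to-back-office paths.

The rule format is a constructed, simplified export (first match wins,
implicit deny at the end), not a real vendor format. The subnets are
assumptions for the demo.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

Net = ipaddress.IPv4Network

GUEST_WIFI = ipaddress.ip_network("10.50.0.0/16")   # assumed guest VLAN
BACK_OFFICE = ipaddress.ip_network("10.10.0.0/24")  # assumed operational VLAN


@dataclass(frozen=True)
class Rule:
    action: str  # "allow" or "deny"
    src: Net
    dst: Net


def parse_rules(text: str) -> List[Rule]:
    """Parse the simplified 'action src dst' export; '#' starts a comment."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        action, src, dst = line.split()
        if action not in ("allow", "deny"):
            raise ValueError(f"unknown action: {action}")
        rules.append(Rule(action, ipaddress.ip_network(src), ipaddress.ip_network(dst)))
    return rules


def intersect(a: Net, b: Net) -> Optional[Net]:
    """CIDR blocks either nest or are disjoint, so the overlap is the smaller block."""
    if a.subnet_of(b):
        return a
    if b.subnet_of(a):
        return b
    return None


def evaluate(rules: List[Rule], src_ip: str, dst_ip: str) -> str:
    """First-match decision for one flow; implicit deny if nothing matches."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for rule in rules:
        if s in rule.src and d in rule.dst:
            return rule.action
    return "deny"


def guest_exposure(rules: List[Rule]) -> List[str]:
    """Report allow rules that open a path from guest Wi-Fi into back-office.

    Conservative on purpose: an allow is reported unless a single earlier
    deny covers the whole guest/back-office region it touches, so the
    output is a review list, not proof of exploitability.
    """
    findings = []
    for i, rule in enumerate(rules):
        if rule.action != "allow":
            continue
        src_hit = intersect(rule.src, GUEST_WIFI)
        dst_hit = intersect(rule.dst, BACK_OFFICE)
        if src_hit is None or dst_hit is None:
            continue
        shadowed = any(
            earlier.action == "deny"
            and src_hit.subnet_of(earlier.src)
            and dst_hit.subnet_of(earlier.dst)
            for earlier in rules[:i]
        )
        if not shadowed:
            findings.append(
                f"rule {i + 1}: allow {rule.src} -> {rule.dst} exposes {src_hit} -> {dst_hit}"
            )
    return findings


# Constructed policies. The weak one gives guests "internet access" with a
# rule broad enough to reach the back office; the deny underneath never fires.
WEAK_POLICY = """
allow 10.50.0.0/16 0.0.0.0/0      # guest -> anywhere (includes back office!)
deny  10.50.0.0/16 10.10.0.0/24   # too late: shadowed by the allow above
"""

# Corrected ordering: block the guest-to-back-office path first, then allow the rest.
FIXED_POLICY = """
allow 10.10.0.0/24 10.10.0.0/24   # back-office internal traffic
deny  10.50.0.0/16 10.10.0.0/24   # guests never reach operational systems
allow 10.50.0.0/16 0.0.0.0/0      # guests still get the internet
"""

if __name__ == "__main__":
    for name, text in (("weak", WEAK_POLICY), ("fixed", FIXED_POLICY)):
        rules = parse_rules(text)
        print(name, "findings:", guest_exposure(rules) or "none")
        print(name, "guest laptop -> till server:", evaluate(rules, "10.50.4.20", "10.10.0.5"))
```

The ordering bug in the weak policy is the common shape of this problem: the segregation rule exists, but a broader rule above it wins first. Proper isolation also means guests and back-office systems do not share the same VLAN or switch ports in the first place; the script only checks the policy layer.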
The organisations that handle these risks best treat cyber security much like physical security: something that is regularly tested, reviewed and improved rather than set up once and forgotten.
This Sits at Your Level
The most important shift I’d encourage centre management teams to make is this: stop thinking of cyber security as an IT problem and start thinking of it as an operational one.
You already apply this kind of thinking to physical security. You ask whether your controls are adequate. You test your response plans. You make sure the right people are accountable. Cyber security deserves exactly the same rigour – because the consequences of getting it wrong are just as real.
At ITVET, the conversations we find most valuable always start with risk, not technology. When we sit down with centre management teams, the first step is usually mapping what data exists, how it flows through the organisation, and where the real exposure points sit.
Those are not complicated questions. But in our experience, most organisations haven’t sat down and answered them properly. And that gap between the risk that exists and the awareness of it is precisely where attackers operate.
One simple way to gauge where you stand is to ask a very practical question: if someone on your team accidentally handed over their email password this afternoon, how confident are you that the attacker wouldn’t be able to get any further?
So Here’s the Question
Your centre has security officers, access controls, CCTV coverage, and incident procedures. You’ve thought carefully about the physical risks you face and put serious measures in place to manage them.
But if an attacker sent a convincing email to someone on your team tomorrow morning – could you say, with confidence, that your organisation would stop them?
For many organisations, simply asking that question is the starting point. A short security review can often reveal where the real risks lie and, just as importantly, how straightforward many of the fixes actually are.