Tesco’s cyber stress-test is a good reminder for us all – check your systems are safe and make it a board level priority
13th May 2022
In its annual report published this month, Tesco Plc has escalated cyber security to a standalone risk, because it has both strategic and operational impact. Previously it was treated as part of the company’s overall data security risk. Tesco carried out a cyber stress-test to understand its resilience, and the findings were pretty eye-opening.
They also very clearly state that data privacy risks are a board-level issue as per this extract from their Annual Report and Accounts.
But why are we bringing this to your attention?
Given the growing cyber threat, Tesco conducted a cyber-attack stress-test. This is where all relevant systems are put under scrutiny to see how easily things can go wrong (human error) or be hacked (cybercrime).
Tesco modelled a range of scenarios and found that, should its systems fail, it would be exposed to the risk of a £2.4 billion fine as well as major disruption and a PR nightmare.
The reason for doing the cyber stress-test, Tesco said, was to understand the impact on “reputational risk, resulting in a decline in customer sentiment and an adverse trading impact”.
Does your board have sufficient oversight of cybersecurity threats and potential data breaches? Are you fully aware of your duties under the GDPR? Have you got contingency plans in place should your systems fail – either through cyber attack or human error?
Here are our top tips for stress-testing your business and building cyber and data resilience:
- Ensure you and your workforce are all correctly trained in data protection governance (this is a legal responsibility for many organisations)
- Use a reputable company to simulate cyber-attacks, see how your business performs and adjust where needed.
- Regularly review your policies and procedures (make sure these are robust and include all relevant security measures) and communicate these regularly to your workforce – ensuring they are read and understood. Human error is a huge factor in cyber-attacks.
- Make cyber security and data governance a board-level responsibility – reviewed regularly and reported on monthly.
- Put a cyber resilience plan in place, as part of your disaster recovery plan, that details how you will respond and recover from a cyber-attack or data breach.
- Prevention is best, but be aware that you can also purchase cyber insurance to help you recover – this can include PR, technical and financial help. However, whilst you might find the insurance reassuring, the best advice is to avoid having to claim in the first place by putting everything in place to prevent a cyber-attack or data breach.
Here at the Griffin House Consultancy, we offer a range of services to help with your resilience, including a wide choice of training (check out the options here), data audits and one-to-one consultancy. We can also recommend cyber stress-test experts and insurance specialists to complement what we do (drop us a line and ask).
If you want to stress-test your business, please get in touch with one of our specialists. The best place to start is by booking your free 30-minute consultation, which gives us an opportunity to learn about your business and help you work out the best next steps to keep you, your data and your business safe.