Tesco app outage: how the UK retailer manages cyber risk
Tesco’s online services were unavailable for much of this weekend following an attempt to ‘interfere’ with its IT systems. Since a high-profile cyberattack on its banking subsidiary in 2016, the retail giant has sought to reassure investors of the efficacy of its cybersecurity risk governance measures. Although the company says that no customer data was exposed in the incident, the disruption to Tesco’s online services is a reminder that cyber risk management is still a work in progress, even for the world’s largest organisations.
Thousands of Tesco customers were unable to place orders on its grocery website and app from Saturday morning until Sunday afternoon, according to reports. “We’ve been experiencing disruption to our online grocery website and app,” the company said in a statement yesterday. “An attempt was made to interfere with our systems, which has caused problems with the search function on the site.”
“There is no reason to believe that this issue impacts customer data and we continue to take ongoing action to make sure all data stays safe,” it said.
The services were back up and running on Sunday evening. “Our teams have worked around the clock to restore service,” Tesco said. Customers were told they might need to join a ‘virtual waiting room’ to manage the flow of traffic, according to The Guardian. However, some Twitter users have complained of continued issues with the app today (Monday).
This is not the first cybersecurity incident to hit the retail giant. In 2018, Tesco was fined £16.4m by the Financial Conduct Authority over its failure to protect customers of its banking subsidiary against a cyberattack in 2016. Attackers stole £2.3m from Tesco Bank customers by exploiting weaknesses in the design of its debit cards. The FCA ruled that Tesco Bank had failed to respond to “a very specific warning that [it] did not properly address until after the attack started”.
Since then, Tesco has documented its cybersecurity governance practices in its annual financial reports. In its 2019 report, for example, the company revealed that its board had “received training on the dynamic threat posed by cyber risks and discussed emerging Group risks and Red Team Testing”.
The report also mentioned risk mitigation measures including an “established team to detect, report and respond to security incidents in a timely fashion”, “a third-party supplier assurance programme focusing on data security and privacy risks”, and “regular reporting on progress of the security and privacy programmes to governance and oversight committees”.
Tesco’s financial report for 2020 stated that “next-generation behaviour-based anti-virus and malware solutions, data and payment encryption and threat detection tools help us reduce the likelihood of being compromised”.
Clearly, though, these measures have not eliminated the risk of disruption from cybersecurity threats. And while it might not be possible to remove these threats entirely, a consultation by the UK government in 2019 revealed that there is ample room for improvement in the UK private sector.
Why do UK companies still struggle with cyber risk?
The consultation, led by the Department for Digital, Culture, Media and Sport (DCMS), invited experts to identify the chief barriers to effective cyber risk management by UK businesses. The most common of these was the complexity and insecurity of the digital environment, identified by 77% of respondents. They highlighted both the “constantly evolving digital landscape” and the fact that digital products, services and processes “are becoming increasingly integrated with other organisations” as risk factors.
Respondents also flagged a lack of capacity and knowledge (73%) and a lack of a commercial rationale (71%) as barriers, although the latter was less common among respondents from large organisations. Nearly two-thirds (63%) said the costs of cyber risk management outweigh the apparent benefits. "Organisations find it difficult to justify these budgets as they cannot prove there is a return on investment," DCMS said in its response to the consultation, "particularly as they lack data or evidence that would enable them to better justify investment".
Other hurdles to effective risk management include a lack of incentives to support organisations when protecting themselves online and insufficient regulation to compel them to manage their cyber risk more effectively.
The consultation also examined the information that organisations need in order to manage cybersecurity risks. This revealed that information about the impact or harm cyber incidents might cause is most important when making cybersecurity investment decisions, followed by information about mitigation activities and their associated costs, and information about vulnerabilities.
Indeed, 86% of respondents agreed that a lack of information about the direct and indirect impacts of cybersecurity incidents is a severe or moderate barrier to effective risk management. Reasons why companies cannot gather the information they need include information failures, such as information overload or, at the other end of the spectrum, a lack of sharing; a lack of knowledge; and a lack of resources. The majority of respondents agreed that the information used in cybersecurity risk management decisions should be standardised.
Lastly, the consultation asked experts how senior executives could be encouraged to take more responsibility for cybersecurity. Perhaps unsurprisingly, the most common answer, with 45% of respondents, was "more regulation". "This included suggestions of mandating accountability including board members being directly accountable for cybersecurity or having a chief information security officer (CISO) on the board, establishing director liability and compelling organisations to provide additional information through corporate reporting," DCMS said in its response.
A 2018 investigation by Deloitte found that, at the time, only 8% of FTSE 100 companies had a board member with cybersecurity expertise. While Tesco Bank has a CISO, appointed in October 2018, its parent company does not. None of the profiles of its board members mentions cybersecurity expertise.