Tesco’s revelation, detailed in its latest 2022 Annual Report, will have other company CEOs immediately thinking, “If Tesco has done that, have we? And if not, why not?” That is probably why company chief information officers (CIOs) and chief information security officers (CISOs) received a C-Suite email asking about cybersecurity stress tests this morning.
And no wonder. It’s not every day that a major blue-chip company says it has carried out a cyberattack stress test, and then goes on to point out that a data breach could cost it up to £2.4 billion in fines.
Tesco’s stress test
Some might ask what the difference is between a cyberattack stress test, a vulnerability test, a penetration test and a test of an incident response plan.
Tesco references the stress test in the annual report as part of assessing Tesco Group viability. As well as cybersecurity and data privacy, Tesco also carried out assessments related to macroeconomic downturn, global supply pressures and climate change.
Tesco says the volume and nature of the customer and supplier data it holds as a business could result in a serious data or security breach which sees a significant financial penalty levied against the Group. That would be aligned to the UK General Data Protection Regulation (GDPR) penalty framework and could see a maximum fine levied of 4% of Group revenue. For the purposes of its stress test, Tesco management said it quantified the fine as 2%, the mid-point of any potential maximum fine.
It concluded that a significant data breach poses a reputational risk for Tesco, resulting in a decline in customer sentiment and an adverse trading impact. It argues that the extent of the trading impact is very uncertain, both in terms of the financial impact and the period it may take to recover customer trust. For Tesco, read every major company in every sector.
Remembering the impact of WannaCry five years on
There is little doubt that a cyberattack, whether specifically targeted or not, can bring an organization to its knees.
This month marks five years since the WannaCry ransomware attack in 2017 which had a devastating impact on the National Health Service (NHS) in England.
WannaCry resulted in a 6% decrease in admissions in cyber-infected hospitals, which included 1,100 fewer emergency department (ED) admissions and 2,200 fewer elective admissions in total. The infected hospitals also saw a decrease in the number of emergency department attendances with 3,800 fewer patients seen. There was also a significant impact on the number of outpatient cancellations across the impacted hospitals during the WannaCry week, which resulted in 13,500 appointments being cancelled.
In the wake of the Russia-Ukraine conflict, the cyber threat level has markedly increased. This month also marks a year since another cyberattack, the Colonial Pipeline ransomware attack in the US, and there are very real risks that critical national infrastructure and businesses could face new attacks.
No company or organization is safe from attack, and no CEO should be blasé enough to think ‘it can’t happen to us.’ It can and will. Which is why, even though they’ve probably already carried out those cyber stress tests (they have, haven’t they?), CIOs and CISOs should expect an enquiry email along the lines of ‘What does this Tesco cyber story mean for us?’ A detailed, prompt reply is probably a good idea.