Tesco…what went wrong for the supermarket giant?

Posted 14 December 2021 by Laura

Earlier this year, Tesco’s customers being unable to load their virtual trolleys, book delivery slots or amend their orders, their online systems were back up and running after 48 hours. Tesco said the problem was “because of an attempt to interfere with its systems”. Unfortunately for many, cyber attacks like this are no longer surprising – and without proper care and attention, they will continue to increase.

Sophos’ State of Ransomware in Retail 2021 reported that 44% of organisations in the retail sector were hit by a ransomware attack in 2020. The report found that more than half of those affected (54%) said cyber criminals had succeeded in encrypting their data. And of those retailers whose data was encrypted, 32% paid the ransom to get their data back… with an average ransom payment of $147,811.

With the fast evolution of technology and changing consumer habits, retail businesses spent £186 million on cybersecurity in 2020. But as online shopping continues to grow, and hackers become more and more sophisticated, cold hard cash just isn’t enough. Fancy (not to mention bank-breaking) one-off IT projects just won’t cut it anymore. It’s the careful, considerate and consistent monitoring and management of what you already have that needs your attention, right now.

Every surface helps…
Supermarkets used to be quite simple entities. The attack surface area (the number of access points for unauthorised users to gain access to systems and data) was smaller and easier to protect. But they diversified. They became banks. They became insurance companies. They became healthcare businesses and pharmacies. Operational systems, applications, (highly personal) data, devices, multiple users across multiple sites… it’s fair to say there’s a lot going on within the inner workings of a giant supermarket. And then, to further enable business growth, supermarkets have implemented the latest data-driven technologies. So they’ve been busy collecting huge amounts of data. Huge amounts of big, sensitive data. And using it across a wide surface area. An attractive proposition to even the most suave hacker.

It’s what’s inside that counts, my friend.
Insider threats in retail are also rising; employee turnover is high and the typical retailer has many points of insider vulnerability; traditional and seasonal employees, multiple stores and distribution centres…not forgetting that some business processes will be outsourced to third parties. But who has access to what? Do they have access to everything at all times, or just certain things at a specific time? These policies have the potential to make or break a cyber attack – and they’re particularly vulnerable if the policies aren’t properly configured or deployed (yes, this does happen…a lot).

Secure data sources.
Traditional data sources within an organisation are also vulnerable. These might include databases of customer information, competitor/customer research, future plans  and demographic data. Incredibly rich data and information, gleaned over years and years of ongoing research and marketing activity. But whether staff are using Teams, Zoom, SharePoint, DropBox or WeTransfer to share and collaborate, it has to be done securely. It is possible, you just have to know what you’re looking at.
Sector-wide…and beyond.
Of course, it goes without saying that the majority of this applies to all sectors and industries, not just retail. Any business, whether in education, healthcare, energy or local government for example, must be thinking about what security procedures and policies they need in place to prevent an attack like this. 48 hours is a long time for any business to be disassociated from their business…and the scope for financial, operational and reputational damage is phenomenal (it’s doubtful the full scale of this attack will be made public so take that as you will…)

Cyber Resilience Toolkit for Retail.
But, if you are working in retail and are concerned about cybersecurity and where to turn to for guidance, there’s some great help out there. Last year, the British Retail Consortium worked with the National Cyber Security Centre (NCSC) to develop a toolkit to support retailers (non-cyber experts, this one’s for you) to take steps to reduce the threat of a successful attack. The Cyber Resilience Toolkit for Retail is specifically designed for those in senior strategic roles or start-ups – or who sit on a Board in an exec or non-exec role. The guide highlights the threats faced by retailers, key questions to consider when developing cyber resilience strategies, and guidance on the types of protections retailers should implement.
If you’d like to find out more about how we can help support your IT team to deliver secure cloud-based access and information protection solutions, book a quick call with us.
Interested but not quite ready to talk? Sign up for updates using our super-simple form.