Cyber Security – protecting customer and colleague data
Last updated 24/04/2019
UK Stores Retail Business
Information and systems are amongst Tesco’s most valuable assets. Protecting them is critical to the sustainability and competitiveness of our business, as well as to keeping the trust of our customers, colleagues and investors. For these reasons, data security and data privacy are identified as a principal risk for the business in our annual report.
We take the responsibility of being entrusted with our colleagues’ and customers’ personal data very seriously, and we are committed to protecting all data with the highest levels of security. Our multi-year Security Programme has been driving the enhancement of our security capabilities.
We are committed to protecting information in accordance with its value, its sensitivity, our customer and colleague expectations, our business goals and regulatory requirements.
Accountability for information security sits with the Chief Technology Officer, who reports directly to the Chief Executive Officer on a day-to-day basis. We have a robust system in place for identifying and escalating security incidents.
In addition, the Board and Executive Directors receive detailed updates on our risk management and mitigation activities through the following committees:
- Group Executive Committee
- Group Audit Committee
- Compliance and Risk Committees
- Privacy Executive
- PLC Board and Board level Corporate Reporting Committee
To deliver and demonstrate our commitment, we have developed policies that set out our ambition and have implemented controls to prevent, detect and mitigate risks. We have adopted a risk-based approach, prioritising activities in those areas that pose the highest risk to the business. For example, our colleague training focuses on head office (see below for more information).
We have also established reporting processes to raise visibility with leadership teams and highlight the protection needs. We continuously invite challenge through independent reviews and audits.
Our objectives are to preserve:
- Confidentiality: We take the highest level of care in protecting information in line with its classification/risk.
- Integrity: We have robust systems and processes to ensure that information is complete and accurate.
- Availability: We ensure systems and information are available at the time when they are needed.
Below are a few examples of our activities:
In order to ensure our IT systems are protected against changing security vulnerabilities, we regularly test and install ‘patches’. We also perform compliance monitoring to ensure that these patches are applied in a timely manner.
In addition, we continue to strengthen our network to help us protect against unauthorised traffic and malicious content entering our network. We have deployed tools to protect us against malware infections and have independent penetration testing performed to actively identify vulnerabilities.
We have established Security Incident and Event Monitoring capabilities and have a 24/7 Security Operation Centre in place to assess and investigate abnormal activity on a timely basis.
Colleague Awareness Training
We make sure that our colleagues are trained in security awareness so that they understand the importance of confidentiality, integrity and availability and their responsibility to preserve it. Training will help further protect our colleague, customer and business information.
Colleague information security awareness training is mandatory. We make sure that training is relevant, role-specific and tailored for colleagues. In the last year, we have been rolling out quarterly refresher training for office-based colleagues to ensure it remains current in colleagues’ minds. We also have annual refresher training for store colleagues.
Advanced Technology security training has been made available to all Technology colleagues including privileged system users.
We have a 24/7 security operation centre and Protector Hotline which are available to colleagues should they wish to make a report of any suspicious activity or concerns.
We expect our suppliers to take the same level of care as we do with the information shared with them, and so we have a supplier assurance programme in place. We focus on those suppliers that pose the highest risk to Tesco and to colleague and customer data. For those we identify as highest risk, we conduct a supplier review, which may include questionnaires and site visits.