Prepare for the worst and limit cyber damage

To any sizeable business operating in the UK, the regulatory threat of fines for serious data breaches is almost negligible. The Information Commissioner’s Office can only fine up to £500,000 for the most egregious offences, a pittance to any firm with financial clout. The real damage from losing people’s information comes through the impact on reputation.

US retailer Target knows this all too well. Hackers breached its network in November, infecting point-of-sale machines to steal data on more than 40 million credit and debit cards. It admitted the breach was partly responsible for bringing down its fourth quarter profits by 46 per cent, as shoppers lost trust in the company. Customer traffic in January, both online and in stores, hit a three-year nadir, with a 10 per cent year-on-year decline in the number of US households shopping at Target in January, according to consulting group Kantar Retail.

Reputational damage from data leaks often equals financial loss. Research bears this out, showing how firms in certain industries can suffer particularly badly. In 2013, when it surveyed 599 companies who’d suffered a breach, the Ponemon Institute found financial services were worst impacted. Each data record compromised cost £145, £74 of which went on costs related to recovering reputation, such as complementary credit monitoring and identity theft protection. For healthcare organisations, the cost for one lost record was £131, £68 of which had to go on reputation-related spending.

An organisation’s patent brand is now intertwined with its security. That’s why there have been repeated calls from security professionals for C-level executives to take a more active role in protecting the organisation from attacks, whether caused by external hackers or internal leakers. Chief executives can provide companywide impetus to boost security and approach it in a more holistic way, says Rocco Grillo, managing director and global leader for incident response and forensics investigations, at consultancy Protiviti.

This involves determining where the risks lie throughout an organisation and where the most valuable data resides, before wrapping the right protections around them. “A lot of people have the perception that it’s all about protecting credit card data. But if you look at your company overall, there are different types of risk,” he says.

Reputational damage from data leaks often equals financial loss

“There are still some people saying they don’t have sensitive data and no one is going to go after us. That’s just the same as sticking your head in the sand. This isn’t just an IT issue.”

By instilling a proactive, holistic security posture from the top down, organisations would be better prepared for the numerous digital attacks they will undoubtedly face. Yet all companies should expect to have systems compromised at some point in the future. This makes full incident response programmes critical, including response plan testing involving various departments within the business. “You need to have all kinds of stakeholders at the table, including executive management support and legal, who should typically be your first call. You want to be prepared, to know the weak points of your programme and how you might fail. It’s better to learn your weaknesses while you’re practising than when you are in crisis mode,” says Mr Grillo.

In the event of a breach, a quick response is key to proving to customers their information is valued. Companies must show they are in control of the situation from the moment they know about an event, says Neira Jones, independent adviser in payments, risk and cyber crime. “The first 24 hours are crucial,” says Ms Jones. “The first thing to realise is that the internet does not wait for your chief executive to respond; the news will spread with or without your involvement. And don’t blame others, it is never popular. The result of no acknowledgement is inflated speculation, controversy, and misinformation and disinformation.”

Transparency is also vital, says Larry Ponemon, head of the Ponemon Institute. “Brand damage can be avoided in part by just being better at communicating to people, being perceived as honest and transparent,” he adds. “The worst thing you can do is wait a long time and communicate in bits and pieces. People like to know not was their data lost, but was it compromised by bad guys.”

Despite all the hype, it would be fallacious to say data breaches will always be potentially catastrophic for an organisation’s reputation. Some businesses are able to avoid lasting damage solely because of what they offer and what consumers expect of them when it comes to protecting information. Ponemon research indicated retailers have a significantly easier time of it than most other kinds of business, with a relatively low cost per data record compromised at £82, of which just 30 per cent went on recovering reputation. That would indicate shoppers are not as concerned about the security of their information held by the outlets they frequent as they are about data held by banks or the NHS.

“On the retail side, people are motivated by price and good value. That becomes more important than protecting data. They also don’t have an expectation that their data is going to be secure,” says Mr Ponemon.

Supermarket chain Tesco appeared to benefit from this low expectation, according to Troy Hunt, an independent security researcher. The company received much criticism from security professionals in 2013 for failing to react quickly to alerts over various vulnerabilities on its website. Then in February, 2,000 Tesco passwords were published online, yet there was little customer outrage.

“Faced with numerous clearly identifiable risks, Tesco responded slowly and, in some cases, never addressed the underlying risks. Even after suffering a breach just this year, arguably their reputation has not been adversely impacted,” says Mr Hunt, who uncovered a number of Tesco’s weaknesses. “It’s possibly the fact that large, diversified organisations have a buffer from these attacks which makes them somewhat complacent.”

But chief executives should be wary of such complacency. With considerably harsher EU-wide regulatory penalties receiving support from European Parliament, and the general public much more privacy-aware following a year in which both internet giants and intelligence agencies caused much consternation over their data handling practices, companies can expect a much tougher environment in the coming years. It’s time to prepare for the worst.