The Blog

Cyber Security: The New Frontier in Crisis Preparation

SnapChat, iCloud, JP Morgan, Tesco, Target, Adobe. Over the past 12 months all of these have associated with cyber-attacks.

SnapChat, iCloud, JP Morgan, Tesco, Target, Adobe. Over the past 12 months all of these have associated with cyber-attacks.

With increasingly unrelenting frequency we're hearing and reading about companies that have fallen to a growing tidal wave of cyber-attacks. In the past, the threat of such an attack was mostly limited to a small percentage of companies or individuals. However it now seems that as companies themselves become "more digital" the threat has evolved. Hacking may once have been attempted for 'bragging rights' but now there are a variety of actors involved with complex motivations:

Hacktivists: like Anonymous are perhaps best described as modern day activists, carrying out actions to disrupt the operations of a company or government

Nation states: again an extension of a traditional activity, espionage

Malicious individuals: those who carry out an attack for their own gain

Consumers and organisations alike are now at the forefront of the battle in the trenches.

The Ponemon Institute along with HP* found that organisations on average face 138 discernible cyber-attacks per week - a significant rise on last year's figure. Different pieces of research by companies with a vested interest however suggest differing figures - the truth is that we cannot say with accuracy how many cybercrime incidents are actually occurring, but there is broad agreement that the threat is on the rise. Companies must do their utmost to defend and minimise this risk where possible.

For an organisation or business, a cyber-breach can be calamitous. Not only can a breach lead to a loss of critical data, but it can also lead to a deterioration in market position and lead to tangible costs - particularly over time if not rapidly dealt with. This month eBay was forced to cut its revenue forecast as it continues to feel the effects of its recent breach.

There are also regulatory costs that need to be taken into account. In the UK, the Information Commissioner's Office (ICO) has been able to impose fines for serious data breaches since 2010.

Beyond the 'hard' costs, organisations can face equally important 'soft' costs - a cyber-breach can prompt serious stakeholder lapse of confidence and result in loss of custom. According to reports and analysis, the eBay attack directly impacted operating margins and revenues due to slower customer uptick.

Taking into account these potential costs and the high likelihood of an attack, cyber security needs to be very much be on the CEO and Board agenda, rather than just being an IT issue. Companies need not only a robust technical defence, but also a well thought out reputation protection plan in place. Part of this needs to be the speedy identification, isolation and patching of the breach as well as adherence to counsel for potential legal ramifications; but companied must also be clear and precise with how the breach and these measures are being communicated.

In recent weeks we've seen more and more recognised brands and companies fall prey to hackers and react for better or worse. eBay and Target were criticised by many for appearing to hesitate too long and delay responding to rumours.

The JP Morgan attack, one of the largest I've seen recently (contact details for about 76 million households and about 7 million SMEs was compromised) actually had a pretty fast response in play, which was likely in line with the FBI investigation once the breach was found. Though the bank's CEO has also announced that their cyber security spending will likely double over five years.

Kmart too have seemingly reacted in a positive manner - releasing a statement, apologising and reassuring customers by offering with free credit monitoring as it investigates the breach.

Cyber breaches are now commonplace and it's no longer good enough to just sit back, put in place minimum compliance measures, and relax. If a company hasn't yet suffered a breach the chances are that it's on its way, or it has already and just doesn't know it yet.

*Disclaimer: at the time of writing HP is a client of the author