In October 2015 three young men allegedly breached TalkTalk's defences and stole customer information, in what was the third attack on the telecommunications company that year.
In its half-year results report, the company estimated the short-to-medium-term charge of putting things right following the hack would be £35m.
Commentators from The Telegraph newspaper even suggest that the hack could leave TalkTalk vulnerable to a takeover.
Soon after the attack on TalkTalk, Vodafone admitted in November that almost 2,000 customer accounts were accessed using information acquired from a third party.
The company admitted customers’ names, mobile numbers, bank sort codes and the last four digits of their bank accounts could have been taken, The Guardian reports.
Unlike the cyber-attack on TalkTalk the week before, Vodafone claims its own systems were “not compromised or breached in any way”. Instead, it says customers’ account names and passwords were obtained through an “external” source. How the details came to be held by a third party is not known, but the case highlights that a company's exposure is not limited to its own IT systems: credentials held by, or leaked from, a third party can be used against it just as effectively.
At least 13 other big brands have been hit by cyber-security breaches. The National Crime Agency is investigating claims that account details for Halifax, O2, EE, Sky and BT Sport customers are also being sold by hackers along with passwords and user names for major retailers including Amazon, Uber, Ticketmaster and Ocado.
Cyber-attacks may have been especially prevalent recently, but they are not a new problem. In 2011 hackers accessed Sony’s PlayStation Network, exposing the account details of more than 70 million customers and putting their payment details at risk. The service was closed for several weeks, even though Sony later said it had found no evidence that payment card data was actually taken.
Businesses are vulnerable
The attack on TalkTalk should be a “wake-up call” for British business, senior government officials have told the Financial Times, and warned that many other companies storing millions of customers’ details had weak digital security standards.
Many other large British businesses were equally exposed to such attacks, they warned, emphasising that the breach was not the work of a sophisticated state actor or terror group.
Baroness Harding, chief executive of TalkTalk, said that the company could have done more on cyber-protection, but that “no system is free from vulnerabilities”.
John Stewart, CSO of Cisco, says that a data breach is not a unique experience: “You’re eventually going to be hit. It’s not worth the effort of thinking you won’t be hit. It’s no longer a relevant conversation.”
Google and IT security company McAfee estimate that there are 2,000 cyber-attacks every day around the world, costing the global economy about £300bn a year, while the Institute of Directors says only “serious breaches” make the headlines, but attacks on British businesses “happen constantly”.
So what are the potential costs should something go wrong?
For TalkTalk, that cost was estimated at £35m. However, shares fell sharply when details of the incident were disclosed, suggesting that the potential cost to reputation could be much higher.
Deloitte’s 2014 global survey on reputation risk found that security (physical or cyber) was one of the three key drivers of reputational risk among the 300 executives it sampled.
A report from Alva has analysed the issue of data breaches and their impact on company reputation, using more than 12 months’ worth of data for TalkTalk, Sony, Barclays, RSA, LV= and Carphone Warehouse.
It found that data breaches can result in some of the most impactful downturns in sentiment for an organisation. Two of the four largest declines in TalkTalk’s sentiment score both resulted from data breach concerns, making it a genuine reputational risk.
It also found that data breaches can produce tenacious negativity. TalkTalk’s sentiment trend did not return to its pre-February 2015 breach starting point until early May, and negative data breach content only subsided in June following TalkTalk’s announcement that it would change the way in which it processed credit and debit payments to reduce the risk of a future breach.
The reputational impact of the data breaches ramped up tangibly across the three TalkTalk cyber-security attacks highlighted.
This is in part due to differences in the scale of the breaches, but Alva also notes that there is the additional element of an incremental reduction in stakeholder trust when a company is repeatedly exposed to the same risk.
Repeated negative issues can reach a tipping point, beyond which the company loses the opportunity to mitigate risk, and damage limitation is the best available outcome.
Different stakeholders reacted to the breaches at TalkTalk with different levels of criticism and through different actions.
For customers, this manifested itself in an increase in active criticism of the organisation and the proactive discussion of switching providers.
TalkTalk’s Alva Social Media Advocacy score has plummeted since the incident, with a significant increase in switching behaviour expressed online suggesting future retention and new business concerns.
For investors, the drop in TalkTalk’s share price is indicative of concern over the company’s customer base, its ability to prevent a future recurrence and its exposure to regulatory pressures.
For regulators and politicians the number of people affected necessitates a firm stance against the company, with lengthy reviews or probes potentially fuelling future coverage of the breach and thereby extending the lifecycle of the issue.
According to Alva a general rule of thumb when assessing the extent of reputational risk is to assess the number of stakeholders affected; the more that are impacted, the longer and more damaging the risk.
TalkTalk insists that it had adequate defences in place, which it regularly reviewed. This is the third time in a year that hackers have managed to breach TalkTalk’s cyber-security and steal customer data, which suggests those defences were not keeping pace with the attacks.
It is not just major consumer brands that are at risk. Any company that holds a record of client, company or employee details could find themselves a target.
There are several routes that non-executives concerned about cyber-security at the companies they represent can take. Non-executives should review systems in place and ask:
- Are operating systems updated and regularly patched?
- Does the company have a firewall and software in place that defends against viruses, spyware and phishing attacks?
- Are there any wireless networks? Are they encrypted?
- Is software installation restricted? Are administrative rights limited so that nothing can be installed on company computers without authorisation?
- Are there access controls that limit who can reach which data?
- Is access to the web completely open? Restricting access to sites with internet filters can make it harder for employees or intruders to upload data to cloud storage, although it is one control among several rather than a complete answer.
- Do the company computers have USB ports? Removing or disabling USB ports can help stop malware being introduced or data being copied off the machine.
- Are there strict password policies in place?
- Are drives, folders and files containing sensitive information encrypted?
- Have you considered hiring professionals to assess your vulnerability?
- Insurance can be a useful tool: do you have adequate cyber-insurance cover? Who would pay the bill should the worst happen?
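The questions above are for a board to ask, but whoever answers them needs evidence from the systems themselves rather than assurances. The script below is an added example, not code from the article or from TalkTalk, that collects that evidence for four of the items (strict password policy, restricted administrative rights, disabled USB storage, encrypted drives) by reading the configuration files a Debian/Ubuntu-style Linux host keeps for those controls and reporting PASS, FAIL or UNKNOWN for each. The parsers take file contents as strings so they run against the constructed samples at the bottom as well as real files; the thresholds (90-day password expiry, at most two administrator accounts) and the sample files are assumptions, not figures from the article.

```python
"""Evidence collector for four checklist items: password expiry, admin
rights, USB storage and disk encryption (added example, see lead-in)."""
import re
from pathlib import Path

MAX_PASSWORD_AGE_DAYS = 90   # assumed policy threshold, not from the article
MAX_ADMIN_ACCOUNTS = 2       # assumed policy threshold, not from the article
ADMIN_GROUPS = ("sudo", "wheel", "admin")

def _uncommented(text):
    """Yield non-empty lines with '#' comments and whitespace stripped."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            yield line

def check_password_policy(login_defs_text):
    """True if /etc/login.defs forces expiry within MAX_PASSWORD_AGE_DAYS;
    shadow-utils treats a missing PASS_MAX_DAYS as 99999 (never expire)."""
    max_days = 99999
    for line in _uncommented(login_defs_text):
        m = re.match(r"PASS_MAX_DAYS\s+(\d+)$", line)
        if m:
            max_days = int(m.group(1))
    return max_days <= MAX_PASSWORD_AGE_DAYS

def admin_accounts(group_text):
    """Users that /etc/group lists as members of an administrative group."""
    users = set()
    for line in group_text.splitlines():
        parts = line.strip().split(":")
        if len(parts) == 4 and parts[0] in ADMIN_GROUPS:
            users.update(u for u in parts[3].split(",") if u)
    return users

def check_admin_rights_restricted(group_text):
    return len(admin_accounts(group_text)) <= MAX_ADMIN_ACCOUNTS

def check_usb_storage_disabled(modprobe_texts):
    """True only if usb-storage's install command is neutralised. A bare
    'blacklist' line only stops autoloading; root can still modprobe it."""
    for text in modprobe_texts:
        for line in _uncommented(text):
            if re.match(r"install\s+usb[-_]storage\s+/bin/(false|true)$", line):
                return True
    return False

def check_root_encrypted(crypttab_text, fstab_text):
    """True/False/None: is / mounted from a device mapped in /etc/crypttab?
    None (UNKNOWN) covers /dev/mapper devices not named in crypttab, such as
    LVM on LUKS, where lsblk is needed to resolve the chain."""
    mapped = {line.split()[0] for line in _uncommented(crypttab_text)}
    for line in _uncommented(fstab_text):
        parts = line.split()
        if len(parts) >= 2 and parts[1] == "/":
            m = re.match(r"/dev/mapper/([^/]+)$", parts[0])
            if not m:
                return False
            return True if m.group(1) in mapped else None
    return None

def report(login_defs, group, modprobe_texts, crypttab, fstab):
    verdict = lambda v: "UNKNOWN" if v is None else ("PASS" if v else "FAIL")
    return {
        "strict password policy": verdict(check_password_policy(login_defs)),
        "admin rights restricted": verdict(check_admin_rights_restricted(group)),
        "USB storage disabled": verdict(check_usb_storage_disabled(modprobe_texts)),
        "root filesystem encrypted": verdict(check_root_encrypted(crypttab, fstab)),
    }

def host_report(root=Path("/")):
    """Run the checks against the live configuration files under root."""
    etc = root / "etc"
    read = lambda p: p.read_text() if p.is_file() else ""
    fragments = sorted((etc / "modprobe.d").glob("*.conf"))
    return report(read(etc / "login.defs"), read(etc / "group"),
                  [read(p) for p in fragments], read(etc / "crypttab"),
                  read(etc / "fstab"))

# Constructed sample files (not from any real host): a weak and a hardened box.
WEAK = dict(
    login_defs="PASS_MAX_DAYS\t99999\nPASS_MIN_DAYS\t0\n",
    group="root:x:0:\nsudo:x:27:alice,bob,carol,dave\nusers:x:100:\n",
    modprobe_texts=["blacklist usb-storage\n"],
    crypttab="",
    fstab="UUID=1111-2222 / ext4 errors=remount-ro 0 1\n",
)
HARDENED = dict(
    login_defs="# see login.defs(5)\nPASS_MAX_DAYS\t60\nPASS_MIN_DAYS\t1\n",
    group="root:x:0:\nsudo:x:27:alice\nusers:x:100:bob,carol\n",
    modprobe_texts=["# block removable storage\ninstall usb-storage /bin/false\n"],
    crypttab="cryptroot UUID=aaaa-bbbb none luks,discard\n",
    fstab="/dev/mapper/cryptroot / ext4 errors=remount-ro 0 1\n",
)

if __name__ == "__main__":
    for name, files in (("weak sample", WEAK), ("hardened sample", HARDENED)):
        print(name, report(**files))
    print("this host", host_report())
```

Run as root on a host to append its own verdicts after the two samples. The weak sample fails all four items; the hardened one passes them. Note the deliberate UNKNOWN verdict: a root filesystem on /dev/mapper that is not named directly in crypttab (LVM on LUKS) cannot be judged from these files alone, and an honest report says so rather than guessing. Patch status and firewall state, the first items on the list, are better taken from the package manager and firewall tooling directly and are not covered here.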
Non-executives need to consider what their company’s cyber-security vulnerabilities are, and make sure that some or all of these routes are under consideration or already in place.