25 September, 2023

The true cost of cyber breaches

by Katherine Blackler

Cyber-security and data breaches have been making headlines following high-profile incidents at TalkTalk and Vodafone, but cyber-attacks can jeopardise the security of any company.

Photo: Shutterstock


In October 2015 three young men allegedly changed the game for TalkTalk by hacking its firewall and stealing customer information, the third attack on the telecommunications company this year.

In its half-year results report, the company estimated the short-to-medium-term charge of putting things right following the hack would be £35m.

Commentators from The Telegraph newspaper even suggest that the hack could leave TalkTalk vulnerable to a takeover.

Soon after the attack on TalkTalk, Vodafone admitted in November that almost 2,000 customer accounts were accessed using information acquired from a third party.

The company admitted customers’ names, mobile numbers, bank sort codes and the last four digits of their bank accounts could have been taken, The Guardian reports.

Unlike the cyber-attack on TalkTalk the week before, Vodafone claims its own systems were “not compromised or breached in any way”. Instead, it says customers’ account names and passwords were obtained through an “external” source. How the details came to be held by a third party is not known, but it serves to highlight that companies need to consider that it is not only their own IT systems that could leave them vulnerable.

At least 13 other big brands have been hit by cyber-security breaches. The National Crime Agency is investigating claims that account details for Halifax, O2, EE, Sky and BT Sport customers are also being sold by hackers along with passwords and user names for major retailers including Amazon, Uber, Ticketmaster and Ocado.

Cyber-attacks may have been especially prevalent recently, but it is not a new problem. In 2011 hackers accessed Sony’s PlayStation network, putting the payment details of more than 70 million customers at risk. The service was closed for several weeks, even though it has since emerged that no data was actually stolen.

Businesses are vulnerable

The attack on TalkTalk should be a “wake-up call” for British business, senior government officials have told the Financial Times, and warned that many other companies storing millions of customers’ details had weak digital security standards.

Many other large British businesses were equally exposed to such attacks, they warned, emphasising that the breach was not the work of a sophisticated state actor or terror group.

Baroness Harding, chief executive of TalkTalk, said that the company could have done more on cyber-protection, but that “no system is free from vulnerabilities”.

John Stewart, CSO of Cisco, says that a data breach is not a unique experience: “You’re eventually going to be hit. It’s not worth the effort of thinking you won’t be hit. It’s no longer a relevant conversation.”

Google and IT security company McAfee estimate that there are 2,000 cyber-attacks every day around the world, costing the global economy about £300bn a year, while the Institute of Directors says only “serious breaches” make the headlines, but attacks on British businesses “happen constantly”.

The costs

So what are the potential costs should something go wrong?

For TalkTalk, that cost was estimated at £35m. However, shares fell sharply when details of the incident were disclosed, suggesting that the potential cost to reputation could be much higher.

Deloitte’s 2014 global survey on reputation risk found that security (physical or cyber) was one of the three key drivers of reputational risk among the 300 executives it sampled.

A report from Alva has analysed the issue of data breaches and their impact on company reputation, using more than 12 months’ worth of data for TalkTalk, Sony, Barclays, RSA, LV= and Carphone Warehouse.

It found that data breaches can result in some of the most impactful downturns in sentiment for an organisation. Two of the four largest declines in TalkTalk’s sentiment score have resulted from data breach concerns, making it a genuine reputational risk.

It also found that data breaches can produce tenacious negativity. TalkTalk’s sentiment trend did not return to its pre-February 2015 breach starting point until early May, and negative data breach content only subsided in June following TalkTalk’s announcement that it would change the way in which it processed credit and debit payments to reduce the risk of a future breach.

There is a tangible ramping-up of the impact on reputation of the data breaches over the three highlighted cyber-security attacks.

This is in part due to differences in the scale of the breaches, but Alva also notes that there is the additional element of an incremental reduction in stakeholder trust when a company is repeatedly exposed to the same risk.

Tipping point

Repeated negative issues can reach a tipping point, beyond which the company loses the opportunity to mitigate risk, and damage limitation is the best available outcome.

Different stakeholders reacted to the breaches at TalkTalk with different levels of criticism and through different actions.

For customers, this manifested itself in an increase in active criticism of the organisation and the proactive discussion of switching providers.

TalkTalk’s Alva Social Media Advocacy score has plummeted since the incident, with a significant increase in switching behaviour expressed online suggesting future retention and new business concerns.

For investors, the drop in TalkTalk’s share price is indicative of concern over the company’s customer base, its ability to prevent a future recurrence and its exposure to regulatory pressures.

For regulators and politicians the number of people affected necessitates a firm stance against the company, with lengthy reviews or probes potentially fuelling future coverage of the breach and thereby extending the lifecycle of the issue.

According to Alva, a general rule of thumb when assessing the extent of reputational risk is to assess the number of stakeholders affected; the more that are impacted, the longer and more damaging the risk.

Prevention

TalkTalk insists that it had adequate defences in place, which it regularly reviewed. This is the third time that hackers have managed to breach TalkTalk’s cyber-security to steal client data in a year, suggesting that defences were struggling to cope.

It is not just major consumer brands that are at risk. Any company that holds a record of client, company or employee details could find themselves a target.

There are several routes that non-executives concerned about cyber-security at the companies they represent can take. Non-executives should review systems in place and ask:

  1. Are operating systems updated and regularly patched?
  2. Does the company have a firewall and software in place that opposes viruses, spyware and phishing attacks?
  3. Are there any wireless networks? Are they encrypted?
  4. Is company software restricted? Has anyone set up administrative rights so that nothing can be installed on computers without authorisation?
  5. Is there filtering in place that controls access to data?
  6. Is access to the web completely open? Restricting access to sites with internet filters can prevent employees and hackers from uploading data to storage clouds.
  7. Do the company computers have USB ports? Removing or disabling USB ports can help stop malicious data being uploaded or downloaded.
  8. Are there strict password policies in place?
  9. Are drives, folders and files containing sensitive information encrypted?
  10. Have you considered hiring professionals to assess your vulnerability?
  11. Insurance can be a useful tool: do you have adequate cyber-insurance cover? Who would pay the bill should the worst happen?

Non-executives need to consider what their company’s cyber-security vulnerabilities are, and make sure that some or all of these routes are under consideration or already in place.
