Cybercrime: not a case of ‘if’ but ‘when’

As UK online shoppers brace themselves for what experts are dubbing ‘the biggest cybercrime Christmas of all time’, it seems almost inevitable that, as a consumer, your personal details will be exposed in a breach at some point.

In the past year alone, TalkTalk, Vodafone, Experian, Mumsnet, Moonpig and Morrison’s are just a few of the big names that have fallen victim to cyber criminals.

In fact, the scale of the problem is much wider than this. Robert Hannigan, Director of GCHQ (Government Communications Headquarters), has said that the agency continues to see real threats to the UK “on a daily basis” and that “the scale and rate of these attacks shows little sign of abating.”

Yet despite cybercrime recently being named as the country’s most common offence, there is a sense that businesses are all too nonchalant about it. ‘It won’t happen to us’ seems to be the prevailing attitude among senior management, and the risk is too often written off as an IT issue rather than something to be addressed at board level.

While most reported data breaches in 2014 occurred in North America (76%), Europe is still badly hit, with the UK the most attacked country in Europe.

Cybercrime is estimated to cost the UK economy £27 billion a year (a significant proportion of this comes from the theft of intellectual property from UK businesses, estimated at £9.2bn a year), although the real impact is likely to be much greater, since many incidents are never reported.

Worryingly, when cybercrime was added to the overall count of crimes in England and Wales for the first time this year, the recorded total rose by 107%. The jump reflects offences that were previously going uncounted rather than a doubling of crime overnight, but it shows how much of the problem the old figures were missing.

From a communications perspective, the knock-on reputational effects of a breach can be disastrous.

TalkTalk has said the loss of 157,000 of its customers’ personal details, including 15,000 people’s financial details, could cost the company up to £35 million. Add to this the resulting loss of customer trust, and the underlying damage to brand value could take a long time to recover from.

As with any crisis communications situation, there are some key procedures that companies should bear in mind:

  • Planning and testing: preparing specific incident response plans and testing them in advance (for example by rehearsing a breach scenario with the legal, IT and communications teams together) allows a company to respond as swiftly as possible in a real situation.
  • Holding statements: again, these should be prepared in advance where possible and adapted during a real crisis so that they are relevant to consumers, stakeholders and the media. Say only what has been confirmed; a statement that later has to be corrected does more damage than a cautious one.
  • Social media: news no longer breaks on TV or in newspapers, it breaks on Twitter, and often via consumers or external stakeholders rather than the company itself. Control your message and keep people updated with breaking news as frequently as possible.
  • Transparency: be open and honest with your customers and be prepared to answer thorny questions, including what data was taken and what customers should do about it. Show the public that you are doing everything in your power to manage the situation.

Jeremy King, International Director of the PCI Security Standards Council – the industry body that maintains the PCI DSS, the global standard for payment card data security – argues that businesses need to shake up the way they view cybercrime, moving from a one-off, tick-box mentality to a mindset of constant, 24/7 monitoring:

“There is a sense in companies that data security should be dealt with by IT departments. I don’t believe this is correct – in my work, I always try and work with the C-suite as well. Cyber attacks get their attention so we try and get them to view it as an organisation-wide project that starts at board level.”

He also urges companies to create watertight cyber incident plans because, when it comes to data breaches, it is now not a case of ‘if’ but ‘when’ (something the government backs up in a recent report: “Every organisation is a potential victim”):

“There is never a pre-warning for a cyber attack. They can come at any time of the day, at any point in the year and when they do happen, companies need to be as prepared as they can be. Having an incident security plan is critical because there will be many different moving parts to deal with such as legal and financial aspects, as well as handling customers and the media.”

Luckily for consumers, new EU legislation due to be finalised in early 2016 will force businesses to rethink the way they handle cyber security.

The General Data Protection Regulation (the replacement for the current European data protection rules), the second Payment Services Directive (PSD2) and the European Banking Authority’s guidelines on the security of internet payments are all geared towards greater transparency in the way customer data is stored and used, and towards mandatory breach notification, with penalties for companies that do not report customer data breaches in a timely manner.

But while the message from the experts is clear, how many more attacks will it take before businesses start treating this as a priority, both in terms of budget and strategy?

As cyber criminals become more organised, more sophisticated and wise to new technology designed to deter them, the businesses that put cyber security at the top of the agenda will be the ones that survive in the long term.

Alice Carr, Consultant, Corporate