Cyber-attacks and corporate reputations

The Chancellor laid out plans last week to tackle what he calls “one of the great challenges of our lifetime” - the mounting threat of cyber-attack and the harm it could cause our economy and the confidence on which it rests. As challenges go, it’s a vast, complex and somewhat intangible beast, but the stakes have rarely been higher, and for those most at risk, the clock is ticking.

Hacking is hardly a new phenomenon. The practice predates the internet itself, and governments, businesses and individuals have been wrestling with the fear of security breaches for decades. But in recent weeks, the danger has been felt closer to home, and many, the Chancellor included, are rightly questioning how prepared we really are.

The dust has barely settled on a string of damaging data breaches at three major UK companies: Talk Talk, M&S and British Gas, all household names, all hold sensitive customer data, and all have had had to hit the big red button on their crisis comms mechanisms in the past month. Of the three, TalkTalk has received the most attention, in part due to early claims that the attack was linked to an "Islamic cyber jihadi group", and while two teenage boys from Northern Ireland and London have been arrested and bailed in connection with the breach, the investigation rumbles on.

As it stands, the numbers affected are less than initially feared. 4% of TalkTalk’s four million customers have had personal details compromised, and under 16,000 of these were stolen bank details, but compensating those affected can only do so much to repair the lasting damage to the brand.

All three companies have faced criticism for their reactions to the data breaches, and there’s something to learn from each one. Talk Talk initially alerted customers quickly, using the media to amplify the message, and CEO Dido Harding was rightly front and centre of the proceeding media storm. However, her pre-briefings didn’t prepare her for reasonable questions about the number of customers implicated and the level of data encryption the company had in place (encryption since found to have been desperately wanting). Ultimately, amid the complexity of the issue, she became unstuck, and in the week that followed Talk Talk’s share price fell 10%. The telecoms giant is still haemorrhaging customers, and the company estimates that it will have spent £35m on making amends by the time we have all forgotten about it.

Both M&S and British Gas also failed to adequately protect customer details, and while public scrutiny has been eclipsed by the Talk Talk episode, both have also faced criticism for the way they have handled their crises. Beloved UK retailer M&S did issue media statements shortly after its incident, but these were issued from anonymous spokespeople, a sad reflection of the distance the leadership sought to place between themselves and the problem. Somewhat worse, the UK’s largest energy provider failed on many counts to proactively alert customers to its data leak, and the PR department did too little to cooperate with the media. At best these will be seen as minor tactical oversights, but at worst they hint at a rather worrying lack of care from the top for the seriousness of exposing customer data.

From all of this, perhaps the most pervasive lesson for those protecting corporate reputation is to expect the unexpected, and prepare for every eventuality. Cybercrime is a growing threat, and wherever companies hold customer details, the reputational risks should be taken seriously at the very highest level.

Osborne warned us last week that “every British company is a target” and at present “GCHQ is monitoring cyber threats from high end adversaries against 450 companies across the aerospace, defence, energy, water, finance, transport and telecoms sectors.” His speech was a telling sign that those in Government are prepared to take a hard line on the issue, as this month’s Resilient Shield stress test on the resilience of the financial sector’s data protection capabilities goes some way to demonstrate. The outcomes of the ‘wargame’ will make for interesting reading for those in the financial sector. As will the detail of next week’s Autumn Statement, where Osborne will set out plans to almost double investment in Britain’s cyber-security capabilities to £1.9 billion over five years, and announce a single National Cyber Centre, to act as a unified source of advice and support for businesses.

This is all good news, and as budgets are being cut across the board it’s reassuring to know that those at the top are putting in place the support structures to help reinforce the security and peace of mind of people in the UK. But just as the government has a responsibility towards these sectors, the companies in those sectors also have a responsibility to ensure their own resilience, not just for their own sake, but for the sake of their customers.