Are the after-effects of a cyberattack as damaging as the initial impact?
Sixty per cent of firms are more afraid of reputational damage than data loss
A successful cyberattack is one of the most damaging events a business can go through. Lost files, passwords and security data are only half the story, though: the reputational damage is just as important.
More than 60 per cent of firms say that their reputation or brand has suffered as the result of a breach. Even relatively minor data losses are embarrassing, but when you lose the records of 143 million people, the situation becomes much worse.
The Equifax hack earlier this year was the largest corporate breach in history. Naturally, the company has come under scrutiny in the months since, and its response has been inadequate to the point of embarrassment.
The credit agency's first mistake was to set up a completely separate website for potential victims, equifaxsecurity2017.com, rather than hosting the page under its main equifax.com domain. This confused even the social media team behind Equifax's own Twitter account, which four times in the first week directed users to a fake site (securityequifax2017.com, set up by developer Nick Sweeting to demonstrate how easy it would be to spoof the legitimate page).
In addition, the new site was littered with bugs, despite the company having had as much as five weeks between finding out about the breach and disclosing it (more on that later).
These are only a few of the missteps that have characterised the company's awkward stumble through the breach process; another was its advisory website being flagged as a phishing threat.
The damage to Equifax's reputation was bad enough - but it was even worse for accounting firm Deloitte, whose entire business is structured around keeping customers' data safe.
An internal enquiry, codenamed 'Windham', established that 'only' six clients - which include some of the world's biggest banks, media enterprises, pharmaceutical firms and government agencies - had been affected, but sources speaking to The Guardian have said that the damage could be much worse.
A cyber-security expert said, "A hacker has got into Deloitte's email system and been undetected for months, and only six clients have been compromised? That does not sound right. If the hackers had been in there that long, they would have covered their tracks."
The attackers were able to break into Deloitte's system and read private email messages - ironically, because basic security controls were missing. Deloitte tells us that it was still in the process of rolling out multi-factor authentication and, according to The Guardian, was not using encryption software; it has since introduced both.
Better breach reporting
If being hacked is bad, having to admit it is worse. Sixty per cent of firms in a recent survey said that reputational damage would have the biggest impact on their business in the case of a data breach - 50 per cent more than named fines as their biggest concern. That leads to very slow reporting: Equifax took six weeks to admit that it had been hacked, and Deloitte took six months.
The problem, of course, is that breach reporting is not currently enshrined in UK law for all companies. The Privacy & Electronic Communications Regulation states that 'personal data breaches' must be reported to the ICO within 24 hours, but it only applies to certain companies, such as service providers. The Data Protection Act has no such requirement.
That will change when the General Data Protection Regulation (GDPR) comes into effect next May. Under the GDPR, any company must report a breach within 72 hours of becoming aware of it, and failing to do so can result in heavy fines.
Rafi Azim-Khan of Pillsbury Law told us that "nothing should be left to chance" when it comes to GDPR readiness:
"Companies need to ensure that they have robust policies, procedures and processes in place to ensure compliance. With the risk of heavy fines... not to mention the reputational damage and potential loss of consumer confidence caused by non-compliance, nothing should be left to chance."