EDITOR’S QUESTION
TIM ORCHARD, MANAGING DIRECTOR, F-SECURE COUNTERCEPT
Perceptions of inadequate
cybersecurity can have a huge impact
on a company’s reputation, especially
in the event of a data breach or other
security incident.
The TalkTalk data breach is one of the most
high-profile examples. The company took
an enormous amount of negative press as
a result and its share price plummeted more
than 20% in the following weeks. The breach
cost the company more than £77 million
in total, including a £400,000 fine from the
Information Commissioner’s Office.
TalkTalk has now largely recovered from the
incident and former CEO, Dido Harding,
has also been very open and constructive
about discussing the breach, for example
highlighting the issue of legacy technology
in her keynote speech at Infosecurity Europe.
Looking further back, there was a massive
commercial impact for PA Consulting when
an employee lost a USB stick containing
the personal data of more than 84,000
UK prisoners. Within two weeks, the Home
Office had announced the cancellation of PA
Consulting’s multimillion-pound contract.
The impact of a cyber incident on a
company’s reputation can vary wildly
depending on several factors. A business
that is seen as having been negligent about
basic security and failing its duty of care to
customers will always suffer the heaviest
hit to its reputation. In many cases, it is
the perception of failure that will have the
biggest impact, while the reality of the
breach may actually be quite different.
Similarly, incidents that involve the personal
details of consumers will almost always
receive more attention and a lot more
negativity. Shipping giant, Maersk, suffered
huge losses and disruption to the delivery
of global food supplies after being struck
with a major ransomware infection, but was
treated much less harshly than incidents
such as TalkTalk and BA that involved private
data. An organisation’s immediate response
in the hours and days after an incident
is also extremely crucial. Companies that
can demonstrate they are on top of the
problem and are transparent about what has
happened and how they are working to fix it
can greatly reduce the reputational damage.
Companies attempting to cover up the
incident are likely to be heavily punished.
It’s also important to note that the idea
of ‘weak’ security is often very subjective.
What amounts to inadequate security for
one business could be entirely appropriate
for another. Factors such as the potential
level of threat involved, the company’s
size, industry and operational structure will
greatly influence its risk profile and the
security measures it should have in place,
so companies should instead be thinking in
terms of ‘right sizing’ their security.
Following best practice on the basics, such
as the UK government’s Cyber Essentials
scheme, is a good way for companies to
ensure they have covered the fundamentals
that will both mitigate the risk of a
cyberattack and reduce the reputational
damage when an incident does occur, and
then move on to tackling advanced threats
and improving overall cybersecurity posture
from there.
INTELLIGENTCIO