Hack attacks threaten companies once every two and a half minutes. But the question is how they can recover people’s confidence when they’ve been breached.
Timehop, the digital nostalgia enterprise, recently revealed it had fallen victim to a hack attack. It joined a long list of companies, including Polar, Uber, Yahoo and the NHS, that have all suffered breaches in the past. And just like in those cases, the leadership at Timehop may be in for a rough ride ahead. “There are 21 million users of Timehop that should be furious right now for two reasons,” said David Vergara, director of product marketing at OneSpan, the online security company. “The first is that there is absolutely no excuse for any business today not to deploy multi-factor authentication to secure access to applications as it’s both effective and inexpensive. The second is the period of time that it went undetected and how long it took to sever the hacker’s access. This is one more huge wake-up call for businesses to roll out multi-factor authentication (MFA) and take the protection of their users’ data much more seriously.”
But while Vergara’s input might help some SMEs beef up their digital defences in the future, that still leaves them with the question of how to protect their reputation after falling victim to laptop-wielding larcenists. And this is a problem many may soon face. A recent survey from Beaming, the internet service provider, revealed that UK companies were each subjected to 52,596 cyber attacks on average over the second quarter of 2018. This equals 578 attempts a day, or one every two and a half minutes. Given the scale of the problem, startups and SMEs alike are at risk of falling victim to hackers. Fortunately, there are ways to limit the fallout from being breached.
The first thing to remember is to respond in a timely manner. “Speed, transparency and openness will help any business leader limit the reputational damage of a data breach,” said Arne Uppheim, director of SMB at Avast, the cybersecurity software company, when speaking with Elite Business. “Information on how the breach occurred, what data may have been stolen, and the steps the company is taking to not only fix this issue but strengthen its security protocols in light of it, should be fed to all customers, whether they’ve been affected or not.”
He added: “A recent example of a company doing this right is Monzo, which had some of its cards affected due to a breach at Ticketmaster. It acted quickly and notified Ticketmaster and its own affected customers, detailing the flaw and how it was securing its cardholders’ data. The far slower reaction by Ticketmaster has tarnished its name, whilst Monzo has come out looking like a responsible, customer-first company.”
But being open isn’t just a part of the process of rebuilding customer confidence after you’ve been breached – it’s illegal not to be, according to the General Data Protection Regulation (GDPR), which snapped into action in May. “GDPR states that all companies that are affected by a breach need to report it to the ICO within 72 hours of becoming aware,” said Rob Shapland, principal cybersecurity consultant at Falanx, the cybersecurity firm. “They also need to inform the affected individuals if there is a high risk of the data being damaging to their rights and freedoms – which will usually mean that the data can be used to adversely affect them in some form, such as revealing personal information or running the risk of them being a victim of ID theft.”
Another consideration is that you’ll have to face the press at some point or another after having been breached. “How you handle media interest is critical,” said Ben Rose, cyber director at Digital Risks, the insurance company. “Again, time is of the essence, so you’ll need to have statements ready to go ASAP about what you know and the actions you are taking. If you don’t have your own PR expertise internally, call on external support to provide guidance. Proactivity about containing the breach and minimising damage will go a long way to regaining trust.”
Given hack attacks can have serious consequences for startups and their clients, it doesn’t hurt to be prepared before the breach.