Matthew Webb, Head of Technology, Cyber and Data Underwriting at Hiscox, looks at the recent Talk Talk hack and the lessons it holds for SMEs.
Fronting up on national media to admit that their company has been the victim of a data hack that may have compromised the personal and financial details of millions of its customers is probably not high on the average chief executive’s wish list. Yet, last week, this was the position that Talk Talk’s Dido Harding found herself in, admitting that the company’s website had been targeted and that personal customer information may have been accessed by a hacker.
In the days following the announcement, Talk Talk has had to navigate toxic headlines and a plunging share price, as well as the logistical problems of finding out how many records have been accessed, fixing the breach, and getting its website and service back up and running. Add to that potential investigations by regulators and possible legal action from disgruntled customers, and it’s not hard to see why this type of information security failure is rapidly becoming a major risk for large corporates, particularly as Talk Talk is only one of a number of high-profile businesses to suffer recent information security breaches, including dating site Ashley Madison, Morrisons and Carphone Warehouse.
Experiencing a hack
Of course, we should dispel the myth that this is just a ‘big business’ problem. We know, for example, that more than 70% of small businesses have suffered some form of data breach over the last year and that the average cost of the worst hack for SMEs was between £75,000 and £310,800. For SMEs, however, it can be difficult to see the parallels between what happens to a big business like Talk Talk when it suffers a computer hack and what their own business would go through if their information security was penetrated.
In reality, the experience can be surprisingly similar:
Bad publicity and reputational damage
True, a small business director might not have to appear on the News at Ten to explain a data hack, but bad news amongst clients and prospects travels fast via social media, and SMEs will have to be alert to mitigating reputational damage. Some have criticised Talk Talk for not being quick enough to communicate, but I think they got the balance about right between understanding the problem and communicating with their customers. SMEs need to be just as proactive, albeit in a more modest and targeted way. It’s important to get the tone of your communications right. When working with fewer customers and clients, the personal touch is all-important.
Fines by regulators
The Information Commissioner’s Office (ICO) regularly fines big business for information security breaches, and Talk Talk could be subject to a fine of up to £500,000 if found guilty of breaching data protection laws. Again, it’s not just big business that needs to worry about the ICO. SMEs are increasingly being fined by the ICO for information security failures, and even sole traders are not immune, with one fined £5,000 for failing to encrypt a hard drive containing details of the company’s 250 customers.
‘Business as usual’ interrupted
With the Talk Talk website down, normal business was interrupted, which in turn could have an impact on revenue generation. The impact for small businesses can be just as devastating if, for example, a website is down or its systems have been hacked and locked. The drain on management time, whatever the size of the company, will also disrupt business as usual. CEOs and senior management will be diverted from their diary commitments to manage the crisis, which, in turn, could stall the company’s short- and even long-term development.
Computer forensics, lawyers, PR specialists
You can be sure that Talk Talk will have engaged a full army of experts to help isolate the attack, work out what went wrong and which records have been compromised, set up call centres, and manage its reputation. SMEs will need to go through a similar process to successfully manage any information breach.
A ‘big company’ response for SMEs
The good news for SMEs is that a good cyber insurance policy means they can deliver a ‘big company’ response to a data breach. Our cyber and data policy, for example, does far more than just provide financial compensation. We have assembled a number of ‘blue chip’ suppliers who offer practical support in the event of a data breach (electronic or otherwise), including forensic investigations, legal advice, notifying customers or regulators, and offering support such as credit monitoring to affected customers.
It’s (almost) inevitable: be prepared
Every business, no matter how small, must be prepared for an information security breach. And while an SME might not find itself plastered all over the national media, it might find the experience uncomfortably similar to Talk Talk’s current problems.
Find out how you can protect your business over on our Cyber and Data insurance page.