Executing a Last-Minute Cybersecurity Strategy is a Recipe for Disaster. Here's Why
Business leaders are responsible for the ongoing success of the organisations they represent. The aim is to make the company grow beyond its competitors and ensure everyone, from staff to shareholders, is pleased with the progress made.
To do this, C-Suite executives must focus on business-critical objectives. In the past, these may have been profit, customer creation, market share, and productivity, for example. However, today, adequate cybersecurity is just as critical.
It can be considered the most important. Why? Because it impacts every other objective. The fallout from a cyber-attack includes financial losses. A company with weak security that has experienced a breach is less likely to attract new customers. Existing clients may go elsewhere and give their business to a competitor. And when it comes to productivity, cyber-attacks can rip through your digital infrastructure, essentially bringing innovation to a halt.
The Trouble with Data
Today, the business world is driven by data. Big data generation and analysis has moved beyond the realms of the tech giants and now provides medium to large organisations with an unprecedented opportunity to innovate.
However, while data is considered the new gold for businesses, it's easy to forget that this profitable resource is equally tempting to cybercrooks. With your company's data, criminals can access PII and other sensitive information that could well land you in serious trouble with the authorities for failing to adhere to the various data protection regulations. Data is perhaps the driving force behind upgrading cybersecurity from an IT initiative to a critical business objective.
So, what does the fallout from failing to support a solid cybersecurity strategy look like?
This article will examine some UK companies that left it too late to either develop and implement an adequate cybersecurity defence plan or failed to recognise the ever-evolving nature of cybercrime.
British Airways: One of the most significant global data breaches in recent years occurred at British Airways (BA) in 2018. Hackers made off with a haul of data, including customer login details, booking details, PII, and payment card information.
In all, more than 400,000 BA customers were affected by the hack. All the cyber-attacks we mention in this article happened because cybersecurity provisions were lacking. If you fail to act at all, the fallout could be even worse.
Ultimately, BA was forced by the Information Commissioner's Office (ICO) to pay a fine of £20 million. The largest ever divvied out by the organisation.
Boots: Boots were required to suspend all payments using the company's Advantage Card in March 2020 after hackers infiltrated customer accounts. Interestingly, the company's systems weren't breached. However, their customer's accounts were.
Cybercrooks undertook a credential-stuffing attack where breached credentials are used to access live accounts. Yet, this is still a failure by the pharmacy chain because measures weren't in place, such as advanced multi-factor authentication, continual authentication, and breached password protection, to stop the attack from succeeding in the first place.
Around 150,000 people were affected by the attack, and although cybercriminals stole no credit card information, Boots was severely damaged reputationally.
Teletext Holidays: One of the most severe breaches in the UK affected Teletext Holidays customers. Two hundred thousand people had their recorded phone calls exposed. Some of the calls even revealed partial credit card numbers. Astoundingly, the exposure on an unprotected AWS cloud server continued for three years.
Ultimately, thieves couldn't instantly access credit cards and start using them to make purchases. Instead, by making transcripts of the calls, some of which lasted for more than an hour, an unknown number of malicious actors would have been able to glean personal information.
As we mentioned early on in this article, data of any kind is precious. A hacker can create a customer profile that malicious actors can trade on the Dark Web by piecing together personal details such as name, address, telephone number, and email address.
Dixons Carphone: UK consumer tech giant Dixons Carphone was hit with a £500,000 fine by the ICO for failing to protect over 14 million customers. A malicious hacker had managed to bypass the defences in place at the retailer and install malware on 5,390 in-store tills.
For more than nine months, the software continued to harvest personal details and financial information from anyone that purchased products at the affected stores. Of course, Dixons Carphone had measures to combat cybercrime, but they weren't good enough.
What is incredible about this case is the length of time the attack was allowed to continue. The company installed no upgraded technology or software for nine months to detect and stop an attack like this. If you commit to cybersecurity measures, you must ensure they are ongoing and evolve with the emerging threats that could harm your organisation and your customers.
Now is the Time to Act
All of the cyber-attacks we've showcased in this article occurred at major corporations. However, when a similar attack happens at a small to medium-sized organisation, the fallout can be crippling.
Fines, often in the millions, can put a company out of business overnight. And, even if they don't, the reputational damage can be impossible to recover from.
Don't leave it until the last minute to roll out a cybersecurity strategy. At the upcoming UK Cyber Week conference, we're inviting business leaders to join hundreds of other attendees to hear from industry experts.
You'll learn about the latest threats and, more importantly, how to counteract them. Find out more on the UK Cyber Week - Expo & Conference website.