2017 was a big year for data breaches. 2018 might just be the year when people and organisations really see the cyber landscape start to evolve as a consequence. Here’s why.
It wasn’t just high-profile names such as Equifax and Uber that suffered. Deloitte, Pizza Hut, CEX, Bupa, Zomato, Three and Wonga were all hacked. And that’s by no means an exhaustive list. Millions of names, email addresses, phone numbers, and passwords leaked from vulnerable companies into the hands of cybercriminals.
The largest breach saw the loss of the Social Security numbers of 147.9 million Americans (roughly half the US population). Recovering from that kind of data breach will take more than updating a password or two: the people affected will be at a higher risk of fraud of all kinds, potentially for the rest of their lives. Lawsuits will likely follow that kind of damage, and numerous senior IT and security leaders at the affected firms have already lost their jobs.
In 2018 data breaches are still on the rise, headlined by the Cambridge Analytica scandal in which 87m Facebook users may have had their data harvested. Businesses are feeling the heat from attacks caused by everything from flaws in payment systems and weaponized ransomware, to misconfigured cloud storage buckets and phishing emails. And concerns about data breaches are taking their toll on consumers and already affecting customer loyalty.
There are some clear lessons we can learn from 2017 and 2018 so far: first, know what data you have, where it’s stored, and how quickly you’ll know if you’ve been hacked.
Second, know exactly what to do in the wake of a breach – from communications to customer service. Previous attacks have seen announcements delayed by weeks, one of a series of missteps that could have been reduced if the companies had a detailed plan to follow.
Of course, you should have measures in place to protect yourself from data breaches. But you should also have contingency plans for when things do go wrong. Data breaches are an all-too-frequent fact of life. Nobody’s surprised when a company suffers a large-scale attack. But how the company handles the aftermath of a data breach can make a huge difference in limiting reputational damage.
Having a contingency plan for a data breach has now shifted from being ‘important’ to ‘critical’ for your company in 2018. Being cyber ready and resilient is a must. It’s no longer enough simply to set up cyber defences at the perimeter: breaches and attacks are now a fact of corporate life. The speed and nature of your reaction is key to mitigating damage, maintaining your reputation and returning to normal operations.
Regulatory factors are also key. To comply with GDPR, you’ll need to report any significant data breach to the relevant supervisory authority within 72 hours to avoid a potentially substantial fine. That means you need to have breach detection, investigation and internal reporting procedures in place that can cope with that kind of deadline.
It’s much more than a bureaucratic exercise: reporting a breach is a chance for your company to maintain trust. Strike the right tone of humility, apology, and rapid, professional resolution – and you might be able to dodge the worst of the reputational damage, and escape with a bit of hard-won trust intact.
If the example set by 2017 is anything to go by, the consequences of getting it wrong are severe. And that’s only going to get worse as the stakes continue to rise in 2018, so make sure your company is focused on becoming truly cyber ready.
Cyber security is a key concern for organisations of all sizes. Protecting devices, networks, data and apps is an essential component of doing business. Vodafone provides security products and services to businesses of all sizes, helping you secure your business anywhere because we are everywhere. We are trusted by organisations globally, including utilities, financial institutions and government agencies. For more cyber security insights, you can find us on Twitter and LinkedIn.