Ever fallen over in front of other people? More often than not you probably rush to your feet and try to pretend it never happened. Well, it’s a similar sentiment that makes companies so cagey when they suffer a cyber attack – even though hackings are becoming more commonplace and more difficult to deal with.
It’s not surprising that a new IoD survey of 1,000 members found one in ten firms had suffered a financial loss from cyber crime in the past year, and that of those, under a third reported the attack to the police. Reputation, as the old adage goes, can take a lifetime to build but only seconds to destroy. Wanting to safeguard it is only natural.
You only need to consider the go-to example of TalkTalk, whose cyber attack was predominantly played out in the public eye, to appreciate that it can impact revenues, share price and customer numbers. In the grand scheme of things the hacking TalkTalk suffered could really have been a great deal worse, but it still managed to lose 100,000 customers in the aftermath.
Although the reasons for secrecy are understandable, there are obvious issues with taking a clandestine approach to cyber attacks. The less that is shared, the less is learned, and the more susceptible others will be to similar attacks paying off again. Realistically though, companies collectively are unlikely to do much about that unless made to.
Telecoms companies are legally required to report cyber breaches within 24 hours or face (wait for it) a £1,000 fine. That may not be enough to get the CFO out of bed, but at least it’s something. But letting other firms decide for themselves whether to report attacks seems not just risky but outdated. The European Parliament is planning a law change so that other firms running critical services, such as banks, would have to report breaches. That could be a starting point for normalising the reporting of cyber attacks.
Businesses’ lack of strategy and know-how when it comes to cyber security has become a bit of a broken record. But while the types of attacks are likely to grow increasingly sophisticated, the situation is unlikely to improve for firms unless more information is shared.
There’s a gradually shifting perception that cyber security is a boardroom concern, not just an IT one. The next step is realising that reputations could be better protected in the future by being more upfront now about what has led to attacks. Being shamed for being the victim of cyber-criminals is bad, after all, but being shamed for trying to hide it from your customers is surely worse.