19 Mar 2014

‘Cyber-shame’ means never having to say you were hacked

Imagine your company gets hacked: who do you tell? The police? Trading standards? Your customers?

Now, think like a chief executive – your key concern is how it affects your company’s profits (and that could include damage to its reputation). So you tell your board of directors, but not the cops. Why? Because the police’s forensic investigation may actually end up disrupting the business and costing you money. And you can’t be sure they’ll even get your stolen stuff back.


You’re supposed to tell the Information Commissioner’s Office if you lose people’s personal data – but how do you know whether you have? After all, your IT security person tells you several gigabytes of data went missing, but can’t confirm whether it included customers’ details. So no, no call to the ICO.

And, since you can’t tell whether individuals’ data went missing, there’s no way you’d consider telling your customers.

All of this adds to a condition I’ve come to call “cyber-shame”. If a bank gets held up at gunpoint, its bosses generally feel safe in the knowledge that the public will blame the crooks rather than the bank. If a company gets hacked, there’s a deep-rooted fear that people will blame the company, somehow forgetting the criminals who are actually responsible.

The net result is a culture of secrecy around corporate hacking, and this is why thousands of companies in the UK can get hit every year, losing millions of pounds, and we never find out about it. It also explains why, despite three years of trying, I’ve never managed to get a corporate hacking victim to talk on-record to Channel 4 News. But that situation could soon come to an end.

New European rules will oblige companies to inform their customers as soon as reasonably possible once a data breach has occurred. And the ICO will be able to levy fines calculated as a proportion of a company’s revenue (as opposed to the current fixed maximum) – ouch.

If you want an idea of how this new system will change things, look at the US, which already operates a similar system: when companies are hit they must write to customers and tell them. The firms try to make the letters as vague as possible, but the recipients have started sending them to security researcher Brian Krebs, who hassles the companies concerned until they come clean about what’s actually happened. His tactics are a large factor in how we found out so much about the Target cyber-attack.

The Krebs storm is now coming to Europe. It’s going to be a shock.

Follow GeoffWhite247 on Twitter