Tag Archives: Reputational Damage

“UK businesses could spend £1.2 million recovering from a cyber security breach” states new research from NTT Com Security

Most business decision-makers in the UK admit that their organisation will suffer from a cyber security breach at some point. They also anticipate that recovering from a data breach would cost upwards of £1.2 million on average for their organisation. That’s according to the Risk:Value report issued by information security and risk management company NTT Com Security, which surveyed business decision-makers in the UK as well as the US, Germany, France, Sweden, Norway and Switzerland.

While nearly half (48%) of UK business decision-makers say that information security is ‘vital’ to their organisation, and just half agree it’s ‘good practice’, a fifth admit that poor information security is the ‘single greatest risk’ to the business ahead of ‘decreasing profits’ (12%) and ‘competitors taking market share’ (11%) and on a par with ‘lack of employee skills’ (21%).

Well over half (57%) agree that their organisation will suffer a data breach at some point, while a third disagree. One-in-ten state that they simply don’t know if this will be the case.

Respondents estimate that a breach would cost them an average of £1.2 million, even before ‘hidden costs’ like reputational damage and brand erosion are taken into consideration. Again, on average it would take around two months to recover from a breach. Respondents to the comprehensive survey also anticipate a 13% drop in revenue, on average, following a breach episode.

Starting to hit home

The survey shows that recent high-profile data breaches are starting to hit home. A similar report published by NTT Com Security in 2014 revealed that 10% of an organisation’s IT budget was spent on information security compared to 11% this year. However, in the latest report, around a quarter (23%) of UK businesses reveal that more is spent on Human Resources than information security.

In terms of remediation costs following a security breach, nearly a fifth (18%) of a company’s costs would be spent on legal fees, 18% on fines or compliance costs, 17% on compensation to customers and 11% set aside for third party remediation resources. Other anticipated costs include PR and communications (14%) and compensation paid to both suppliers (12%) and employees (11%).


According to the report, the majority of respondents in the UK admit they would suffer both externally and internally if data was stolen, including loss of customer confidence (66%) and damage to reputation (57%) as well as suffering direct financial loss (41%). Over a third of decision-makers (34%) expect to resign (or expect another senior colleague to do so) as a result of a breach.

Stuart Reed, senior director for global product marketing at NTT Com Security, commented: “Attitudes towards the real impact of security breaches have really started to shift. That’s no surprise given the year we have just had. We’ve seen several major brands reeling from the effects of serious data breaches, and struggling to manage the potential damage, not only to their customers’ data, but also to their own reputation. While the majority of people we spoke to expect to suffer a cyber security breach at some point, most fully expect to pay for it as well, whether that’s in terms of third party and other remediation costs, customer confidence, lost business or even, possibly, their jobs.”

Whose responsibility is it anyway?

• 41% of UK organisations have a disaster recovery plan in place, with 40% having a formal security policy in place. In both cases, almost half are in the process of implementing or designing one
• When it comes to responsibility for managing the company’s recovery plan, 15% say the CEO now has responsibility, although this still largely falls to the Chief Risk Officer (CRO), the Chief Information Officer (CIO) or the Chief Security Officer (CSO)
• While 77% agree it’s ‘vital’ their business is insured for security breaches, only 26% have dedicated cyber security insurance. However, 38% of those questioned are in the process of obtaining a policy
• One-in-five respondents in the UK say they don’t know if their organisation has any type of insurance in place to cover for the financial impact of data loss or an information security breach

“It’s encouraging to see that almost all UK businesses now have a disaster recovery and formal information security policy in place, or are at least planning to implement one soon,” added Reed.

“Clear, concise internal processes and policies for employees and contractors have so often been overlooked, and this is what can lead to complacency and poor security hygiene. When we talk to clients, we make it absolutely clear that educating staff about security should be a top priority, supported all the while by clear and simple procedures and backed up by a solid incident response plan.” 

*The Risk:Value Executive Summary report can be downloaded here


Filed under Risk UK News, Uncategorized

Standard protecting food from malicious and deliberate attack revised by BSI

BSI has revised its PAS (Publicly Available Specification) that safeguards food and drink against malicious tampering. PAS 96 Defending Food and Drink was first published in 2008 as a guide to Hazard Analysis Critical Control Point (HACCP) which identifies and manages risks in supply chains.

The food and drinks industry is used to handling natural errors or mishaps within the food supply chain, but the threat of deliberate attack – although not new – is growing with the changing political climate. Ideological groups can see this as an entry point to commit sabotage or further criminal activity.

Therefore, the impacts of threats to the food supply chain are great. They can include direct losses when responding to acts of sabotage or paying compensation to affected producers and suppliers, customers and distributors. Trade embargoes may be imposed by trading partners and longer term reputational damage may occur as a result of an attack.

David Fatscher, head of market development for sustainability at BSI, explained: “It’s not just events such as the horse meat scandal and the subsequent Elliott Review that realise a need for clarity in the food supply chain. As issues such as ‘Food Terrorism’ become more of a reality, businesses need to be extra vigilant and confident that they’ve set up the basic practices on keeping their supply chains ‘sabotage free’. PAS 96 was specifically designed to minimise the risks associated with deliberate attack, enabling businesses to stay one step ahead and not suffer damage to their reputations.”

BSI has revised PAS 96


The revision of PAS 96 includes the introduction of the Threat Assessment Critical Control Points (TACCP) risk management methodology. The TACCP process will help businesses of all sizes avoid and mitigate threats to their food supply chain.

The development of PAS 96 was sponsored by the Department for the Environment, Food and Rural Affairs (Defra) and the Food Standards Agency.

What PAS 96 can do

• Introduce the TACCP process
• Offer scenarios on how TACCP may be applied in existing businesses
• Provide guidance to food business managers through approaches and procedures to improve the resilience of supply chains to fraud or other forms of attack
• Aim to assure the authenticity of food by minimising the chance of an attack and mitigating the consequences of a successful attack

PAS 96 will benefit all organisations, but may be of particular use to managers of small and medium-sized food enterprises who may not have easy access to specialist advice. It’s of value to those involved in manufacturing, purchasing, supplying and selling food products.


David Fatscher: head of market development for sustainability at BSI

Some of the organisations involved in the development of PAS 96 have included Agrico UK Limited, the Department for Environment, Food & Rural Affairs (Defra), the Food Standards Agency, the Global Food Security Programme, Heineken UK, J Sainsbury plc, McDonald’s Europe and Tesco.

Other businesses involved in the standard’s development are Bakkavor, Cargill, GIST Limited, Hilton Food Group plc, Leatherhead Food Research, Raspberry Blonde and SSAFE.


Filed under Risk UK News

CrowdControlHQ: “IT directors ignore social media risks at their peril”

Marc Harris (Chief Technical Officer at CrowdControlHQ) examines the issues facing IT directors from the use of social media.

Many IT directors operate their own personal Facebook and LinkedIn accounts. However, when it comes to corporate social media, they pass responsibility for managing it to the Marketing Department. Are they doing so at their peril?

Let me start with the elephant in the room, namely the role of the IT director. After an extensive IT career in the media, telecommunication and technology sectors, recent experience has led me to conclude that social media needs to be firmly at the top of the priority list of every IT director.

In my current role, I see at first hand the impact of reputational damage realised by both internal and external sources through the use of social media, and find it surprising how few IT directors are willing to discuss the issues or attend conferences on the subject. Perhaps they feel an unwelcome interference or ‘elbowed out’ by this new communication channel which has evolved extensively under the umbrella of marketing?

In future, the organisations succeeding in the social media space will have Marketing and IT Departments working seamlessly together to tackle the issues. The ‘DNA’ of IT makes it the most qualified department to deal with some of the risk issues that surround social media, so why isn’t it more involved?

Today, social media is being used in every aspect of business, from the Boardroom right through to the delivery of customer service. By its very nature, social media is a collective responsibility. Not surprisingly, its reliance on ‘collaboration’ has in some instances manifested itself as ‘sharing’ responsibility for posting of content… and even the sharing of passwords!

New rules now apply

I once overheard a social media officer quite gleefully boasting of the fact that they had the Twitter login to hand for their company chairman. When challenged, the officer admitted that he was ‘The Chosen One’. If he was off sick that was it – no tweets or updates! Worse still, if he left the organisation he had the power to bring the place down tweet by tweet.

This is the stuff that would have kept me awake at night as an IT director, yet in a world powered by social engagement new rules seem to apply.

Marc Harris: CTO at CrowdControlHQ


Recent research also reported that a scarily large number of employees still use the dreaded Post-It note to record their login usernames and passwords, stuck to walls, desks and even the computer screen. Apparently, we’re not coping well with the need to access everything online from social media to our weekly shop and fear our mobile devices could be pinched. We’re reverting to pen and paper, it seems.

This practice can only end in tears. There have now been too many examples of ‘rogue’ tweets, no audit trail of who posted them (or why) and organisations – who, frankly, should have known better – being left rosy-cheeked, so why is this practice still so rife?

Why would an employee, with their job on the line, ‘fess up’ when they know that at least 15 other people had access to the account that day?

I also believe that few IT Departments have a handle on the number of users across their ‘official’ social media accounts, let alone a log of which password protocol they are using, how they are accessing the site or posting.

Need to look both ways

We cannot just blame the employees. Even organisations with the most robust and celebrated IT protocols let themselves down when it comes to simple issues such as data storage. I suspect very few IT directors are crystal clear about where their marketing communications teams are storing their social media campaigns, let alone harbour an understanding of the conversations from the past that they may need to reference in the future or where they keep their notes about their customers linked to these campaigns.

I would hazard a guess that many IT Departments are breaking their own compliance and governance issues when it comes to social media.

Today, there’s no need to share passwords. The social media ‘savvy’ have cottoned on to tiered password access, with both the IT and Marketing Departments having an ‘on/off’ switch to give them instant control in times of crisis. If IT is involved in the installation of a Social Media Management Solution (SMMS) they can see exactly who is plugged into the system, where accountability lies and who they need to train and develop to uphold the security protocols needed in order to keep an organisation’s reputation intact.

Within the scope of most IT budgets a SMMS will be a drop in the ocean but will address these major issues. Any smart IT director will already be looking at a SMMS if there isn’t already one in place. Such a system gives control back to the organisation. All passwords are held in one place such that accounts are not owned by individuals but by the company. The right system gives an organisation the ability to moderate content at a senior level. In turn, the risk of misuse or mistakes can be eradicated.

A SMMS also takes care of the practical management issues. I fear that some organisations are taking a step backwards in terms of their technological evolution, reverting to time-wasting, ineffective manual processing of social media (e.g. multiple logins to different social media platforms rather than using readily available tools for automation and effectiveness).

The message is clear. IT directors ignore social media at their peril. When it comes to corporate social engagement, it’s time for them to wake up, check and challenge.


Filed under Risk UK News

“Businesses facing high costs of supply chain disruption” states BCI’s research

Business Continuity Institute (BCI) research has exposed the high costs that businesses are facing as a result of supply chain disruptions in this increasingly interconnected world. Nearly a quarter of businesses surveyed have suffered from disruptions within the past year that cost in excess of €1 million, with 40% of them not having sufficient insurance to cover those losses. 20% were only insured against half of these losses.

Organisations simply cannot bury their heads in the sand and pretend an incident will never happen to them. The BCI survey shows that 76% of respondents had experienced at least one supply chain disruption during the previous twelve months, yet more than a quarter of respondents (28%) still had no business continuity arrangements in place to deal with such an event.

Supported by global insurer Zurich Insurance Group, the BCI report concludes that supply chain disruptions are costly and may cause significant damage to an organisation’s reputation.

While the survey results indicate a growing awareness of business continuity and its role in ensuring supply chain resilience, many organisations have yet to improve on their reporting and business continuity arrangements. Budgets for business continuity and ensuring supply chain resilience are often slashed in favour of other priorities, but this latest study demonstrates why such a move is often found to be an unwise course of action.

With the growing cost of disruption worldwide and the potential reputational damage caused as a result of failing to have appropriate transparency in the supply chain, investments in this area are essential and can make the difference when disaster strikes.

Business Continuity Institute research has exposed the high costs that businesses are facing as a result of supply chain disruptions in this increasingly interconnected world


Further findings from the research are as follows:
• 78.6% of respondents don’t have full visibility of their supply chains
• Only 26.5% of organisations co-ordinate and report supply chain disruption on an enterprise-wide basis
• 44.4% of disruptions originate below the Tier 1 supplier
• 13% of organisations don’t analyse their supply chains to identify the source of the disruption
• The primary sources of disruption to supply chains in the last 12 months were unplanned IT and telecommunications outages (52.9%), adverse weather conditions (51.6%) and outsourced service failure (35.8%)
• Loss of productivity (58.5%) remains the top consequence of supply chain disruptions for the sixth year running
• Increased cost of working (47.5%) and loss of revenue (44.7%) are also more commonly reported this year and round out the Top Three
• Respondents reporting low top management commitment to this issue have risen from 21.1% to 28.6%. This is a worrying finding as low commitment is likely to coincide with limited investment in what is a key performance area
• The percentage of firms having business continuity arrangements in place against supply chain disruption has risen from 57.7% to 72.0%. However, segmenting the data reveals that small and medium-sized enterprises (SMEs) are less likely to have such arrangements in place than large businesses (with scores of 63.9% and 76.2% respectively)

Commitment to business continuity

Lyndon Bird FBCI, technical director at the BCI, commented: “Should we be alarmed by some of the figures revealed in this survey? Perhaps so. Should we be surprised by them? Probably not. As long as organisations are failing to put business continuity mechanisms in place, and as long as top management is failing to give this issue the level of commitment it requires, supply chain disruptions will continue to occur and they will continue to cost organisations dearly. In our globally connected world, these supply chains are becoming ever more complex and more action is needed to make sure that an incident in one organisation doesn’t become a crisis for another.”

Nick Wildgoose, global supply chain product leader at Zurich Insurance Group, commented: “Top level management support is fundamental to driving improvements in supply chain resilience. I’ve witnessed the significant disruption cost reductions can have in this area. This should be regarded as a business change programme in the context of driving value through supplier relationship management and becoming the customer of choice for your strategic suppliers to improve your business performance.”

Now in its sixth year, the BCI’s annual Supply Chain Resilience Survey has established itself as an important vehicle for highlighting and informing organisations of the importance of supply chain resilience and the key role it plays in achieving overall organisational resilience in today’s volatile global economic climate.

The outcomes of previous surveys have provided organisations with critical insights and valuable information to support the development of appropriate strategic responses and approaches to mitigate the impact and consequences of disruptions within their supply chains.

In terms of this year’s online survey, 525 respondents came from 71 countries and worked in 14 SIC industry sectors. The majority of respondents were from outside the UK.

A major survey from State of Flux – entitled: ‘2014 Global Supplier Relationship Management Research Report’ – was published on 6 November and reinforces the importance of this area as part of overall business performance.


Filed under Risk UK News

PwC Global Economic Crime Survey 2014: ‘Staff frauds on the rise’

PwC’s Global Economic Crime Survey 2014 states that the number of frauds committed by staff as opposed to those outside of an organisation has risen from 34% in 2011 to 41% in 2013.

The survey also shows that the profile of the typical fraudster is changing. Previous surveys found that middle management were often behind economic crimes. Now, the findings reveal that most economic crimes carried out by someone inside an organisation are by junior members of staff.

According to the survey of over 5,000 businesses (including nearly 400 from the UK), internal fraudsters are most likely to have been with a company less than five years.

Ian Elliott, PwC’s forensic services partner and author of the new report, commented: “Our survey shows the changing face of white collar crime in Britain today. More and more companies are feeling the pain as economic crime continues, despite ongoing attempts to tackle it. Organisations need to be ever-vigilant for suspicious transactions.”

UK businesses continue to suffer financially from fraud


Elliott added: “People may be feeling the effects of increases in the cost of living, giving them more incentives to turn to crime. As such, employers need to make it difficult for their staff to commit crimes. They cannot afford to be complacent.”

Watch a video of PwC’s Ian Elliott outlining key points uncovered by the survey

Type of fraud is changing

The survey findings record a fall in the number of UK organisations reporting economic crime, from 51% in 2011 down to 44% in 2013. However, fraud in Britain is still higher than the global average of 37%.

The type of fraud is also changing, with less accounting fraud as fraudsters turn to high-tech ways of committing economic crime. At the same time, companies have improved their internal controls and, as such, have made life more difficult for potential fraudsters.

Infographic showing key findings of the latest PwC research

There has been a small drop in the reported level of cyber crime which, at 24%, is down from 26% in 2011. Cyber crime was also responsible for 24% of all reported frauds.

UK businesses are more aware of the risks than ever – and more aware than their global counterparts (63% compared to 48% globally).

“Many people may not be reporting cyber crime simply because they don’t know it has happened, or because they want to keep it contained,” explained Elliott. “They are concerned about what effect it has on their reputation. It’s also important to remember that it’s not a technology problem. It’s a human problem, and the internal threat needs to be taken as seriously as the threat from outside an organisation.”

Less than a third of Board members (32%) reported fraud in their organisations, but below Board level this climbed to 63%.

For the purposes of the PwC survey, economic crime is described as: “The intentional use of deceit to deprive another of money, property or legal right”


“Increasingly,” continued Elliott, “we’re seeing fraud on the Board’s agenda but there is still a gap between what is being reported by the Board and the reality of what is taking place in British business today.”

Changes to policies and procedures

UK businesses continue to suffer financially from fraud. 52% felt the financial impact had increased in the last two years compared to 42% globally, but high value financial losses in the UK were lower than on the global stage (at 15% compared with 20% suffering losses in excess of $1 million).

As a result of the Bribery Act, which came into force in 2011, 87% of British organisations have made changes to policies and procedures and 37% have had a major overhaul of their anti-bribery policies.

“With little or no growth in the UK in the last few years, many British companies have looked overseas to some high risk markets,” outlined Elliott, “but they need to be on the alert for the potential bribery risks they may face when operating in these markets.”

UK businesses take a dim view of fraud and, in 88% of cases, it leads to dismissal compared to 79% globally. The police were called in to companies in 63% of cases compared to just 49% of frauds around the world.

In conclusion, Elliott explained: “When employees just receive a warning, or are transferred to another department, it sends out a message: the business tolerates fraud. However, UK bosses have taken a stand. They will not let employees get away with defrauding them, even if it means negative publicity for them as a result.”

About the survey

For the purposes of the survey, economic crime is described as follows: “The intentional use of deceit to deprive another of money, property or legal right.”

In the UK, 372 people responded to the online survey. Respondents are from a mix of different sectors and represent listed, private and public sector organisations.

60% of respondents to the PwC survey were senior executives.

For the full UK and global report visit: http://www.pwc.co.uk/crimesurvey

To watch the live webcast at 11.00 am on Wednesday 19 February go to: http://www.pwcplayer.com/webcasts/2014_02_global_economic_crime_survey


Filed under IFSECGlobal.com News