The real price of hacking for brands

In our last article, we established that governments must err on the side of caution with hacking, and that handling the aftermath of a cyber attack well is of vital importance. Equally where brands are concerned, failure to protect themselves can have potentially disastrous consequences.

The Internet is a vast and ever expanding creature, hard to patrol and almost impossible to govern. According to UK newspaper The Guardian, there are now over 4,500 web-based attacks daily. The truth is this – if you have a web presence, you’ll likely be exposed to some sort of cyber crime at some point.

These attacks range from the debilitating (cyber squatting is believed to cost brands almost 1.25million SGD per year, per brand) to the embarrassing – Burger King recently had their Twitter account hacked, with all their particulars changed to promote their competitors.

Several other high profile brands have been targeted too, with Facebook, Twitter and Apple among what is thought to be almost 100 companies infected by a particularly potent, Mac-based malware virus that originated from an iPhone developer website, iPhoneDevSDK.

But it’s not always clever tech and malicious software like XSS and SQL injection that accounts for these breaches. Again, we return to human error and social engineering. No matter how much technology brands use to protect their online platforms, human beings themselves are still susceptible to being socially engineered – essentially human hacking – into giving away important information.

The truth is that many people use the same passwords for every account, and many people use simplistic passwords that combine things like their spouse’s name, his or her birthday, or anniversary date. Most people choose the simplest security question such as “your mother’s maiden name”. Once a target within an organisation is known by name, finding that information is easy via social media or a few fake phone calls.

When top secret plans for a new defense building can be found in a trashcan in downtown Ottawa, as happened in 2008, it is clear that human error remains the single largest root cause of cyber security.

And we should not underestimate the cost of hacking to brands. In 2009, a false story was published on CNN’s iReport, claiming that Steve Jobs had died of a heart attack. Although it was a hoax, Apple’s stock price dropped by 6.6 percent – a reported $(US)5.62 billion loss in market capital. The 2011 hack of Sony Playstation’s online videogame services reportedly knocked 6% off the electronics manufacturer’s share price. And this is without taking into account the additional cost from lost business and future investment requirements.

Add to this the adverse affect a hack can have on morale within the company itself, the brand’s reputation, and trust that its customers have for it, and it is clear that a hack has a detrimental effect on a brand’s value, both in the immediate short-term, but also in the restoration of a brand’s value moving forward. A Japanese analyst claimed that the Sony hack could cost Sony more than $(US)1.25 billion in costs to repair the damage done to their brand

Brands spend a lot of money on advertising and marketing; they spend time creating, reinforcing and protecting their brand. And yet, as we’ve seen, they often don’t pay enough attention to protecting that brand online, in addressing both human and technological vulnerabilities.

Here are some basic ideas on how brands can safeguard their websites from external threats:

  • People need education; need to change the way they adhere to password policies, the way they handle remote access to servers, the way they handle interviews, deliveries and employees who are hired or fired.
  • Passwords in particular are difficult. With no standards, employees tend to use the same password for everything. Enforce too stringent a standard, and employees have to resort to writing their passwords down. Clearly having your passwords written on a post-it note in your top drawer is not the ideal outcome. A balance must be found.
  • Software vendors are becoming more skilled at creating software that is hardened, or more difficult to break into. As hackers are hitting more hardened software and as software and network attack vectors, such as remote hacking, are becoming more difficult, hackers are turning to social engineering skills.
  • People are not educated in the security policies of a company and general good security practices because they believe that it will not happen to them and no one will bother reading through that information. People also take HR policies rather lightly, not understanding their own responsibilities as an employee of a company.
  • Brands should ensure their sites are tested for vulnerabilities and are maintained and upgraded. On-going maintenance can seem trivial against the up-front work and costs, but is vital to ensure software is up-to-date.
  • Brand sites should also be reviewed against common security vulnerabilities – techniques such as SQL injection and cross-site scripting are relatively easy to prevent, but leave back-doors open to technologically proficient hackers if they are not dealt with.

The fact is, no brand, however high the profile, is completely safe from the multifarious threats out there – technological, viral, physical, human. It is always difficult to protect against the human piece, because it’s almost impossible to predict. That’s why it is even more imperative for brands and organisations to get the basics right, and prioritise the security of their site. The alternative could be a very expensive repair bill.

This article was contributed by Margaret Manning of Reading Room.