The ongoing fall-out of the cyber attack on Marks and Spencer — five weeks after the attack it looks like the U.K. retailer will take a £300 million ($403 million) hit to operating profits, while CEO Stuart Machin faces losing a substantial proportion of his pay — is yet another example of the disruption that such action can cause. While speculation continues about who exactly was behind it, and behind similar attacks on other groups, it is a reminder of how vulnerable even the largest organisations are to hacking.
Coming at a time of great political and economic uncertainty, the last thing already over-stretched executives need is another issue to keep them awake at night. But the fact remains that the more we all rely on technology, the greater the risk of it turning around to hurt us. Moreover, such is the pervasiveness of that reliance that abandoning technology in search of total security is just not an option. Organizations just have to learn to live with it and to create systems that minimize the risk of successful attacks in the first place and then isolate the incursions so that they do not take down the whole enterprise.
One of the reasons that these attacks receive so much attention is that they almost invariably involve breaches of customer information. This is not only understandably worrying for the customers but can also have a serious effect on the organization’s reputation.
Some idea of how difficult it is to deal with a threat that is both ever-present and ever-changing is conveyed in research published earlier this month by SurveyMonkey, the platform for surveys and forms. While 95% of U.K. businesses said they understood and met all requirements of the General Data Protection Regulation, more than half admitted to experiencing data-related issues since the regulation was introduced seven years ago. Of these British businesses, 16% had faced the consequences of a GDPR-related fine or penalty and 18% had experienced an official warning or investigation by a data protection authority.
In an interview, Eric Johnson, SurveyMonkey’s CEO, accepted that the introduction of the regulation had shaken the technology industry and that the rules could be expensive to adhere to and pose a challenge to how things were done. But he added that his company regarded compliance as a cost of doing business, and urged companies to adopt best practice. SurveyMonkey claims to have had a strong security and privacy program for some time, but it has responded to customers’ desire for more transparency by launching the Trust Center as a one-stop hub offering guidance, resources and security assurances for businesses dealing with the difficulty of keeping abreast of legislation and customer expectations.
One particular issue arises from technology constantly both doing more and posing more of a threat. As a result, businesses could not set up a program and then forget about it, said Johnson. While pointing out that the majority of U.K. businesses were concerned about using AI, he added that there was an opportunity to “fight fire with fire” by using the capability of AI to help with the detection of risks.
In the end, though, it appears to come down to vigilance and trust. Indeed, 92% of the U.K. businesses questioned by SurveyMonkey said that adhering to GDPR and data privacy laws had given them a competitive edge by strengthening customer trust, with 85% confident that their clients fully trusted their data privacy practices. Moreover, they were working hard to vet third-party vendors. Although 91% of businesses felt confident in their service providers’ handling of data, 89% insisted on clear proof of compliance and security before partnering and 78% had cut ties with vendors over concerns about GDPR or data security.