In our post of 31st December 2015, we discussed the lessons learned from the TalkTalk cyber attack debacle. Now TalkTalk have published their Q3 results, offering a truer picture of the costs to date.
The telecoms company's original emergency damage forecast in November was £30-£35 million (largely for unconditional free upgrades for customers and £15 million in reduced trading revenue). This has now been doubled to £60 million.
Additionally, and to little surprise, there has been significant reputational damage, resulting in the loss of 4% of their customer base (some 101,000 customers) following the attack.
Recovery will be slow: despite City share prices rising 5% this morning, that rise follows a 30% drop after the attack at the end of October 2015.
This comes in a week in which it was revealed that two other organisations had felt the pain of an attack:
• Lincolnshire County Council’s systems were shut down for four days following a malware attack contained within an email and a document that was opened in error by staff. The £1m ransom was not paid and staff have been working off paper all week. CIO Judith Hetherington-Smith said: “People can only use pens and paper, we’ve gone back a few years. [The attack] happened very quickly. Once we identified it we shut the network down, but some damage is always done before you get to that point – and some files have been locked by the software. A lot of the files will be available for us to restore from the back-up.”
• HSBC was also hit on Friday 29th January, when customers couldn’t access their personal bank accounts. It was a DDoS attack, and whilst HSBC sought to assure customers on Twitter, stating they “successfully defended their systems”, the restoration process then caused considerable disruption for their customers. The timing couldn’t have been worse for many: the first pay day after Christmas, and the last working day before the tax return deadline.
What this amply illustrates is the urgent need for businesses to change their behaviour: instead of relying on a dim hope that they won’t be the target of an attack at some point in the future, they should assume they will be attacked.
NB. Whatever the size of your company, you are at risk. Ensure that proper IT governance steps are undertaken: pen testing and robust cyber defence software, allied to round-the-clock monitoring and threat intelligence, put you in a stronger position defensively and give you an agile stance for responses. That way you start to stem financial loss and costly reputational damage.