A recent story from the United States described a sophisticated hack that led to share price manipulation and thousands of people being duped into buying or selling stocks.
As corporate hacking becomes an everyday incident, every chief executive should be sitting up and thinking about their own business.
In this blog I want to look at the business impact of technology risks and what you should be checking and doing in your business.
In the summer the papers were full of Ashley Madison stories – this is the ‘online discreet dating and extramarital affairs’ site. The media presented the Ashley Madison dilemma as a morality tale. The revelations were wide-ranging, from the fact that 40,000 ‘women’ had just six email addresses to reports of two suicides in Toronto attributed to leaks of their extramarital affairs. The leaks were embarrassing for many and tragic for a few.
We should all learn from Ashley Madison – not because private lives might be exposed but because a company’s very survival may be at risk. What Ashley Madison shows is the danger of not putting cyber security front and centre of business risk. It was not as if their bosses didn’t understand hacking risks – apparently they had hacked a number of their competitors.
Why were they so blind to the threats to their own business? In a PwC survey 69% of CEOs said they were concerned that cyber security – including lack of data security – was a threat to their growth. Does that mean 31% of CEOs have their heads in the sand?
Sony dismissed the cost of last year’s hacking as ‘not material’ at $15 million. But that is the measurable cost of reparation. What was the damage to relationships with the likes of Angelina Jolie – called a ‘minimally talented spoilt brat’ in one executive’s leaked email? Or to the credibility of those trying to attract talent to their studio and negotiate contracts? To say the least.
The financial story in the United States is perhaps even more chilling because of its subtlety. Hackers stole 10 million customer e-mail addresses from Dow Jones, 4.6 million from Scottrade and more from JPMorgan Chase and E*Trade Financial.
From 2012 to mid-2015, the suspects and their co-conspirators (the case is ongoing) manipulated dozens of publicly traded stocks, sent misleading pitches to clients of banks and brokerages whose e-mail addresses they’d stolen, and profited by using trading accounts set up under fake names, prosecutors say.
The others mentioned here were by more sophisticated and dangerous types.
Just look at this Bloomberg article on the worst corporate hack attacks in 2014/15 to see the enormous scale of this problem – the one that hits me is eBay, which had 145m records stolen. And just look at how the share price drops as each hacking announcement is made.
So what should your business do? I have covered a lot of the principles in my report, March of the Robots … into the Boardroom.
This is not about getting ‘cyber consultants’ to work with your IT team. Board members need to be as comfortable with technology as they are with the finances. This doesn’t mean every board member has to be able to prepare a profit and loss account – but you expect your executives to look at the P&L and interrogate it intelligently, spot the gaps, challenge where your money is going.
And you probably need to start working with a lot more young people – they will spot your gaps and won’t be afraid to ask the stupid questions.
Don’t rely on your IT teams. Start learning and being interested. You could save your job and your company’s reputation, and protect millions of your customers as well as your share price.