The consequences of phishing can be severe…
It’s widely reported, for example, that tech giants including Facebook and Google sent as much as $100m directly to criminals following a spear phishing campaign that went on for more than two years.
More often than not, though, the criminals behind phishing attacks aren’t attempting to steal money from companies at all. Instead, they’re attempting to steal something much more valuable: data.
When phishing attacks successfully trigger data breaches, the consequences for businesses can be severe.
Following the announcement of a data breach, a company’s reputation immediately takes a hit.
Headlines like “British Airways data breach: Russian hackers sell 245,000 credit card details” and “Uber concealed massive hack that exposed data of 57m users and drivers” become mainstream news stories… no matter how formidable a company’s PR department might be.
The reports can take years – decades, even – to fade from memory. As long as they linger, they influence public opinion.
Loss of custom
Reputational damage is really just the beginning of the backlash.
News of a data breach tends to make customers nervous. In November 2017, two months after a high-profile breach at US credit reporting agency Equifax, as many as 40% of credit card holders said they didn’t trust Equifax with their financial information at all.
Similarly, after 157,000 of TalkTalk’s customers had their data compromised in 2015, customers left in their thousands. The company’s eventual financials revealed the true cost of the breach to be around £60m in 2016 alone. The ramifications, as you can imagine, will continue for years to come.
Loss of company value
Breaches don’t just affect consumer confidence. They impact investor confidence, too.
Following the compromise of Facebook user data in 2018, Facebook’s valuation dropped by $36bn – a loss from which (at the time of writing) the company is yet to fully recover. In public companies, the pattern is clear: following a breach, company value decreases.
Financial penalties for the misuse or mishandling of data have been in place for decades. Under GDPR, the penalties can total €20 million or 4% of a company’s annual global turnover – whichever is higher.
GDPR is a relatively new framework and, at the time of writing, we’re yet to see how sizeable fines following data breaches might be. If regulators choose to issue maximum penalties following breaches (as they did under the Data Protection Act following the misuse of data at Facebook), fines could be substantial.
No matter how small a breach might be, breaches inevitably lead to business disruption.
After being infected by malware in 2017 (most likely following a phishing email), the advertising multinational WPP instructed its 130,000 employees to “immediately turn off and disconnect all Windows servers, PCs and laptops until further notice.”
It took the company days to resume normal service.
Safeguarding against phishing
Phishing filters can help but, unfortunately, no phishing filter is 100% effective.
Clearly, though, the people who receive phishing emails have the power to identify, report and neutralise the phishing threats that filters fail to spot.
For a long time in cyber security, people have been seen as a weakness. By treating people as a defence, businesses can arm people with the tools and training they need to counter phishing threats.
More and more security experts are adopting the idea of people as a defence. In time, we believe the trend will continue.
After all, the consequences of phishing can be severe.