Colonial Pipeline Attack Shows Importance
By Ross Palmer.
It would be hard to imagine a more vivid example of the potential consequences of a cyberattack than those that resulted from the Colonial Pipeline ransomware hack.
Colonial Pipeline is a 5,500-mile-long network carrying diesel, petrol and jet fuel across the southeastern United States – 45% of the East Coast’s supply in total. Like all modern long-distance pipelines, it relies on a computerised network of pressure sensors, thermostats, valves and pumps to monitor and control the flow through its pipes. Like many such systems, Colonial’s is connected to its administrative network, which made it vulnerable to cyberattacks.
On 7 May, Colonial was forced to shut down the entire pipeline to try to contain a ransomware attack perpetrated by an Eastern European group of hackers called DarkSide. They then paid $5 million in Bitcoin to the ransomers, who released a decrypting tool that slowly allowed Colonial to regain access to their computer network and restart the flow through their pipelines.
The fallout from the incident for both Colonial and the public was severe, with widespread gas shortages – and attendant price rises – and emergencies being declared in several states. But worryingly, it’s far from an isolated incident. In the past year, according to cybersecurity firm Bitdefender, there has been a 485% increase in registered cyberattacks of every kind and level of severity: from malware, phishing and fraudulent websites to direct hacking attacks.
This may be partly explained by the coronavirus pandemic, which has left both our work and personal lives increasingly dependent on technology to keep us connected to the world outside our homes. Many organisations do not have appropriate security in place, allowing staff who are working remotely to access business information on personal devices, without even the use of a VPN.
These are the perfect conditions for cybercriminals to exploit; indeed, a recent survey by MalwareBytes found that 20% of surveyed organisations had faced a security breach in the last year as a result of a remote worker.
Who is Most Vulnerable to Cyberattacks?
According to research by BlackFog, ransomware attacks in 2020 were most heavily targeted at the government, manufacturing, service, education and healthcare sectors, with serious data breaches at organisations including Marriott Hotels and the World Health Organization making the headlines. However, it would be a mistake to assume from this that cybercriminals are only targeting the big fish. Any organisation is potentially vulnerable to a cyberattack, particularly those whose defences are weak.
The sharp rise in remote working as a result of the Covid-19 pandemic has increased the number of potential vulnerable points in digital systems, but any business that lacks good data discipline and has poor procedures, especially regarding passwords, are all-too-easy prey for sophisticated hacking organisations. High levels of errors, rework and waste go hand in hand with a lax attitude to security, both physical and digital, and indicate a need for a business-wide tightening up – both in attitude and practices.
Guardians of Data
In 2021, to say that data is as crucial to businesses as any physical asset perhaps underplays just how important it is, and this is particularly true of customer data. When a business gathers data from its customers, it assumes a position of responsibility for it. Customers, clients and partners will not quickly forgive those organisations that fail to show appropriate diligence in caring for their personal data.
The Information Commissioner’s Office fined BA £20m for the 2018 cyberattack that compromised the data of 400,000 of its customers – including this writer’s – while Marriott Hotels was fined £18 million for its 2020 breach and Talk Talk £400,000 for failing to prevent its 2016 hack. But in all cases, the biggest damage incurred was loss to reputation. Plenty of customers – again, including this writer – will have serious reservations about trusting BA with their data in the future, and will book flights with a different carrier if possible. In this way, businesses continue paying the cost of a cyberattack long after the immediate consequences of the incident itself have been dealt with.
Data intelligence company Morning Consult recently published the results of a survey of 15,000 consumers. The top item in its list of factors that drive brand trust is “Respects and protects customers’ data, privacy and security”, cited by 74% of respondents. “Protects my personal data” was just behind, on 73%. Unsurprisingly, the biggest factor that breaks trust is a data breach (-73% of net trust).
This shows the importance of data security and privacy to customers, and demonstrates that data security is not an optional add-on; it is an integral part of the customer experience. As consumers, we expect those whose goods we purchase and services we use to look after our data responsibly and conscientiously. We expect, too, that businesses will be able to defend themselves against ransomware and distributed denial-of-service (DDOS) attacks. When they can’t, and their services go down (as Colonial Pipeline’s did), customers will naturally question everything else about the organisation. So too will clients, partners and investors.
Accurately gathering data on customer expectations and then measuring performance against those expectations allows companies to identify where they must improve their processes and skills. This is true for data security, just as it is for any other aspect of the customer experience. Businesses that are not doing this are in danger, both from losing customers to competitors with better data security processes, and from the worst-case scenario: a breach of digital security, whether malicious or self-inflicted.
What Should Companies be Doing?
Organisations that do not know or understand their customers’ expectations will not be able to make the right decisions. This goes for all areas of operation and every aspect of CX, including security of data and systems. However, gathering and understanding customer expectations requires effort and investment of resources; half measures are not enough.
Leadership must be committed to understanding what customers’ expectations are, and aligned on the strategy needed to meet those expectations. Communication across the company is crucial so that team leaders and departmental managers share the same understanding as the senior leadership team, to keep the whole organisation pulling in the same direction.
Also vital is a serious approach to the business of security – in terms of both the company’s own data and its customer data. It must be ingrained within the company’s culture. This will not only help companies to keep their own data safe, but will also create value for clients, partners and customers by role modelling best practices regarding data security.
Finally, organisations must understand that expectations evolve, and that processes and procedures must evolve with them. We have seen this demonstrated time and again during the coronavirus pandemic, as we’ve spent more of our lives online. We expect to be able to communicate online. We expect to buy all kinds of goods and services online. We expect to access financial advice and information online. As we do these things, we entrust more and more companies with more and more of our personal data, and we expect it to be stored securely.
Any organisation that fails to understand the security implications of this evolution is playing a dangerous game indeed.
The Costs of Getting Data Security Wrong
As we have seen, the biggest cost to organisations that fall victim to a cyberattack is the damage to their reputation. Reputations take years to build and can be lost overnight, as BA and Colonial Pipeline have found.
But hand in hand with loss of reputation goes the loss of customers, who will look for alternative providers, and loss of revenue – an inevitable consequence of customers, clients and partners rethinking their relationships and going elsewhere. This is before we consider the fines that must be paid to regulators, increased insurance premiums, potential loss of intellectual property, increased cost to raise debt, and the hours that must be dedicated to repairing the damage to systems and making them secure, among numerous other hidden and intangible costs.
With IBM’s 2020 Cost of Data Breach Report putting the average total cost to businesses at $3.86 million, it’s clear that companies should therefore view the financial resources required to ensure data security not as a cost, but as an investment. Its ROI may only be defined in comparison to the potential costs of not making that investment, but businesses cannot assume that they won’t ever have to pay those costs. As the Colonial Pipeline, BA and WHO attacks show, the worst can happen – and is happening increasingly often.
The Benefits of Getting Data Security Right
Understanding customer expectations regarding data security, and all aspects of the customer experience, is not an easy task. Generic tools such as off-the-shelf surveys won’t get you the data you need, and strategies born from internally held assumptions about what matters to customers, clients and partners can leave your business moving determinedly yet misguidedly in the wrong direction. Aligning leadership so that everyone understands the business’s strategic objectives can likewise be a difficult task.
Yet the benefits of meeting your customers’ expectations regarding cybersecurity are clear. Companies that embed best data security practices within their daily operations, and recognise customer data as the most precious resource they have, will be able to proceed from a position of strength their less-prepared rivals cannot share. They will also have reduced the vast financial risks of a cybersecurity incident. In 2021, this may well be the greatest competitive edge a business could have.
If your business needs help understanding customer expectations, aligning teams and departments, and establishing processes and procedures to ensure data security, talk to us today.