2014 saw the damage caused to brands by hacking reach new heights, for example the compromising of the personal records of 109 million customers of US retailer Home Depot and up to 145 million users from eBay. What is new is not only the scale of the breaches, but now the overt involvement of nation states, with North Korea suspected of instigating the Sony crisis.
The scope of attacks has widened too: the risk to brands is clearly no longer only the theft of credit card details. The Sony hack in November included theft of its core product, in the form of the unreleased film Annie, as well as a haul of competitively sensitive material such as marketing plans and contracts with suppliers.
These are the stories that get out into the public domain and make the headlines, and companies are often reluctant to talk about this kind of problem. Ask the right people at big international brands, however, and some will have their own stories of attacks, occasionally including tip-offs from the security services.
This level of activity is beyond what many brands’ crisis management plans were designed to cope with. There has been plenty written in recent years of the need for crisis management to evolve to take account of the development of social, so I won’t repeat it here. By having robust processes and plans in place, brands can manage consumer reaction and mitigate pressure groups’ attempts to garner sympathy for their particular cause.
Social can obviously amplify the impact of a vocal minority but, while there are many notable exceptions, the raising of issues by effective campaigns that resonate with consumers can prove beneficial. In fact, in my experience they are often more effective than their organisers realise in getting noticed and finding a place on the agenda of senior management.
Hacktivist groups such as Anonymous do, of course, already use social as a tool, but the number of brands finding themselves affected by denial of service or website defacement is going to increase. The groups’ objectives are often political and use technology to encourage protest, activism or civil disobedience. The sheer number of brands means there will never be any shortage of conflicts between what certain brands are perceived to be promoting and the protest groups’ ideologies.
Criminal activities might seem a more straightforward and obvious threat needing to be countered, but there is a blurring of categories, driven at least in part by the difficulty of identifying the offending parties.
The entry of a nation state into a situation is nothing new. FBI director James Comey famously remarked a few months ago that “there are two types of big companies in the United States … those who’ve been hacked by the Chinese and those who don’t know they’ve been hacked by the Chinese”. What is new is the blatancy of North Korea’s suspected attack in the Sony episode. Can we suppose the UK or any other major economy will be immune?
It is certainly no longer the responsibility of only the IT department to be aware of the risks and issues and to play a part in mitigating them. One of the first steps any organisation needs to take is to educate its workforce, including marketers, about potential threats and how to counter them.
As the digitisation of businesses and society accelerates in the next few years, it will be essential for even smaller brands to see systems and data security as a core part of their strategy.
Trust is a key part of any brand’s relationship with its consumers, and incidents like those outlined in this article will become more frequent, and potentially more damaging, to businesses and the wider digital economy. We need to be ready to cope with them.
Alex Tait has worked in senior digital roles at Kellogg Company, Arcadia, American Express and the Post Office.