Dixons Carphone, explaining its massive cyber security breach in a full page notice in today’s Times, says: “We’re extremely sorry about what has happened – we’ve fallen short here.” They’re right, they have – not least in the fact that it apparently took them until this summer to identify a breach that occurred in 2017.
Taking steps to shut the stable door after the horses have bolted, Dixons Carphone is trebling its investment in cyber security. Trebling – on top of the expenditure on advertisements, breach reporting, regulatory fines and, of course, the inevitable reputational damage. And this sort of debacle tends to be not so good for the careers of senior directors – particularly those responsible for cyber security, compliance and risk management.
There are two obvious lessons to draw from this mess:
- You’re going to be attacked – and, even though you think your cyber defences are adequate, you’ve probably already been breached.
- Treble your expenditure on cyber security NOW – it will cost less than if you are forced to do it later, when you will also have to absorb all the non-value adding costs of dealing with a reputational and regulatory disaster like this.
What should you do? Invest in ISO 27001 certification, BS 10012 certification, regular internal and external penetration tests, repeated staff training and awareness (e-learning), and well-prepared incident response teams.