Cyber Monday is upon us, which means millions of consumers the world over will enter their credit card details into retailer’s websites, hoping to get the best deal on everything from TVs to toys. Retailers have been flooding our inboxes with deals and last-minute discounts, hoping to entice us onto their sites and part with our cash. And after today, the offers won’t end – we’ll be reminded continuously for the next few weeks of deals and offers as the UK high street attempts to capitalise on our festive generosity.
Advice to businesses over the last few years has focused on ensuring website platforms are resilient enough to cope with a surge in demand. Corporate red faces in past festive shopping periods have previously been reserved for those retailers that couldn’t keep up with demand. But these days, we’ve seen a much bigger corporate reputational risk emerge.
While Black Friday weekend used to be reserved for store visits, 80% of consumers now choose to buy online. Last year, UK consumers spent almost £1.5bn online in one day, with this figure expected to treble this year. The reality of our evolving shopping habits, and the exponential growth of our data footprints, means that consumer data is more at risk than ever. Some dubbed Black Friday as “Hack Friday”, with the flurry of online activity also attracting those wishing to steal consumer details in bigger numbers.
Consumers are being advised not only to check that deals are genuine and offer good value, but that the retailer’s website is trustworthy. However, as millions reach for those online baskets, research shows that consumers are more likely to put discounts before data privacy. And yet, consumers will hold retailers to account if cyber security procedures are found wanting.
What happens when a cyber breach occurs?
Companies need to be aware that if a breach occurs consumers will look to them to notify them, provide details of what happened, and reassure them that they’ve fixed the breach. Lost trust means lost revenues, so it’s imperative that companies to get this right especially during such a critical sales period.
Of course, the first step in avoiding a cyber breach is to have the right operational and cyber security measures in the first place. Fortunately, we’ve seen cyber security rise up the corporate agenda, with many companies employing experts to prevent attacks from happening in the first place. But, attacks are still commonplace.
In the last month we’ve seen airlines, online retailers and local government suffer breaches in one form or another. So while there’s clearly a pressing need for companies to improve internal resilience and security, coping with the aftermath of a breach is almost as crucial. As many technical experts will tell you – for most it is a matter of when there is a breach rather than when.
A loss of consumer trust is just one side of the coin. The potential damage is compounded by the risk of failure to comply with the duties set out by GDPR, which brings with it not only potential very large fines of up to 4% of annual turnover, but the public scrutiny of government, customers, shareholders and the media. Scant business news over the festive period means that media scrutiny of any festive cyber breach has the potential to be intense.
How to respond to a cyber breach
Responding to a data breach requires companies not only to act appropriately in the event of a breach - by self-reporting and informing customers or clients, for example. But crucially, companies are also expected to have taken steps to reduce the risks of a data breach happening in the first place and ensure they have the right reporting mechanisms in place if it does.
Companies need to make sure that they have considered what would happen in the event of a data breach. Do they have established protocols internally for rapidly mobilising an incident response team to deal with such a situation especially during the holiday season?
This incident response team should be made up of IT, business management, legal and communications as cyber security is no longer simply a technical issue and alongside IT, legal and communications teams will have a critical role in managing the impact of any breach. Do the incident response team members know their roles, and do their deputies also know what to do? In the holiday season it is very possible that key staff will be on holiday if an incident occurs.
Companies should consider how they would report a personal data breach to the Information Commissioners office within 72 hours of becoming aware of it (under GDPR) and how they would communicate with their customers, suppliers and staff if needed?
The last quarter of the year is a vital time for retailers in terms of sales, but to ensure a happy festive season for everyone, crisis management planning around cyber security should be on everyone’s Christmas list.