Investors have watched the fallout from Facebook’s handling of its latest data breach scandal with interest, worried that senior management at listed businesses around the world are even more poorly prepared to handle such a breach than the social networking behemoth.
Since the Cambridge Analytica story broke in March, Facebook has been slapped with a fine, seen a slowdown in user growth, and has become the punching bag for commentators looking for a tech giant to blame for all society’s woes from Brexit to Donald Trump. The “big blue app” may hold details on more users than any other company, but if a company that employs a number of the world’s most talented software engineers could fall foul of bad actors and hackers looking to steal information, what hope is there for older companies that have only recently turned digital?
The recent Facebook revelations are the latest in a series of hacks that has seen millions of people’s names, email addresses, and sometimes passwords and other information exposed. LinkedIn, Yahoo, Google, Adobe, and many of the other leading lights of technology have had their user databases compromised over the past decade. And these scandals have left huge troves of personal information available on the dark web at depressingly low costs.
The most recent large-scale scam to take advantage of this data was an exercise in simple extortion. One or more hackers with access to these databases of names, emails, and passwords, sent out simple mail-merged emails to potential victims, addressing them by name and most worryingly included their own password as a measure of “proof” the scammer had the details they threatened to expose. People are aware that they should use different passwords for every account, but in reality, the large proportion of people use the same word or phrase for each account and when they see a message from someone claiming to have private information on them, publishing that password can scare many people into acquiescing to the hacker’s demands for up to $3,000 in Bitcoin.
This scam highlights just how easy it is to get hold of private information on millions of people in today’s world, and governments have begun to act to protect their citizens against the lax security policies of many well-known companies. The European Union has led the way with the introduction of the GDPR, which imposed a duty on all organisations to report such breaches to the relevant supervisory body within 72 hours, and also inform the users affected “without delay”, and many other countries are following suit.
These regulations have given investors further impetus to examine the digital risks and data security procedures of companies in which they hold shares. A corporation found to have failed to protect its users’ information will now have to face both a backlash from consumers angry about their details being leaked and a series of fines and other measures aimed at punishing those found to be lacking.
Historically, it has been difficult for investors to understand the digital risks of their investments because board directors have not been prepared to talk about such issues. However, with high profile breaches hitting the news seemingly every month, and legislators now starting to show their teeth on the issue, investors have begun asking tough questions about how firms are handling the rapid pace of technological change, and boards have been forced to engage with the issue.
Cyber security is slowly moving out of the realm of the line “tech specialist” and into the wider business world, as investors and management begin to understand that a breach could not just be embarrassing but also expensive in both financial and reputational terms.