Don’t ask, don’t tell

British businesses are immune from cyber-threat. They must be, because when I sit down to compile the list of recent compromises I use to support my talks, the examples are always American. So it can’t possibly be happening here.

Never mind the Barclaycard-backed survey that reported that 48% of the surveyed businesses had been hit by cyber-crime, some repeatedly. Forget the IOD report that says, amongst other frightening numbers, that fewer than half of businesses provide security awareness training to staff. Ignore occasional outliers like TalkTalk, StaySure, Morrisons and Carphone Warehouse – oh, and Lincolnshire County Council.

My list for my next talk, covering point-of-sale malware, malvertising, ransomware and DDoS amongst other nasty threats, looks like this:

Target; Michaels; Goodwill; Wendy’s; Rosen Hotels; Hyatt; Safeway; Starwood (Sheraton, Westin, W Hotels); Four Winds Casino; America’s Thrift; Trump; Hilton; Staples; Home Depot; PerezHilton.com; GoDaddy; WBTV Charlotte; KMOV St Louis; AdsTerra; Taggify; LiveJournal; Likes.com; MSN; New York Times; AOL; NFL; The Weather Network; The Hill; ZeroHedge – Lincolnshire CC; Hollywood Presbyterian Hospital; Lansing Water & Light

This is in no way a comprehensive list: I compiled it quickly, using public information sources and picking the first couple of pages of hits. So why is it almost all Americans? Why so few UK businesses? Why so few Europeans? The answer is disclosure law. We don’t have one; the Americans, although it varies by state, generally do. If a US company is breached and loses consumer data, it has to tell the consumer, and therefore the media.

As a result, we know a good deal about the state of cyber-security in the US. And because they have to tell consumers, most US companies automatically offer to pay for identity theft cover for customers whose data has been breached, so it’s not just security researchers who benefit.

Warren Buffett famously said that it’s only when the tide goes out that you find out who’s been swimming naked. The tide is, finally, on the ebb. In 2018 the European General Data Protection Regulation introduces a disclosure law. Companies will have 72 hours to tell the regulator if they are breached, and if there is a high risk of loss to consumers, they’ll have to tell them, too.

Come 2018 I expect we’ll see a good number of UK firms with their pants down, and the list in my talks will suddenly seem much more relevant to their audiences.

Will you be in my 2018 list?
