ITPRO

Printed from www.itpro.co.uk


    Analysis: Cotton Traders hack a warning for business

The cyber-crime attack on Cotton Traders' website shows that companies need to do more to protect their data – and be better prepared for a data breach.

By Stephen Pritchard, 16 Jun 2008 at 03:07

But analysts also believe that the number of attacks against online credit card processing systems, and the fraudulent use of fake cards online, is increasing as a result of the success of Chip and Pin in cutting fraud on the high street.

This could be tackled by introducing Chip and Pin for remote, or “cardholder not present”, transactions. However, banks have been reluctant to do so because of the costs involved, and because it is the retailer, not the bank, that carries the cost of a fraudulent online credit card sale. Retailers alone, though, would not have the resources to prevent online card fraud altogether.

Reputational damage

What businesses can control is the way they react to an information security breach and how they go about limiting the damage. “Damage to consumer confidence and to business, especially within financial services, has been increasing (from fraud), although the full impact of e-crime is not widely understood,” said Tom Salmond, a manager in e-crime and fraud technology at Ernst & Young.

Companies should, for example, look at how well their systems can respond to changes in security threats. Ernst & Young advised using fraud detection technologies that allow “power users”, rather than IT, to update rules.

But organisations also need to update their business continuity plans to ensure that they cover information security failures, as well as physical threats such as fire or theft. A serious IT security breach might involve taking servers offline or suspending trading, yet not all businesses plan for such scenarios. Chief executives and chief information officers need to accept that, whilst they try to prevent hacking attacks, the business needs to be prepared if one does get through.

“Companies need to strike a balance between risk and responsiveness,” said Stuart Anderson, from the defence and security practice at PA Consulting. “They need to focus on responding in the appropriate manner when things happen – there will always be unexpected events.” Prevention, recovery from an event and crisis management are all essential parts of a plan, he added.

And companies also need to look beyond IT, even if IT systems lead to a data breach. The technical fix to a hacking attack might be relatively quick to apply, but reputational damage can last much longer.

No-one can prevent every conceivable breach. But a quick, clear and open response to customers and shareholders can do much to shore up a company’s reputation. This is a lesson that managers of SMBs should have learned, again.
