In October 2015, the cyberattack on telecommunications company TalkTalk compromised personal information belonging to more than 150,000 customers. Furthermore, almost one in ten of those customers had their bank account numbers and sort codes accessed. TalkTalk profits halved following the attack, and pre-tax profits fell to £14 million in the financial year of the attack (down from £32 million a year earlier). After losing 95,000 customers in the third quarter as a direct result of the hacking, the company's share price did eventually recover over time. Even though the breach was not as harmful as initially feared, the TalkTalk reputation took a serious hit, especially when it emerged that a teenage hacker was behind the attack. TalkTalk was not helping the situation by stating that they did not know how many customer records were actually affected as a result of the attack. The Information Commissioner’s Office issued a £400,000 fine to the company for the security failings. This example shows how fragile brands could be in the current digital economy and how a teenager can do much damage to a well-established brand if this teenager is armed with a cyber tools.
Consequences of Losing Control over Your Brand
The brand attacks can create follow-on problems and legal claims that may have a serious impact on the directors and c-level executives of the company. The 2015 cyberattack by the activist hacker team calling itself “The Impact Team” threatened to expose the identities of 37.5 million users of the notorious Canadian-based extra-marital dating website Ashley Madison. On August 18, 2015 and August 20, 2015 the group leaked more than 25 gigabytes of company data, including user details. The attack was allegedly instigated by the activists to demonstrate the claim that customers of Ashley Madison could use a “full delete function” for $19 in order to remove their identifying information from the company's systems permanently was false. The attack came just two months after another dating site, AdultFriendFinder, was hacked, and as Ashley Madison was considering a $200 million initial public offering on the London exchange later that year.
The cyberattack forced its chief executive, Noel Biderman, to resign in August 2015. Already under pressure after details of the website’s 37 million users had been stolen and dumped online, his personal integrity also came under fire when leaked emails raised questions about his own marital behavior. The share price of parent company, Avid Life Media at the time saw its share price halved since the data breaches emerged and were facing the prospect of multiple legal cases of class-action lawsuits against Avid Dating Life and Avid Life Media, the owners of Ashley Madison.
The attack also exposed a number of ethical issues, which had their own negative impact. Several suicides were reported, including in Toronto, where two unconfirmed suicides were linked to the data breach, in addition to “reports of hate crimes connected to the hack”. And there was also an unconfirmed report of a man committing suicide in the US.
The Rise of Intellectual Property as the Source of Value
Denial of services, data breaches, and ransomware are insidious attacks; but they are also theoretical. I may or may not suffer from a DoS attack; I may or may not be the victim of ransomware—this is how businesses think. In a way, they try to deal with "real" or "more immediate" risks as opposed to "assumed" or "more distant" risks. However, there is another aspect to this — intellectual property.
As businesses move from selling "things" to selling services, in the contemporary digital economy the intellectual property becomes the sole point of value. The container, device, vehicle, building, or location is just means by which a business or an organization can hold or generate an IP together with its associated experiences. So, the protection of intellectual property is becoming increasingly important.
Protecting IP in the current circumstances is difficult (you can trust me here as I have written a book and quite a few papers) and usually involves, but not limited to the following types of risk-measure pairs:
The cloning risk: inhibiting cloning
The counterfeiting risk: preventing counterfeiting
The overproduction risk: preventing overproduction
The disclosure risk: using strong non-disclosure agreements
The patent copying risk: due care when filing for patent to avoid copying
The innovation speed risk: Working rapidly to develop innovations to remain competitive
The insider risk: Using separate teams to de-risk the possibility of employees, ex-employees, or contractors walking away from the company with IP
The access breach risk: using strong access control to store manuscripts, creations, and ideas in a safe place that is protected by an identity and access-management solution (the majority of all data breaches start with the theft of credentials)
The IP lock-in risk: using open-source
The third-party risk: using organisational separation
The shared IP ownership risk: Avoiding joint ventures to reduce later risks of shared ownership and legal issues.
To give several examples of how harmful the brand-related cyber threats might be, let us consider the following. A door opener locksmith company in Japan discovered that an ex-employee has stolen their intellectual property and set up his own company in Iran to make the same products. In another case, the Massachusetts based robot vacuum cleaning iRobot Roomba produced 600,000 robots in 2016 but 1.2 million were sold in China, a case of grand larceny. Interestingly, the software was identical, utilising commercial off-the-shelf chips, and the plastics were indistinguishable. iRobot also filed legal cases of IP violations against Hoover and Black and Decker, including misuse of its obstacle detection system, brush designs and navigation controls.
In a third case, an industrial controls company learned that people, who were overproducing or cloning their products, were also injecting them into the legitimate distribution channels, i.e., they were great at adding these counterfeit products to the existing market supply chain. The initial impact was a loss of sales. Then the brand owner company started receiving support calls from customers who had bought the cheap knock-offs, complaining that the products had stopped working. Customers thoughts they bought authentic products, but in fact they purchased fakes. The brand owner then had to incur significant losses of sending out repair vehicles to the industrial control systems in order to establish why they were not working. Unable to locate the problem, they had to issue and install replacements. So, not only had they not sold the initially bought items, but they also had to replace them, thus incurring both production and reputational losses. It was only when they subsequently carried out an investigation that they realised it was a clone, which was produced based on information obtained through the cyber breach.
In the modern digital economy, it is not the components and the materials but the software and the brand that produces value. Yet, software, data, and even company secrets can be stolen, and the brand can be damaged. This is particularly an issue for large original equipment manufacturers (or OEMs): they can work out all possible scenarios, but how much are they prepared to spend to protect themselves? On the one hand, they don’t know if cyber attacks on their brand will happen and it is hard to communicate the potential risks to the company board. On the other hand, they may spend hundreds of millions or more on R&D. Then the question is - would you like to protect those R&D investments of hundreds of millions and stop being ripped off? Paying a bit extra per device to protect it is usually good idea (e.g., installing digital or even physical signatures, which would allow to track the product over time). In a way, it is like the second amendment for the digital world — the ability to protect the freedoms of the spaces and things we use as well as the rights we hold.