'The damage to reputations will put companies out of business' - cybersecurity expert Graham Cluley on GDPR fines
Award-winning blogger will talk channel partners through how to position their security offering in the age of huge fines at CRN's Channel Conference MSP
Many businesses could see their reputations left in tatters if they fail to shore up their defences and are hit with crippling GDPR fines, according to cybersecurity expert Graham Cluley.
Cluley will be sharing his insights at CRN's Channel Conference MSP in London on 2 October, and offering a behind-the-scenes look at some of the highest-profile hacks of recent years.
Resellers and MSPs can register to attend the event free of charge here.
Speaking to CRN ahead of the event, Cluley, host of the hit podcast Smashing Security, said it is essential that the narrative of large-scale data breaches is changed.
"The press will write about the statement from the company, and they will write about the number of records that were breached, and whether it was credit card details, but what often doesn't get covered - because it may take months until it comes out - is how it actually happened," he explained.
"If we don't learn how a hack was pulled off, how a heist was committed, we're really missing a trick.
"If we don't learn the methods the hackers use, and understand the failings that happen inside our organisation, then we are really up against it in trying to protect against these sort of things."
Cluley said that a lot of media coverage around large-scale hacks tends to focus on the "outlandish" attacks, which can often only be carried out by state-sponsored criminals.
He added that few companies are likely to be targeted by governments, so more attention needs to be paid to the more rudimentary attacks which, while not necessarily spectacular, can siphon off large sums of money and cripple a business.
"You don't need to be an expert in writing malware to steal millions from a company," he said.
"There are frauds you can commit as a cybercriminal that don't need much more know-how than the typical email from Nigeria that we have all received.
"Anyone who can write those emails could be putting those skills into scams which we have seen steal millions. You just need a bit of brass."
The void between the media coverage and how a hack actually occurred creates an opportunity for the channel, Cluley explained.
But he said salespeople are too often drawn into the technicalities of a cybersecurity offering.
"It's very easy to get bogged down in feature sets and bullet points which, even if you work in this industry, can be yawn inducing," he said. "It becomes techies talking to techies and we need to break out of that because we don't really need to know what is under the hood.
"We are forgetting that we actually need to communicate on a human level. What people love more than anything is to hear stories. That has worked for thousands of years and people learn from them.
"Rather than giving people fact sheets, go and talk to them about the stories of real-life companies that have been hacked. They'll think 'that could have happened to us'. It will capture their imagination and if you're talking to an IT person they will go to their senior management and tell the stories. Everyone can relate to that."
Cluley said that by telling stories in this manner, you could encourage every employee in an organisation to act as a guardian for the devices they use.
Delegates at Channel Conference MSP can also expect to hear tales of some of the more quirky hacks that Cluley has witnessed.
"One of the things I hope to do in the presentation is explain some unusual attacks as well as the common ones," he said. "I've got some fun stories that are a little bit out of the ordinary, which I think will open people's eyes to just how imaginative the hackers can be."
Everything is fine
GDPR's introduction upped the stakes last year, with businesses now facing the prospect of huge fines if they are found to have jeopardised personal data.
British Airways was hit with a record £183m penalty last month after reporting a breach, while hotel chain Marriott was slapped with a near-£100m sanction.
Cluley said that these penalties should be sounding alarms in the ears of bosses who until now have not taken the risks to their businesses seriously - creating an opportunity for the channel.
"I'm not expecting everyone to have more mega fines, but there are more teeth now than ever before and companies need to recognise that there's a huge amount of harm that can happen if their customer data or intellectual property leaks out," he said. "The repercussions are very real.
"I think that is certainly raising the hairs on CEOs' necks and driving home the risks they are taking if they don't have the proper protection in place. It is clear that these fines can be really substantial and have a long-lasting impact.
"But I think companies need to consider what impact these fines can have on their brand. You spend decades building up your company's brand so you are trusted; it only requires some silly mistakes and it can all be lost. You can spend a lifetime trying to rebuild it.
"Some will have the luxury of having the ability to rebuild it, but there will be other companies that are put out of business because of these fines and the damage to the brand."
As well as talking the audience through some of the most costly attacks, Cluley will also discuss "rogue employees", claiming "the thing that should be keeping people awake at night is the people they let in through the door".
Graham Cluley will speak at the CRN Channel Conference MSP in London on 2 October, alongside a host of great speakers. MSPs can register to attend, free of charge, here.