The cyber-crime threat: are you the problem? | Video
The Jennifer Lawrence nude photo leak put the world’s attention on cyber-crime as a pervasive issue, affecting virtually every corporation around the world – but do firms need to be worried?
Companies at all levels face being the victims of cyber-crime, with the social online activities of staff and outsourcing being major areas of vulnerability. The New Economy speaks to Dave King, an online reputation management expert, about what action firms need to take.
The New Economy: Dave, let’s look at the example of Wal-Mart. Of course they’ve got a limitless pool of resources, but Wal-Mart has been victimised by cyber-crime. Tell me, how do you protect a company when you’ve got resources like that but, clearly, money is not the solution?
Dave King: You’re absolutely right: businesses are spending a fortune on combatting the obvious cyber-threat. And yet, perpetrators who come in using social engineering, or come from outside that ringed wall, if you like, can still pose a very credible threat.
Companies don’t necessarily understand that 84 percent of cyber threats today start with social engineering. And regardless of the amount you’ve invested in protecting your network, if I’m clever from the outside looking in, and I can use your employees or your third-party suppliers and the data they have out there, I can probably find a route in.
The New Economy: So you’re saying that human vulnerability starts from the top and trickles all the way down – but what I really want to understand is how an employee poses a risk to their own company through these various social media platforms that exist.
Dave King: Actually, most of the time we’re not talking about employees who have deliberately put their company at risk. In fact, what we’re talking about is, as you know, we all create an increasing online trail of information these days. And that information might include my interests, my likes, my travel arrangements. It might include other, more sensitive data. And what cyber attackers – certainly dedicated, bespoke attackers – are getting better and better at, is mining that information.
Now I might mine it for you specifically, but I’ll probably mine it for all of the people in the organisation to start to understand where the weaknesses are; where the vulnerabilities are. And that might include me posing as somebody else online to gain more information, and exploiting that vulnerability.
So often the employee or the third-party supplier is completely unaware – a, of the vulnerability, and b, of the attempt made by an outsider to exploit that vulnerability – until it’s too late.
The New Economy: Companies are going to be confronted by this issue at all levels. It doesn’t matter how large or small, because people are going to outsource various aspects of their work, and when that happens, as you said, there’s going to be a vulnerability created.
Tomorrow, if you were going to advise a mid-tier company, pulling in $500,000 to $1m – still a very small company – how would they then protect themselves? They may not necessarily have the resources of, for example, Target, to go out and get a whole flank of people.
Dave King: Well that’s absolutely right, and I think ultimately it boils down to prioritisation. And I go back to that analogy that I always describe, which is protecting your house from crime. You ponder what the threat is: what area do you live in, and so on and so forth, and you react accordingly. And I think the same is true for a small or mid-sized business.
And those small and mid-sized businesses might not be holding consumer data, for example. The danger is today, they possibly think they’re not susceptible to cyber-threat. They may well be. And that cyber-threat may come from abroad. It may come from state-sponsored or other corporate espionage.
And I think the challenge for boards has to be a, understanding some of this area; but b, working out where are our crown jewels? So as an organisation, what is it that we have, that is most valuable to an attacker? Whether that attacker be state-sponsored, or a hacktivist, or a schoolboy in his bedroom who wants to create mischief.
And it might be that it includes reinforcing our network. But first and foremost we should be thinking about what is it we’re trying to protect, and whom does that need to include from around the table?
The New Economy: Okay, now we have FTSE companies that are ponying up to that sort of advice, and realising that they need to be cyber-crime specialists at the executive level, bringing in this information. Is that a reassuring sign, for you?
Dave King: I think it’s a very reassuring sign, but I think it’s the minority, not the majority. It’s probably those businesses that are most analogous to the businesses where we’ve seen the biggest purported attacks.
So, retailers are waking up to – let’s not forget that a business like Target, which was attacked in the US – had made massive investment into cyber. It might be argued that they missed out a piece of the puzzle. But it’s very reassuring to see FTSE firms waking up to the threat. I think it’s important that that’s more widely applied.
The New Economy: Sobering advice there, thank you so much Dave.
Dave King: Thank you.