What Can Small Businesses Learn From The Cyber Attacks on Pokemon Go?
The recent hacking of Pokemon Go has proved that no one is fully safe from cyber crime. So what should businesses do in a similar situation?
If you’re one of the millions of Pokemon Go ‘trainers’ who have nurtured a daily gaming habit over the last couple of weeks, then you’ll be well aware that the app has already suffered two high-profile server outages as a result of cyber attacks.
And if you haven’t been sucked into the hugely addictive Pokemon craze just yet, it’s highly likely you’ll have heard about the problems anyway – or at least wondered why your friends were suddenly being so unsociable over the weekend!
In any case, here’s a recap. Hacking group Poodlecorp took down Pokemon Go on Saturday in what is known as a DDoS (Distributed Denial of Service) attack, whereby the hackers flooded the game’s servers with so many requests that they shut down. The result – no Pokemon for most of Saturday, and lots of disappointed Pokemon fans.
But that wasn’t the end of it. Just as the game was getting back up and running, another attack followed on Sunday by a group called OurMine, this time claiming they were actually trying to help the app and its developers to improve security. Either way, frustrated gamers endured more hours with no Pokemon before the problem was rectified.
So, what lessons can we take from these attacks?
While the short-term damage for Pokemon Go is likely to be fairly minimal, for many businesses, attacks like this can lead to a significant loss of revenue, with system downtime leaving them unable to trade. And that’s before you’ve taken into account any reputational damage, with customers potentially avoiding the brand for fear that it’s putting their personal or financial information at risk.
If it hasn’t already, Pokemon Go would be wise, firstly, to take steps to minimise the risk of these types of attacks in the future and, secondly, to make sure it has a plan in place for if and when it does suffer another attack. You only have to look at previous high-profile cases such as TalkTalk and Ashley Madison to understand the long-lasting reputational and financial damage that a serious data breach can cause.
These attacks also remind us once again how easily and effectively hackers and cyber criminals can find and target vulnerable businesses online – even industry leaders and innovators. And it isn’t just large businesses that need to worry either, with studies showing that start-ups and small businesses are equally at risk.
Last year, two-thirds (66%) of small firms were hit by a cyber-attack, according to the Federation of Small Businesses (FSB), with many chosen because they don’t have the funds, time or knowledge to defend themselves. Meanwhile, the majority of businesses still aren’t taking the threat seriously, with another study showing that 77% of organisations are unprepared for an incident.
While IT security should, of course, be central to your strategy, it’s fair to say that even with the best technology and security measures in place, sometimes you’re powerless to stop an attack. Cyber criminals are becoming more sophisticated all the time, so it’s impossible to know what to expect.
This is why it’s crucial for all businesses to have a response plan ready, so you can take control and recover from an attack quickly and effectively, with minimum impact to your business and its customers.
What should a response plan include?
- Investigating the attack – What caused the breach, which data has been accessed and how can you ensure it doesn’t happen again? As a small business, it is unlikely you’ll have the expertise internally to do this, so have IT forensics experts on hand for if and when you need them.
- Your legal response – depending on the nature of the attack, you could have legal issues to consider, so a good lawyer is essential. If customer data is involved, you may need to inform the Information Commissioner’s Office (ICO) and/or defend your business against claims of negligence. Alternatively, if you feel you’ve been let down by your external IT provider, you could be the one taking legal action.
- Media relations – cyber attacks are big news and you may be on the receiving end of negative publicity if you don’t handle the media correctly. External PR support can help ensure you manage your messaging and have professional statements ready if you do attract any press attention.
- Customer communications – it’s important to keep your customers informed of what’s going on, so they know if they are affected and to allay any fears or concerns. As a small business, this communication should be as personal as possible, incorporating telephone calls and emails as well as online and social media. Your lawyer will be able to advise on what you should and shouldn’t be saying.
- Cyber cover – cyber attacks can be expensive, with legal, PR and compensation costs to consider, not to mention the financial loss caused by system downtime. To ensure your business isn’t crippled as a result, a watertight and specialist cyber insurance policy will be there to pick up the bill. But bear in mind that policies can vary significantly, so be sure to seek specialist advice on your needs.
Ben Rose is insurance director and co-founder at Digital Risks