Almost 75% of UK consumers say they would reduce or stop using a company’s services in the wake of a major cyber breach, and only 4% claimed a breach would not alter their behaviour at all, according to a report published by communications service provider (CSP) TalkTalk Business.
The study, titled Trust in a connected world, also reveals that 70% would tolerate no more than 24 hours of downtime following a cyber attack, 36% would accept only a few hours of disruption, and 15% wouldn’t even stand for an hour-long outage.
A little over a year on from the infamous Marks & Spencer incident, TalkTalk said that both the growing lack of trust and the shrinking “tolerance window” demonstrated that expectations around cyber resilience are changing rapidly as public-facing organisations become more digitally dependent, and cyber attacks are more widely reported and discussed.
Indeed, 66% of 1,000 members of the public surveyed said reading or watching mainstream news stories about cyber attacks is changing how they interact with organisations online, rising to 83% among 18- to 24-year-olds, demonstrating how the fall-out from cyber attacks spreads beyond those directly affected.
“Our research shows that organisations are increasingly judged less on whether attacks happen, and more on whether services stay available when disruption occurs,” said TalkTalk Business CEO Ruth Kennedy.
“For many organisations, resilience is now a customer trust issue as much as a security issue. If critical services go offline for hours, people increasingly won’t wait around, and younger consumers in particular are much quicker to change behaviour when trust is shaken.
“That’s why resilience can’t sit separately from connectivity and infrastructure anymore. The organisations best prepared for the next wave of cyber disruption will be the ones that can recover quickly and keep services available under pressure,” she said.
Asked what types of organisations they were most worried about in relation to cyber, 30% of respondents pointed first to retailers and 25% to government services. Public concern also extends to CSPs and logistics and delivery companies.
All of these organisations can be termed “high-contact” services – those that consumers interact with frequently, such as M&S or Co-op, and those that have a high public profile and immediately attract attention when services start to become disrupted during an incident.
TalkTalk found that consumer expectations are both consistent and outcome-led. The public expects organisations to have strong protections in place and to clearly communicate breaches, but, at the same time, mainstream technical awareness remains low – barely 30% of people have even heard of a distributed denial of service (DDoS) attack, for example. People just want services to be safe and to work.
In light of this, said the report, cyber resilience should be framed and built in an appropriate context, with outcomes ordinary people are able to feel – meaning service availability and recovery, along with reassurance.
High-contact organisations that want to deliver such outcomes should recognise that doing so depends on a standard, consistent and centralised approach to cyber resilience.
TalkTalk said this would be the main challenge for the next year – security that holds up operationally, under pressure, across estates, and that inspires tangible confidence among the public.
“The organisations that progress fastest won’t necessarily be the ones adding the most tools. They’ll be the ones that reduce blind spots, tighten consistency across sites and cloud services, and build continuity into the network – because that’s what turns an incident from a prolonged outage into a contained disruption,” concluded the report’s authors.

