So, how do you view the performance of Dido Harding, CEO of TalkTalk, when news broke in October 2015 of what appeared to be a significant breach of its cyber-security? One point of view is that she presented a business determined to get on the front foot in the face of a hack which stole customer data, demonstrating that the brand was aware of customer concerns and working to resolve them. Another was that she appeared unprepared and lacked knowledge of the scale of the theft or how it was done, suggesting a business with only limited cyber-security resources.
Parliament’s Culture, Media and Sport Committee interviewed Harding, as well as the Information Commissioner and a range of other experts, as part of its investigation into the issue. The report it has just published makes for interesting reading, not just for the recommendations it contains, but also for the background it reveals on TalkTalk’s experiences (noting also that the company has still not published its own PWC-authored report into the incident).
For one thing, it emerged that TalkTalk had notified the ICO of 14 data breaches in the previous two years, but was not on a “watch list”. For another, Harding told the committee that she saw herself as accountable and responsible for cyber-security, but there was no response plan in place for the type of incident which occurred. While TalkTalk took a number of steps to protect customers, including setting up monitoring of bank accounts against fraud, it took two weeks to identify the exact scale of the theft and therefore how many of those customers were exposed.
As a result of these findings, the committee has made some proposals which every business holding personal information should consider seriously:
Just as Harding did, the committee argues that top-down response is appropriate. However, they note that it is unrealistic to expect CEOs to manage cyber-security day-to-day. Instead, this should be handled by chief information security officers (although their report does not use the term CISO) “who can be fully sanctioned” if sufficient steps are not taken. In addition to what might look like a hospital pass, it is also suggested that a portion of CEO compensation should be linked to cyber-security.
The committee is scathing about the idea any online business should continue to be vulnerable to malicious SQL injections, which remain the most common type of attack. They also call for better training of developers in cyber-security and that “security by design” should become a core principle of any system or app development.
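To make the committee's point concrete, here is a small added example (not code from the article or from TalkTalk) of the difference between a query that splices user input into SQL text and one built with parameter binding, which is the "security by design" practice that removes the injection class entirely. The table and rows are constructed for the demonstration, and SQLite is used only because it ships with Python; the same binding pattern applies to any database driver.

```python
import sqlite3

# Constructed sample data for the demonstration (not from the article).
SAMPLE_USERS = [
    ("alice", "alice@example.com"),
    ("bob", "bob@example.com"),
]


def build_db():
    """Create an in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def lookup_vulnerable(conn, name):
    """Vulnerable pattern: the caller's input becomes part of the SQL text,
    so the database cannot tell data from query structure."""
    sql = "SELECT name, email FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, name):
    """Hardened pattern: the query text is fixed and the input is bound as a
    parameter, so whatever the caller sends is compared as a plain value."""
    sql = "SELECT name, email FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def demo():
    """Run both lookups with an ordinary name and with a classic tautology
    string, returning the row counts each version produces."""
    conn = build_db()
    tautology = "' OR '1'='1"  # constructed test input
    return {
        "vulnerable_normal": len(lookup_vulnerable(conn, "alice")),
        "vulnerable_tautology": len(lookup_vulnerable(conn, tautology)),
        "safe_normal": len(lookup_safe(conn, "alice")),
        "safe_tautology": len(lookup_safe(conn, tautology)),
    }


if __name__ == "__main__":
    for key, count in demo().items():
        print(f"{key}: {count} row(s)")
```

The string-built version returns every row in the table when handed the tautology input, while the parameterised version returns nothing, because the input is never interpreted as SQL. A developer training programme of the kind the committee calls for can reasonably treat the first pattern as a defect to be caught in code review, regardless of whether anyone has yet found a way to abuse it.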
But companies also need to have incident management plans in place which get rehearsed. That should help to avoid the situation I was told about in one major business where a C-level executive had been given the role of post-attack response management, but no media training. When it came to the crunch, the individual froze and was incapable of handling interviews.
Where consumers have suffered from a data breach, they should be able to claim compensation, according to the committee. This could happen through the small claims courts, but might get rolled up into a class action which is now possible under UK law. Compensation risks could prove even more of an incentive to improve cyber-security than the higher fines (and threat of jail) proposed in the report.
There is a clear call for companies to improve their cyber-security standards, including ensuring third-party suppliers are chosen who have Cyber Essentials certification. But the report also suggests that this itself needs updating to reflect the changing nature of attacks and also the need for incident management planning.
There is a lot of noise in the market around cyber-security and almost daily news about hacks and data breaches. As a result, many companies may have become deaf to the underlying message. If you want to be more Dido - responding quickly, even if with limited information, and getting on the right side of regulators as well as companies - you need better tools, a clear plan and practice. Otherwise, when the inevitable attack occurs which does breach your data security, you may end up more like the dodo.