Today in her Infosecurity 2018 keynote, 'View from the Board: A CEO's Perspective on Cybersecurity', Baroness Dido Harding laid out her key learnings from the infamous 2015 TalkTalk data breach, for which the Information Commissioner's Office fined the telecommunications provider a then-record £400,000. Whilst some people may be loath to take lessons from Baroness Harding given the controversy surrounding the breach and its handling, it is clear that she has thought deeply about what happened and about how to prevent similar breaches in the future.
Before the data breach, TalkTalk was a fairly young and immature business, says Baroness Harding, having grown through the rapid acquisition of other providers such as Tiscali, Blinkbox and Tesco's internet business. Key cybersecurity steps had nonetheless been taken: due diligence had been done in 2010 and a ten-step cybersecurity procedure was in place.
However, something key had been missed by the board, the C-suite and those doing the due diligence: a vulnerability in the TalkTalk website (in the ICO's findings, a SQL injection flaw in legacy web pages inherited from the Tiscali acquisition) that existed because of the continued use of multiple legacy systems that had built up over the years of acquisitions. The practical lesson is that every acquired system has to be inventoried and then either brought up to standard or decommissioned; due diligence that stops at the corporate level does not find it. This, combined with a general failure from the top to listen to cybersecurity and IT professionals and to ask them the right questions, left TalkTalk exposed.
The first big lesson that can be drawn from this, says Baroness Harding, is the need for the board to ask the IT and security teams the right questions. Is the cybersecurity plan good enough? Are our systems actually in good shape? What is causing you concern about network security? Without the board asking these questions and taking responsibility from the top, an organisation cannot effectively mitigate its cyber risk.
The second big lesson from the TalkTalk data breach was that cybersecurity is definitely a board responsibility. Throughout the attack Baroness Harding was effectively out on the front line, carrying the responsibility for crisis management and decision-making. According to the Baroness, deciding when it was safe to bring TalkTalk's systems back online and resume sales, service and payments for customers was the hardest call, because while the systems remained exposed the company was a sitting target for further attacks, and protecting customers from those attacks was her top priority. The security and IT departments argued it was their decision to make, as they normally had responsibility for technical decisions. Yet Baroness Harding argues this ultimately was not their decision: cyberattacks are not just technical issues. Because they affect business systems and can have a dramatic impact on customers' experience, these kinds of decisions need to be made by the CEO.
Cyber can be something of a taboo subject at the moment, given the emphasis on the continued threat of nation-wide attacks. She told the packed room that those in the industry responsible for building the moral and legal scaffolding for the digital age must not make it so terrifying that people react with the same fear some showed towards the industrial revolution. We need to come together and engage as a society, drive innovation and roll out education programmes. The digital world is truly a great thing for society; we just need to work out how to civilise it.
By Geraldine F, live from Infosecurity 2018