TalkTalk saga: lessons and thoughts
Stuart Hyde QPM, Member Europol Internet Security Advisory Board, Director Stuart Hyde Associates Ltd
on 28 Oct, 2015
Last weekend, the telecoms giant TalkTalk faced a huge crisis having been hacked by person or people unknown. News of the attack broke swiftly and was followed by a tsunami of interest and concern across social media.
At the front of the messaging for the company was Baroness Dido Harding, who has since become a household name. She had to manage the fallout for potentially four million customers whose data may have been breached. The saga has highlighted both the need for security and the necessity of vigilance.
The attack itself has resulted in the arrest of an individual, so I will refrain from anything that may risk prejudice to any legal processes. There are, however, important issues arising from the case that could, and should, be on the agenda of all heads of organisations: CEOs, directors, presidents, head teachers, chief constables and many more.
No one can assume they are 100% secure online. Even venturing an opinion these days can attract a type of opposition that is ruthless, creative and even abusive in response, whether the author is a politician, a celebrity or an ordinary member of the public. Here are some issues that I think are worthy of consideration even at this early stage as the case unfolds:
1. It was very clear right at the beginning that the media demanded a spokesperson with clout. This ended up being the CEO, Baroness Harding. Well experienced in media issues, she presented an open and doggedly persistent view that the company was doing all it could to sort the matter out. Many interviews highlighted her ‘grip’. The lesson here is that if you are the head of an organisation, whether public, private or third sector, you should anticipate that you will be in the firing line in the event of a breach.
2. Data security starts at the top and cannot be devolved to the IT department any more than your strategy can be devolved to a PR company. As a leader within the business you need to understand, for example, the options for your firewall (it is actually quite interesting), and you need to know the strengths and weaknesses of your technical people. A disenchanted junior IT operative could cause immense damage when they leave. Do you know and understand the authentication policy? What are your rules for Bring Your Own Device? What about the mix of work and social media, and do these reflect the ethos of your organisation?
3. A saying I picked up that has become a good mantra is ‘The quickest way to lose your business is to lose your data’. An effective sales team, an efficient call centre or a productive product cycle can all be undone by a loss or breach of data. Confidence in the product and the company diminishes, publicity turns negative and, in all likelihood, your value will plummet. The energy spent scraping together the additional 0.5% on a sales target could be better spent checking your firewall and IT strategy.
4. When you have been attacked and there is a threat of data loss, deal with it, and deal with it fast and effectively. This might include setting up advice lines and media messaging, and in particular attending to your social media. You will not be able to keep it secret in this day and age. Better that you are talking to customers and commentators directly than that they are talking about you and your company without you. The social media demand will be immense, but being open creates a real sense of engagement, gives you the opportunity to address incorrect criticism and helps you build back your brand.
5. Your customers want to know what help is available to them from the company. Providing free customer support is necessary, but it is not the only thing you can do. Show your willingness to reach out to others who can help. For example, link to sites like Get Safe Online or other advisory sites, and make sure that banks are aware of the attack and can quickly share information about it with what might be an avalanche of concerned callers. The attack may be part of a wider campaign, the work of a lone wolf or a major international operation. Whatever the case, reach out to organisations, public or private, that can offer advice and guidance.
6. Sometimes in an attack you will need to build an evidence case and demonstrate to your insurers or the police what has happened. Recording and logging events is crucial to securing prosecutions and to preventing further attacks, and you will face criticism from regulators if you have not managed this part properly. Evidence should be gathered to a high standard, particularly if you are going to rely on it in court. Using a firm with ISO 17025 accreditation, such as CCL Forensics, could help.
7. Throughout the attack, and after it, make sure that you have built up a rapport with law enforcement. Keep it polite and effective; you may not always agree, but politeness costs nothing. Have you signed up to one of the Cyber-Security Information Sharing Partnerships? These cover most regions and give you the best access to those who can help you. Keep everyone updated and work closely with the police and other law enforcement. Action Fraud is well worth connecting with, as they are likely to receive complaints if the stolen data leads to a subsequent social engineering attack, whereby people are manipulated into giving up confidential information.
8. During the event and after it, retain all information about the attack, including records of the decisions you made and the reasons for those decisions. Regulators will want to understand exactly what happened and whether you have met your statutory requirements. Have someone log everything, including your decision notes, and where appropriate take screenshots. If it isn’t written down, it didn’t happen.
9. It is not difficult to imagine an attack on your premises: you build in alarms and access control, you probably run a fire alarm test weekly, and you might have a full fire drill every month. Do the same with your data security; many organisations have exercise plans to help you. You can use specialist exercising such as Cybx, run through the Cabinet Office-owned Emergency Planning College, to see how your company would cope with a real attack in a virtual scenario exercise. Setting aside just a few minutes a week to discuss what you would do, who could help and what your action plan would be is time well spent.
10. Finally, the media onslaught could be massive and uncontrolled. Being alert to the media, and especially social media, helps you to appreciate what people are saying and asking. Many highly successful businesses and organisations reply directly to criticism on social media. That personal engagement can help rebuild your reputation quickly.
Some final questions
- Are you a member of your regional CISP?
- Have you linked to Get Safe Online and Action Fraud?
- Do you test yourselves on a potential breach?
- Do you understand the principles behind your own data security?
- Are you ready to act publicly to inform and defend your organisation and yourself?