Much finger pointing and head scratching has been done over the last week, following the TalkTalk hack. The broadband provider suffered a data breach which resulted in customer data being stolen – that’s the ‘normal’ part, where the finger pointing takes place. The head scratching occurred because it’s the third breach it has announced in the space of 12 months: in December 2014, its customers were the victims of scam calls following a data breach, and they then became victims of the 2015 Carphone Warehouse hack because the hacked division also provided services for TalkTalk. As the old saying goes:
Hack me once, shame on you. Hack me twice, shame on me. Hack me a third time, someone is likely to get fired and my quarterly profits are going to take a hit.
There is a hint of arrogance (or incompetence?) when a company, having been clearly shown that its security measures are not sufficient, does not act immediately and significantly. TalkTalk has now hired heavyweight defence system contractor, BAE Systems, to handle its cyber security, but its reputation is already damaged. One suspects that if it had made the appointment right after the first breach, the public would be more forgiving as it would have been an admission of the seriousness of the situation. Instead, the TalkTalk security team has potentially been embarrassed by a 15-year-old from Northern Ireland and a 16-year-old from England.
Corporate cyber security failings can be attributed to three components, which together shape the worrying landscape we see today: consumers continue to trust companies with their personal information, companies continue to underestimate hackers (15! Those GCSE IT classes have really upped their game) and hackers continue to outsmart large companies – Experian, Home Depot, JP Morgan Chase, AshleyMadison.com, eBay, British Airways and many more have recently suffered massive data breaches as a result of hacker activity. These behemoth data carriers suffer from a lack of infrastructure agility when dealing with new cyber threats, which means that in the time it takes for them to adapt to a new threat, five more have appeared (for a fantastic visualisation of the world’s biggest data breaches, check out Information Is Beautiful).
The increased regularity of hacking media coverage has prompted a shift in mentality for security professionals – many now prepare for the day that they will be hacked rather than relying on technology to keep them secure all the time. Here are some of the ways you can prepare your company for a cyber attack:
1. Accept that your company is likely to be attacked in ways that you have not accounted for. This means accepting that you are not defending a castle with few entry points; you are defending against a full-on, Where’s Wally-style fortress invasion, where even the inhabitants regularly do things that allow attackers in.
2. Educate your inhabitants. Companies need to promote a culture where employees take the responsibility of looking after people’s personal data seriously. This includes reminding them about how actions in their personal lives can affect the company – as a society, we know and are connected to more people than ever before which by association means companies have more defensive weak points than before.
3. Embrace the never-ending project. Stop putting off those security upgrades in favour of commercial gain – what you spend now, you’ll save down the line in brand reputation and more. As hackers use new techniques all the time, you’ll need to update your systems regularly too.
4. Adopt best practice, not just laws. TalkTalk’s CEO has said the company didn’t encrypt all its customer data because it wasn’t legally obliged to, and while that may be true, data encryption is widely regarded as best practice. Waiting for legislation to kick in before acting can leave you at high risk in the digital world. At the very least, any company not encrypting customer data would need to show that it has fulfilled its legal obligations to protect that data through other measures.
5. Have a response plan in place. The worst has happened: you’ve been hacked and it has reached media ears. Your response should include appropriate media measures, an authoritative spokesperson, customer prioritisation, and of course sealing the breach point. In your customer notification/safeguarding, you should also be aware of opportunists (other than the original hackers) who take advantage of announced data breaches to further dupe people into unwise actions.
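Point 4 above recommends encrypting customer data rather than waiting to be told to. As an added illustration (this is example code, not anything from TalkTalk, BAE Systems or the original article), the following Go program encrypts the personal fields of a customer record with AES-256-GCM from the standard library before they are stored, binds each ciphertext to its record ID so a value cannot be swapped between rows, and shows that a copy of the stored row no longer contains the email address or phone number in the clear. The record layout, the key handling and the sample customer values are all constructed for this example; in a real deployment the key would come from a key management service or HSM, never from the code or the same database.

```go
package main

// Added example (not part of the original article): field-level encryption
// of customer data at rest with AES-256-GCM from the Go standard library.
// The record layout, key and sample values below are constructed for this
// illustration.

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"fmt"
	"io"
	"strings"
)

// StoredCustomer is the shape of the database row: the identifier stays in the
// clear so it can be indexed, while each personal field is stored as
// base64(nonce || AES-GCM ciphertext || tag) and is bound to the record ID.
type StoredCustomer struct {
	ID    string
	Email string
	Phone string
}

// newGCM wraps a 16-, 24- or 32-byte AES key in an AES-GCM AEAD.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptField seals one value. aad (here the record ID) is authenticated but
// not encrypted, so a ciphertext copied from another row fails to decrypt.
func EncryptField(key []byte, plaintext, aad string) (string, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return "", err
	}
	// Seal appends ciphertext and tag to the nonce so one blob carries all three.
	sealed := gcm.Seal(nonce, nonce, []byte(plaintext), []byte(aad))
	return base64.StdEncoding.EncodeToString(sealed), nil
}

// DecryptField reverses EncryptField; any bit flip in the blob or a mismatched
// aad returns an error rather than silently returning garbage.
func DecryptField(key []byte, encoded, aad string) (string, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return "", err
	}
	blob, err := base64.StdEncoding.DecodeString(encoded)
	if err != nil {
		return "", err
	}
	if len(blob) < gcm.NonceSize() {
		return "", fmt.Errorf("ciphertext too short")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	pt, err := gcm.Open(nil, nonce, ct, []byte(aad))
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

// StoreCustomer builds the row that would be written to the database.
func StoreCustomer(key []byte, id, email, phone string) (StoredCustomer, error) {
	e, err := EncryptField(key, email, id)
	if err != nil {
		return StoredCustomer{}, err
	}
	p, err := EncryptField(key, phone, id)
	if err != nil {
		return StoredCustomer{}, err
	}
	return StoredCustomer{ID: id, Email: e, Phone: p}, nil
}

// LeaksPlaintext reports whether a stored row still contains a given value in
// the clear, which is the check a leaked database dump should pass.
func LeaksPlaintext(row StoredCustomer, value string) bool {
	return strings.Contains(row.Email, value) || strings.Contains(row.Phone, value)
}

func main() {
	key := make([]byte, 32) // in production this comes from a KMS/HSM, not the code or the database
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		panic(err)
	}
	// Constructed sample customer; not real data.
	row, err := StoreCustomer(key, "cust-0042", "alice@example.net", "+44 20 7946 0000")
	if err != nil {
		panic(err)
	}
	fmt.Printf("row as stored: %+v\n", row)
	email, _ := DecryptField(key, row.Email, row.ID)
	fmt.Println("decrypted with the right key and record ID:", email)
	_, err = DecryptField(key, row.Email, "cust-9999")
	fmt.Println("decrypted under another record's ID:", err)
}
```

The point of binding the record ID as associated data is that an attacker who can write to the database but not read the key still cannot move a ciphertext from one customer to another; and because GCM authenticates the ciphertext, a corrupted or tampered blob is rejected instead of being decrypted into something that looks plausible.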
The above suggestions will show your stakeholders that your operation did everything it reasonably could to safeguard information. If you are the target of a successful cyber attack, that intent will go a long way to repairing any damage done to the trusting relationship your brand has built up with its customers.
By Alex Harvey
Ask me anything: @alextharv