As the fifth person is arrested for alleged involvement in the TalkTalk hacks we look at what lessons can be learnt from the embarrassing episode. Some are obvious – don’t get hacked and if you do get hacked then tell the truth about it.
The company failed to be straight from the start which made the public relations fall-out all the worse.
TalkTalk shares are down by more than 30 per cent and it has set aside at least £35m to pay for the damage done. Customers will be getting some sort of upgrade to try and win back goodwill but other costs include depressed sales and spending on extra security in the wake of the attack.
Of course TalkTalk are just the latest in a long line of UK firms which have suffered big data losses. And they’re not likely to be the last.
But what is different this time is that the damage has been so widespread that the way companies are talking about security is changing. The reason business attitudes are changing is because public attitudes have changed.
People are far more sensitive to how companies treat their data which is making business take the issue more seriously.
Talking to a leading security vendor recently we were told: “TalkTalk has changed everything. Security purchases used to be just a box-ticking exercise – something you had to have – but now companies are looking in detail at what the software can do and what protection it offers.”
Getting the right software in place is vital of course.
You need an excellent security team in place to ensure software is kept up to date, and a security strategy that is reviewed regularly.
But this fire-fighting force is just part of the solution – equally important is company culture. Your staff, from top to bottom, need to be making IT security a central issue in everything they do.
The TalkTalk attack started with a denial-of-service attack on its website – but this was likely a smokescreen for the attack which went after customer data.
This might have used a phishing attack – an email targeted at an individual or small group of staff.
Such attacks are increasingly sophisticated – it could look like a mail from a senior manager, it might sound like the sort of message they would send – so finance staff get offered budget spreadsheets and marketing departments get offered presentations to look over.
Different staff, with different access to company systems, need different security training.
People with mobile access to corporate networks need to know how to keep Wi-Fi access safe for instance.
You need to make sure laptops and mobile phones are password protected or a lost device could give easy access to your systems. You’ll also need software in place to make it easy to remotely wipe data from devices which are lost or stolen.
Anyone dealing with sensitive data needs to know about encryption. The Information Commissioner’s Office has fined companies for not encrypting customer data even when they’ve taken other measures, like password protection, to keep it safe.
None of this will stop you being attacked.
But the best software protection and a corporate culture which puts security front and centre of all decision-making should mean you’re in a good position to defend yourself.