At the time of writing, Talk Talk’s breach is all over the news. It broke last night (22nd October) at around 10pm and was clearly serious enough to be “breaking news” on the BBC app. Fast forward 12 hours and it is all over the BBC – including the CEO getting grilled on Radio 4.
Like others, I have a little insight into the background and, whilst I’ll not comment further, it is fair to say it could have been avoided. The immediate question will be around the security team; however, it would be completely unfair to point at the CISO and the team – the question is more about why the board didn’t take seriously the risks that will invariably have been highlighted before. In fact, whilst it is commendable that the CEO has spoken and warned their customers, the fact that she could not/would not confirm whether the data was encrypted (clearly it wasn’t!) is not going to help their image. The damage to their reputation will be huge.
When I was actively working within the Infosec world, I used to use an analogy to describe the attitude to Infosec from some organisations – it’s like selling car insurance to young drivers. When you passed your test and got your first car, chances are you were given sage advice by your parents to buy something sensible and insure it Fully Comprehensive to cover all risks. Of course, if you were like me you will have ignored the advice and chosen to spend the savings made by going Third Party Fire and Theft on the “important stuff” – like a car stereo, noisy exhausts, go-faster stripes, etc.
You probably then proceeded to bomb around and one day the inevitable happens – you have a crash, the car is damaged (maybe wrecked) and you are left with a pile of mess on your parents’ drive, staring in the face of a big repair bill, because you weren’t “Fully Comp”. All of a sudden you realised that it wasn’t that expensive after all…
There will invariably be lots of conjecture and analysis, and of course legions of my former peers and their employers espousing the importance of good controls (and, of course, how they could have prevented this from happening). Just like the young person with the wrecked car, Talk Talk will have to spend much more to try to fix the problem – and they’ll probably do it through gritted teeth – which means that they might still “go cheap” to limit the cost.
The most important thing here is the customers’ data – and the real focus should be to help them protect themselves from the inevitable risks to their banking information and the wider ramifications of their data being “out there”.
Like many, I predicted some time ago that there would be a big one, and I hoped it might just make organisations start taking this seriously – not just in word, but in deed. So, to all of those organisations that have had a “Third Party Fire and Theft” attitude to their security posture, the message is clear. Time to go “Fully Comp”!