The Troubling Tale of TalkTalk and Others


The list of companies suffering from computer hacks grows even longer. Changes need to be made

When questioning what a company’s most valuable asset is many would suggest its employees, or the products, or perhaps the properties it owns or the factories. However, realistically for many, the most valuable asset is their data. With this considered, how many take that seriously enough to ensure robust cyber security measures are in place to protect against cyber threats directly harming this data? Over the past few years numerous cyber attack on various corporations, ranging from Sony to Target, have shown the increasing importance of keeping data safe. It is evident that many firms take it for granted that a single cyber threat can be a significant disruption to their business. They may often undermine the potential of black hat hackers and the consequences of computer viruses and malicious software penetrating their systems and networks. TalkTalk has been the latest victim to join the long list of companies which have suffered from cyber attacks, and it is possible that even more are yet to admit that they have. This presents a host of new challenges and approaches by firms in terms of how they collect and protect data. In the TalkTalk saga, the British telecommunications company will have to cough up around £35 million as a result of the cyber calamity, and the will attempt to soften the blow for consumers by offering free upgrades..The events which have taken place has been a reflection of the numerous companies which have unnecessarily suffered from cyber attacks, resulting in troubling inconveniences for consumers, resulting partly from poor planning, preparation and proper procedures.

Although even with this latest edition, it is not entirely the fault of the companies themselves, but the laws which govern them could also be to blame. Cyber breach laws, including notification requirements, encryption standards and sufficient compensation requisites, are being questioned and criticised in a debate considering whether UK laws go far enough to deal with theses types of situations. If the laws in place had been enough, perhaps, it could be argued, breaches of this magnitude may not occur or at least occur less frequently. Overall the legal systems in place, which consequently result in companies taking a less serious approach to their information security (until of course they have actually suffered a hack) creates an environment in which malicious hackers can easily take advantage of the intriguing vulnerabilities carelessly exposed. Thus, laws need to be adapted for the better, and need to be able encourage and establish greater cyber security amongst companies holding masses of consumer data, and ensure that those consumers who may suffer as a result of a cyber attack, are amply catered and compensated for.

To begin with though, a good place to start, for the private sector, would be to identify what data it has. Analysing the risks of possible data breaches cannot be effective without solid knowledge of the data being dealt with. Not only this but those who are dealing with the data also need to be considered. The biggest weakness with any security system is the human being; perfectly prone to making mistakes and misjudgements. Thus it is critical that there is thorough thought put into the processes of recognising exactly what data is at stake and who is dealing with it. Being able to take these initial steps provide the foundations for a substantial and well constructed system to cope with the increasing possibilities of cyber attacks.

A sensible next step should be to establish a dedicated team dealing specifically with cyber breaches. Although this team, which could be labelled as a cyber incident response team or any other similar label, should be more than just consisting of IT security experts. Cyber attacks on firms which expose masses of precious consumer data, requires not just those who can help to deal with the computer-related complications and get systems back to working order, but it is also extremely critical to have personnel dealing with HR, public relations, as well as legal and privacy experts involved in this task force to cope with the enormity of the exploitation of some 1’s and 0’s.

Additionally it may even be necessary to have third parties involved, but ultimately having such a team not only in place, but being ready and informed for when such events occur (while, of course, recognising that anybody could be subject to cyber attack and therefore acknowledging that it is imperative to take cyber security seriously) can dramatically ease the initial harshness of the attack.

While attempts are being made to neutralise an attack, if of course a cyber threat manages to ensue despite the safeguards being in place, it is imperative that the company in question promptly notifies its customers, and indeed the general public, of the attack that has taken place. This has been improved upon by the TalkTalk from a year earlier when it suffered from a previous cyber attack in November 2014, which was not made known until the new year in February. In that time hackers managed to swipe numerous account details, sucking out £5000 from each customer exposed. This can diminish the reputation of businesses, and erodes the trust of not only its once loyal customers, but those involved in the company itself. The decline of the company’s performance in the stock market as a result of the latest attack represents the seriousness of not just the cyber attack itself, but the consequence of failing to inform the public that such an event has taken place. It’s the decency of letting those who are the real victims of an attack know that their data has been compromised that will do a better job of softening the blow to public perception, as opposed to financial compromises.

It cannot be avoided that businesses should also commit actually implementing sufficient security measures to properly protect peoples data. Tokenising stored payment cards has proven to be inadequate; more robust security is needed. Simply storing bank account details in plaintext makes it frighteningly straightforward for hackers to utilise for fraud and other malicious activity. It is very vital that firms like TalkTalk which store such data of its consumers do so with the use of encryption for all information. Encrypting some data and not others is clumsy and torpid, and reflects the ignorance of some companies when it comes to cyber security. However, in all fairness to the company, the CEO was correct to point out that these poor attempts to protect data stems from “no legal obligation to do so”.

So as well as the private sector doing its part, it is equally as important that the government also puts in place the necessary laws and regulations to encourage good practices and better prevent cyber attacks and there devastating impacts. It is also the fault of weak laws in this area which have contributed to the worrying impacts of cyber attacks. Currently, UK laws require companies to implement measures to protect data, but do not specifically ensure that encryption is employed to protect personal data properly. The latest attack was deployed with an SQL injection attack (which stands for Structured Query Language, a code injection technique which essentially spits out the contents of a database to the attacker) which are actually quite simple to avoid. Prepared statements, or parametrised queries, for example, would give databases the capability to determine which inputs are code and which are data. This prevents hackers being able to use simple commands to obtain information from databases. SQL injections are avoidable, but with no forceful incentive being provided by strict and clear laws and regulation, the benightedness of some businesses when it comes to cyber security prevails, resulting in fairly preventable attacks with potentially adverse consequences. The hardening of such laws can lead to more efficient and robust practices which can protect against cyber.

In addition to this, it could argued that the UK Information Commissioner’s Office, which is a department responsible for the enforcement of data privacy laws, needs more bite. Its ability to fine companies for inadequate data protection measures does not exactly deter firms from poor cyber security protection. It uses its powers sparingly, and instead should focus on using its powers to very firmly indicate to businesses that security insufficiencies will not be tolerated. This is what it will take to ensure that databases are secured with the best technologies possible and at least better incentivise firms to make an effort to protect peoples data. This is especially crucial while identify theft and fraud has been on the rise on the internet, and so the need for a serious approach to security becomes, undoubtedly, more worthy of attention.

Security has not always been a top priority with technology, but the need for it now is more pivotal, especially now with the dangers of the internet, and the unprecedented powers it can give unsuspecting criminals. Significant cultural changes within businesses and stronger laws enforced by governments can help ease the pain. It may be a late realisation to the dangers, but its better to be late then to do nothing at all. Change must happen.