"Cyber security will be one of the biggest challenges facing the next President." – Hillary Clinton

"As far as the cyber, I agree to parts of what Secretary Clinton said… we have to get very, very tough on cyber warfare. It is a huge problem." - Donald Trump

First Presidential Debate, 26 September 2016

Clinton and Trump disagree on pretty much everything but even they agree that cyber security is now an issue so important that it needs to be directly addressed by the President of the United States. This is a message that should be heeded by everyone: cyber security needs to be led from the top.

Last October a cyber-attack at TalkTalk led to the data of 150,000 customers being stolen, including details of 15,000 bank accounts. This week, the Information Commissioner's Office laid the blame for the incident at TalkTalk's door, hitting it with a record £400,000 fine.

The technical reason for the hack was a failure to patch vulnerabilities in certain webpages, and at face value this would appear to be an IT problem. That, however, only tells half the story. The investigation by the ICO points the finger at a lack of information governance throughout the organisation.

So what can others learn from TalkTalk's experience? How can you reduce the financial and reputational risk to your business?

Known problem

The hacker stole TalkTalk's customer information through a known vulnerability in one of its webpages. Using a well-known technique, called SQL injection, the hacker was able to access a customer database that sat behind the webpage.
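To make the mechanism concrete, here is an added illustration (not code from TalkTalk or from the ICO report) of why a webpage lookup can expose the database behind it and how the standard fix removes the risk. The table, columns and sample rows are constructed for this example; the vulnerable function builds its SQL by string concatenation, the safe one binds the value as a parameter.

```python
import sqlite3

# Constructed sample data standing in for the customer database behind the
# web page; the table and columns are assumptions for this illustration.
CUSTOMERS = [
    (1, "alice", "alice@example.com", "11-22-33 / 12345678"),
    (2, "bob", "bob@example.com", "44-55-66 / 87654321"),
]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (id INTEGER, username TEXT, email TEXT, bank_details TEXT)"
    )
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?, ?)", CUSTOMERS)
    return conn


def lookup_vulnerable(conn, username):
    # String concatenation: the user-supplied value becomes part of the SQL
    # text, so a quote character in the input changes the query's structure.
    sql = "SELECT username, email FROM customers WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, username):
    # Parameterised query: the driver binds the value as data, so it is only
    # ever compared against the column, whatever characters it contains.
    sql = "SELECT username, email FROM customers WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def demo():
    conn = make_db()
    benign = "alice"
    # Constructed input that closes the quoted string so the WHERE clause
    # becomes always true; the safe version treats it as a literal username.
    hostile = "x' OR '1'='1"
    return {
        "vuln_benign": lookup_vulnerable(conn, benign),
        "vuln_hostile": lookup_vulnerable(conn, hostile),   # every row leaks
        "safe_benign": lookup_safe(conn, benign),
        "safe_hostile": lookup_safe(conn, hostile),         # no rows
    }
```

The governance point is that the safe form has been the documented fix for well over a decade; an organisation that knows which web pages it runs and audits them can retire the vulnerable form before anyone else finds it.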

Not only was this a known weakness, but a software patch was available to fix it and TalkTalk had already been attacked twice before in 2015. Furthermore, the ICO found that TalkTalk had the financial and staffing resources to remedy the weakness in its systems.

The comment from Elizabeth Denham, the Information Commissioner, is telling:

"TalkTalk's failure to implement the most basic cyber security measures allowed hackers to penetrate TalkTalk's systems with ease."

Better information governance

Even from the outside looking in, one can see a number of places where better information governance may have prevented this incident:

  1. Due diligence - The vulnerable webserver was acquired by TalkTalk from Tiscali in 2009 but TalkTalk was not aware that the server was still active. With hindsight, better due diligence at the time of the acquisition might have caught this. In the current climate, this due diligence is now critical as "acquired" information security risks are an increasingly common attack vector for hackers.
  2. Data asset register - A reliable register of data assets might have revealed the existence of the unprotected database. Rule No. 1: if you don't know what data you have, you can't protect it.
  3. Retention policies - The ICO found that there had been a breach of the Fifth Data Protection Principle meaning that TalkTalk was holding customer information that it no longer needed. A proper system of purging old data could have meant there was nothing to steal.
  4. Information security auditing - TalkTalk had the vulnerable customer database for 6 years without realising that it was still connected to the internet. More systematic auditing might have stopped this vulnerability going unspotted.

The ICO has made clear that the TalkTalk incident was not a one-off event or attributable to human error. From this, one can divine that it was the absence of proper information governance policies that was at the heart of the problems and also behind the ICO's rationale in issuing its highest ever fine.

The one bit of fortune for TalkTalk was that this happened before the new General Data Protection Regulation comes into force. With the new regime carrying fines of up to 4% of group turnover, any similar breach occurring after May 2018 could cripple a business that has not learned the lessons from TalkTalk.