18 July 2016

TalkTalk cyber attack: security report

The sustained cyber attack of October 2015, during which the telecommunications and internet provider, TalkTalk, found its customers’ data had been vulnerable to compromise, provided a wake-up call to many consumers as well as businesses, forced to consider how they would react in such circumstances. Not least as it emphasised the lack of awareness of how individuals might go about seeking redress, how businesses might best keep their customers informed during such a crisis and how to handle the potential PR disaster of very frustrated and concerned customers taking to social and traditional media in their numbers.

The recently-published report of the Culture, Media and Sport Committee titled ‘Cyber Security: Protection of Personal Data Online’ gives a starting point for the lessons to be learned by organisations large or small. Evidence submitted to the inquiry by the Federation of Small Businesses (FSB) stated that a third of its members had been the subject of cyber crime. So clearly the issues involved are not just a matter for big business.

At the time, TalkTalk’s decision to go public and notify its customers of the attack within a day of its occurrence, but several days ahead of knowing precisely how many customers were actually affected, seemed to have the potential to simply add to the apparent panic. However, the strong crisis management response, together with the prompt response and leadership of TalkTalk’s CEO in the circumstances was noticeably acknowledged by the Committee as a positive aspect to its handling of a fast-paced situation. One of the report’s conclusions was that the Information Commissioner’s Office should be introducing a scheme of escalating fines to discourage delays in reporting a data breach so the Committee clearly supported TalkTalk’s decision in this regard.

The Committee also acknowledged that TalkTalk had previously run business continuity exercises for risks such as cyber breaches; however what it hadn’t played out in exercises was its reaction to such a large-scale attack. Cyber-vulnerable organisations must plan for such eventualities, including realistic exercises and communications strategies. Indeed, a key outcome of the report is the need to face the fact that cyber attacks must be considered as simply an established part of our global digital economy.

As a result there is a need for all businesses to see cyber security breaches as a risk which isn’t just to be guarded against or which we might seek to prevent, but something which must be prepared for as a probability. Enhancing the topic’s Board impact was another interesting conclusion, with the suggestion that CEO remuneration might be linked in some way to effective cyber security. Whilst the buck may stop with the CEO, someone else in the business must ultimately have responsibility for cyber security and be supported in planning the necessary incident management. Clearly how any such breach is communicated to customers and how their concerns would be handled would need to be the foundation of such planning.

The Committee was keen to emphasise the consumer’s role in these situations, ensuring that public awareness of data security risks is raised and that consumers can be given confidence in the businesses with which they are dealing. The report wanted to see an awareness-raising campaign, particularly around topics such as verification mechanisms, to help consumers understand how to verify the communications they receive are genuinely from the company stated. Again, TalkTalk’s efforts to inform its customers, over the preceding 12 months, how it would know that a TalkTalk agent was calling them, were acknowledged.

The risk of businesses paying lip service to issues of data protection and cyber security also seemed to be uppermost in the Committee’s minds, with a conclusion focused on requiring organisations to demonstrate not just quantity of spend on security, but effective outcomes with annual reporting requirements. Perhaps the sharpest focus was drawn on clarifying a business’ attitude to cyber risks by using a privacy seal scheme under which compliance would be verified using a traffic light scheme. There have, of course, been calls for similar schemes in the past to give consumers a clear understanding of whether the business with which they are dealing has data compliance covered or not, but certainly the suggestion of getting a red marker as a company yet to take the matter seriously sounds like a more serious threat than in the past. Not least, as consumers’ own awareness of the repercussions of cyber breaches increases.

If you’d like some assistance in considering the steps your business should be taking to protect against cyber security risks and to comply with data protection laws, please contact Emma Roe, a partner in our commercial team, on eroe@shulmans.co.uk or 0113 288 2817.