[BreachExchange] Business not taking cyber security seriously enough, says Dido Harding

Audrey McNeil audrey at riskbasedsecurity.com
Fri May 19 15:06:07 EDT 2017


Most businesses are still not taking cyber security seriously enough,
according to the former CEO of TalkTalk, which suffered a major data breach
in 2015

Recounting the cyber attack on TalkTalk on 22 October 2015, former CEO Dido
Harding said it was around lunchtime that she received the email that every
CEO dreads.

“It was an anonymous email addressed to me purporting to be from the hacker
with a link to data, and it was very clear, very quickly that that was
credible,” she told the Security Innovation Network (Sinet) Global
Cybersecurity Innovation Summit in London.

The reason TalkTalk is still thriving, she said, is that in the following
24 hours the business chose to be completely open about what was happening,
which is something few companies do.

TalkTalk knew it had been attacked and that the attackers had accessed
customer data, potentially including bank account details and credit card
details of possibly all of its customers.

“We also knew it was going to take us a while to work out exactly whose
data had been stolen, and our judgement was that our responsibility was to
look after our customers as best that we could,” said Harding.

“Our judgement was that the best way to protect our customers was to tell
them that their data had been stolen,” she said. “The biggest risk, we
concluded, that our customers faced was that they would be scammed. We
argued that we could protect our customers if we warned them.”

Unlike just about every other company in the UK, Harding said TalkTalk
chose to be completely open and honest that it had been attacked and to use
the media to warn customers that their bank account details may have been

“With that came hysteria and panic, which we all learned was not a good
idea, but what also came out of it was that our customers thought that we
had done the right thing. Our customers thought we had done good. In a time
of really difficult trouble, we tried to look after them when other
businesses historically haven’t,” she said.

As a result, Harding said TalkTalk’s brand reputation 18 months later is
stronger than it was before the attack, fewer customers leave TalkTalk, and
the business is in many ways much better than it was before because of what
it learned.

“As it happened, we didn’t have as much data stolen as we thought. In the
end, 157,000 customers’ bank account details were stolen although we warned
4 million. But in doing so, all of our customers thought we had done the
right thing in protecting them.”

We weren’t taking security seriously enough, says Harding

The biggest lesson learned, said Harding, was that TalkTalk and everyone
else is not taking cyber security seriously enough, even though she had
personally worked with GCHQ and reviewed the company’s cyber defence plan
because, as a telco, TalkTalk is part of national infrastructure.

“We thought we were taking it seriously, but of course we weren’t taking it
seriously enough, and no one is. A lot of business leaders are afraid of
it, and want to delegate it down,” she said.

“Most CEOs and most boards tend to ask, ‘Are we safe?’. That is the wrong
question, but the most regularly asked question by boards and CEOs of their
CTOs or CISOs.

“It is a really easy question to answer. No. Whoever you are, you are not
safe. Unless you are choosing not to operate in the digital world at all,
you are taking risk,” she said.

When someone on the TalkTalk board asked that question four months after
the breach, Harding said the CTO replied that the company never would be
completely safe.

“He said, ‘What I will tell you is the risks we are taking, what we are
doing to mitigate them and what risks we are willing to accept to keep

“Business leaders want to abdicate responsibility for cyber security, but
they can’t, and I learned that in the heat of battle,” she said.

Harding said she also learned that non-techies can understand “this stuff”
and that engineers can speak English. “Sometimes you need to push them
quite hard, but they can. The most important thing that we have to change
culturally in business and government is encouraging both tribes to have a
conversation with each other.”

CEOs must understand ‘tipping point’

The hardest decision she had to make as CEO, said Harding, was deciding
when it was safe enough to bring TalkTalk’s systems back up again and allow
customers to use its online systems.

“As it turned out, we were the victims of a blackmail attack from some
teenagers, but we didn’t know that at the time. Once we had all the
publicity, we were the perfect attack target for the really bad guys, so
deciding when to bring our systems back up was the most difficult
decision,” she said.

It is important for the CEO to understand the risk, said Harding, because
there is a tipping point at which the cyber risk is smaller than the risk
of not turning the systems back on again, which is a business decision.

“I needed my technical teams to explain to me in English what the risks
were so I could decide how much business risk I was willing to take before
we brought the systems back up again. For TalkTalk, that has transformed
the quality of our technology conversation as a company,” she said.

The cyber attack, said Harding, has changed the way TalkTalk develops its
products and “massively improved” the integration between the technical
experts and the customer-facing teams because they understand how to talk
to each other in a way that they did not before.

Focus on the basics

The other big learning, said Harding, is that getting the basics right is
really difficult. “I don’t like the term cyber hygiene because it implies
that those who haven’t got their hygiene right are stupid, but it is just
darned hard to do,” she said.

However, Harding said just by focusing on those basics, many companies,
including TalkTalk, could have prevented a cyber attack.

“We were guilty of not knowing our total network footprint. We were
attacked on a website that was no longer being used, hadn’t being used by a
company we had bought 10 years ago, and hadn’t been picked up by any of the
due diligence done.

“Now you can argue that we should have found it, but we hadn’t. On that
website, which was developed more than 10 years ago, there was a SQL
injection vulnerability, which was obvious if you knew it existed – but we
didn’t,” she said.

It is very important for organisations to know their networks, said
Harding, adding that the larger the organisations is, the older the systems
are, and the more acquisitions that have been done, the harder this is to

Since the breach, Harding said TalkTalk’s risk profile has changed
dramatically. “TalkTalk can’t afford to have another cyber attack, so the
company has done huge amounts of training, education, testing and fake
phishing scams.”

Security professionals must “demystify” digital and cyber

Harding, who left the company during the second week of May 2017, said she
is now “quite passionate” about encouraging board members to ask the right
questions about the risks.

“One of the most important questions to ask is where your people are most
vulnerable. Mostly, this is now where business leaders expect,” she said.

“The personal assistants of executives, are in fact, one of the most
vulnerable access points, and yet few organisations recognise them as a
security risk. In a telecoms network, it is not the CTO, but the network
engineers who happily post on LinkedIn what they do,” she said.

Harding said while there is some “amazing technology” that can make the job
of business leaders’ easier to make their businesses safer, but there is a
“hugely important” education role for information security professionals to
demystify “digital” and “cyber”.

“The danger is that leaders in business abdicate responsibility and resort
to tick-box audit checking, and fail to realise that [cyber security] is
one of the single most important things every organisation has to do more
of than they have done before,” she said.

Harding said it was “empowering” to know that the company was doing the
right thing by deciding to be open and honest.

“We endured a month when we couldn’t service customers online and we lost a
lot of customers and it cost us a lot of money – around £80m in total – but
it didn’t bankrupt the company and it taught everyone in the company that,
if you do what is right for your customers, it will work out OK. That has
been a life-affirming experience for all of us,” she said.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20170519/3e6fc29f/attachment.html>

More information about the BreachExchange mailing list