When a cyber-attack hits a major national company, the effect it has is obviously widespread. TalkTalk are one of the more recent cases where a data leak has created scandal in the media and, more importantly, severely impacted people’s lives. The attack is likely to cost the company up to £35million, with 157,000 customers having suffered from their personal details being leaked, from addresses and phone numbers to bank account numbers and sort codes.
Individuals are obviously affected by the outcome, but the company may struggle to recover as well, not just from what happened but from the way they handled it. Although there has been a certain amount of fluctuation, shares in the company are still down by more than 20% compared to their pre-hack value, showing just how delicate the balance can be when trust is involved.
The £35million estimate combines the cost of the company’s response to the incident, the calls to its call centres, all IT costs (shutting the door after the horse has bolted, in some respects) and lost revenue, with fewer people willing to risk their personal data with the company by buying online. Upgrades have been offered as a form of compensation to existing customers, and early terminations to those who have been financially affected by the hack.
Perhaps the most telling factor in this debacle is TalkTalk’s reaction to the leak. Their PR strategy was almost non-existent, to the point where there was no obvious incident response in place. Not only were they criticised for the hack, but they were made a laughing stock when pictures of Dido Harding sitting at a desk with a VCR behind her were aired and their lack of technological knowledge was comically displayed online. It showed a complete lack of understanding and appreciation of the risks, and has further painted them as inept.
Companies across the business world need to think about how they will react when a hack is discovered. The landscape is so toxic now that it is less a case of if you are going to get hacked and more a case of when. Once you have been hacked you need a plan for how you are going to resolve it, and a strategy for detecting the next one earlier.
Logging and alerting are key here. Making sure that logs exist and are being fed into a Security Information and Event Management (SIEM) product ensures someone is paying attention and responding to the alerts. Statistically it takes minutes to hack a system but months to detect the intrusion. The average time to detection is around nine months, giving the hacker plenty of time to make themselves comfortable.
The interesting thing about prevention in TalkTalk’s case is that we don’t know whether the breach was detected but not acted upon. If senior management refused to spend their budget on new systems, for example, then there is obvious fault there. We believe that details like this must be shared and that information about how the hack came about should become common knowledge. It is the only way to help others prevent the same attack from happening to them, although the likelihood of such disclosure is minimal.
Data protection laws and legislation need the same force as health and safety regulation to stop this consequence from continuing to happen. Forcing companies to address their data security is the only way to help protect their clients. TalkTalk are just one of many companies who have leaked valuable information through a hack, and there are likely to be thousands more at risk through outdated systems and poor data strategy. Until something is done to address this, TalkTalk will not be the only company seeing share prices fall and million-pound costs in future.