lolloj - Fotolia

Business not taking cyber security seriously enough, says Dido Harding

Most businesses are still not taking cyber security seriously enough, according to the former CEO of TalkTalk, which suffered a major data breach in 2015

Recounting the cyber attack on TalkTalk on 22 October 2015, former CEO Dido Harding said it was around lunchtime that she received the email that every CEO dreads.

“It was an anonymous email addressed to me purporting to be from the hacker with a link to data, and it was very clear, very quickly that that was credible,” she told the Security Innovation Network (Sinet) Global Cybersecurity Innovation Summit in London.

The reason TalkTalk is still thriving, she said, is that in the following 24 hours the business chose to be completely open about what was happening, which is something few companies do.  

TalkTalk knew it had been attacked and that the attackers had accessed customer data, potentially including bank account details and credit card details of possibly all of its customers.

“We also knew it was going to take us a while to work out exactly whose data had been stolen, and our judgement was that our responsibility was to look after our customers as best that we could,” said Harding.

“Our judgement was that the best way to protect our customers was to tell them that their data had been stolen,” she said. “The biggest risk, we concluded, that our customers faced was that they would be scammed. We argued that we could protect our customers if we warned them.”

Unlike just about every other company in the UK, Harding said TalkTalk chose to be completely open and honest that it had been attacked and to use the media to warn customers that their bank account details may have been stolen.

“With that came hysteria and panic, which we all learned was not a good idea, but what also came out of it was that our customers thought that we had done the right thing. Our customers thought we had done good. In a time of really difficult trouble, we tried to look after them when other businesses historically haven’t,” she said.

As a result, Harding said TalkTalk’s brand reputation 18 months later is stronger than it was before the attack, fewer customers leave TalkTalk, and the business is in many ways much better than it was before because of what it learned.

“As it happened, we didn’t have as much data stolen as we thought. In the end, 157,000 customers’ bank account details were stolen although we warned 4 million. But in doing so, all of our customers thought we had done the right thing in protecting them.”

We weren’t taking security seriously enough, says Harding

The biggest lesson learned, said Harding, was that TalkTalk and everyone else is not taking cyber security seriously enough, even though she had personally worked with GCHQ and reviewed the company’s cyber defence plan because, as a telco, TalkTalk is part of national infrastructure.

“We thought we were taking it seriously, but of course we weren’t taking it seriously enough, and no one is. A lot of business leaders are afraid of it, and want to delegate it down,” she said.

“Most CEOs and most boards tend to ask, ‘Are we safe?’. That is the wrong question, but the most regularly asked question by boards and CEOs of their CTOs or CISOs.

“It is a really easy question to answer. No. Whoever you are, you are not safe. Unless you are choosing not to operate in the digital world at all, you are taking risk,” she said.

Business leaders want to abdicate responsibility for cyber security, but they can’t, and I learned that in the heat of battle
Dido Harding

When someone on the TalkTalk board asked that question four months after the breach, Harding said the CTO replied that the company never would be completely safe.

“He said, ‘What I will tell you is the risks we are taking, what we are doing to mitigate them and what risks we are willing to accept to keep trading’.

“Business leaders want to abdicate responsibility for cyber security, but they can’t, and I learned that in the heat of battle,” she said.

Harding said she also learned that non-techies can understand “this stuff” and that engineers can speak English. “Sometimes you need to push them quite hard, but they can. The most important thing that we have to change culturally in business and government is encouraging both tribes to have a conversation with each other.”

CEOs must understand ‘tipping point’

The hardest decision she had to make as CEO, said Harding, was deciding when it was safe enough to bring TalkTalk’s systems back up again and allow customers to use its online systems.

“As it turned out, we were the victims of a blackmail attack from some teenagers, but we didn’t know that at the time. Once we had all the publicity, we were the perfect attack target for the really bad guys, so deciding when to bring our systems back up was the most difficult decision,” she said.

It is important for the CEO to understand the risk, said Harding, because there is a tipping point at which the cyber risk is smaller than the risk of not turning the systems back on again, which is a business decision.

“I needed my technical teams to explain to me in English what the risks were so I could decide how much business risk I was willing to take before we brought the systems back up again. For TalkTalk, that has transformed the quality of our technology conversation as a company,” she said.

The cyber attack, said Harding, has changed the way TalkTalk develops its products and “massively improved” the integration between the technical experts and the customer-facing teams because they understand how to talk to each other in a way that they did not before.

Focus on the basics

The other big learning, said Harding, is that getting the basics right is really difficult. “I don’t like the term cyber hygiene because it implies that those who haven’t got their hygiene right are stupid, but it is just darned hard to do,” she said.

However, Harding said just by focusing on those basics, many companies, including TalkTalk, could have prevented a cyber attack.

“We were guilty of not knowing our total network footprint. We were attacked on a website that was no longer being used, hadn’t being used by a company we had bought 10 years ago, and hadn’t been picked up by any of the due diligence done.

“Now you can argue that we should have found it, but we hadn’t. On that website, which was developed more than 10 years ago, there was a SQL injection vulnerability, which was obvious if you knew it existed – but we didn’t,” she said.

It is very important for organisations to know their networks, said Harding, adding that the larger the organisations is, the older the systems are, and the more acquisitions that have been done, the harder this is to do.

Since the breach, Harding said TalkTalk’s risk profile has changed dramatically. “TalkTalk can’t afford to have another cyber attack, so the company has done huge amounts of training, education, testing and fake phishing scams.”

Security professionals must “demystify” digital and cyber

Harding, who left the company during the second week of May 2017, said she is now “quite passionate” about encouraging board members to ask the right questions about the risks.

“One of the most important questions to ask is where your people are most vulnerable. Mostly, this is now where business leaders expect,” she said.

“The personal assistants of executives, are in fact, one of the most vulnerable access points, and yet few organisations recognise them as a security risk. In a telecoms network, it is not the CTO, but the network engineers who happily post on LinkedIn what they do,” she said.

Harding said while there is some “amazing technology” that can make the job of business leaders’ easier to make their businesses safer, but there is a “hugely important” education role for information security professionals to demystify “digital” and “cyber”.

If you do what is right for your customers, it will work out OK
Dido Harding

“The danger is that leaders in business abdicate responsibility and resort to tick-box audit checking, and fail to realise that [cyber security] is one of the single most important things every organisation has to do more of than they have done before,” she said.

Harding said it was “empowering” to know that the company was doing the right thing by deciding to be open and honest.

“We endured a month when we couldn’t service customers online and we lost a lot of customers and it cost us a lot of money – around £80m in total – but it didn’t bankrupt the company and it taught everyone in the company that, if you do what is right for your customers, it will work out OK. That has been a life-affirming experience for all of us,” she said.

Read more about TalkTalk

  • TalkTalk has overhauled security since its controversial data breach in 2015, according to CTO Gary Steen, and is investing in technology to beat its rivals on customer service.
  • The Information Commissioner’s Office issues its largest ever data protection fine after more than 150,000 customers had their data exposed by TalkTalk breach.
  • Internet service provider TalkTalk throws down the gauntlet to its rivals by making a number of changes to its packages that it claims will put customers’ interests first.

Read more on Data breach incident management and recovery