TalkTalk talk of recovery – hopefully no joke for their customers


TalkTalk have announced that their profits halved following the cyber attack on the company in October 2015. Profits fell to £14m, down from £32m the year before. The fall is attributed in part to the costs of the cyber attack, carried out by a number of hacktivists in the UK (six arrests have been made; all of those arrested are under 21).

TalkTalk lost 101,000 subscribers in the quarter immediately following the attack, in which the personal data of around 160,000 customers was compromised. This included names, email addresses and phone numbers, plus 21,000 unique bank account numbers and sort codes.

TalkTalk’s immediate response was to play hardball with any customer trying to leave, quoting contract terms and the penalty fees payable should they go. Nowhere in that response was any acknowledgement of the company’s own responsibility for safeguarding customer data; instead the onus fell on the customer to prove that any subsequent financial loss was solely due to the hack. So, for example, a customer who was spear-phished using the compromised personal data would be treated as having been at fault themselves.

If an Incident Response Plan existed (the company had suffered earlier breaches in the preceding year), there is little to date to show that any lessons were learned from it.

Despite this, TalkTalk CEO Dido Harding maintains today that the company has recovered and that the customer churn experienced in the first quarter after the attack has since been stemmed, which in her eyes indicates customer satisfaction.

Total revenues are reported to have grown 2.4% to £1.83 billion in the 12 months to 31st March 2016. However, no matter how upbeat the CEO’s talk of the positives in May 2016, the company’s PR mishandling, lack of probity and lack of knowledge indicate a disrespect for the customer, who (along with their data) should be, and should feel, cared for at all times.

So we will need to wait and see what the figures and customer base numbers reveal over the next 12 months. One thing is certain, however: the company’s failure to manage and protect its customers’ data with due diligence and probity has led to a very public sullying of the brand and ridicule in some boardroom circles.

The TalkTalk debacle should enter the lexicon for all future Board directors as a lesson in how not to handle a disaster. On any Board today, at least one member must understand and be accountable for cyber security, so that the appropriate reviews, decisions, IT investments and staff education are undertaken. This means:

1. Understanding cyber risk and identifying what your data crown jewels are
2. Ensuring your company has up-to-date security policies and practised procedures, aligned with ISO 27001
3. Having your company’s infrastructure tested regularly for vulnerabilities and plugging any gaps found
4. Working with data security specialists to monitor every device, every piece of infrastructure and every location where your business or staff operate, so that endpoint security is maintained at all times.

Amicus ITS has a Security as a Service offering, called Foxcatcher. If you wish to speak to one of our team about your organisation’s security, call us on 02380 429429.


Does your company include “cyber” on the Board agenda every month?

Amicus ITS has long been an exponent of the merit of having an IT expert on a company Board.  Indeed ‘cyber’ has been on Amicus ITS’ own Board’s monthly agenda for the past 18 months.

As we continue to convey this good practice recommendation to our customers, the same message is now being endorsed by the chairman of Parliament’s Treasury Committee in a direct appeal to the major UK banks.

As reported in The Sunday Times (24 January 2016), Andrew Tyrie, Treasury Committee chairman and Tory MP for Chichester, wrote to the major financial institutions over the weekend demanding that they take urgent steps to thwart hacking and data theft. “Bank IT systems don’t appear to be up to the job”, he said. “Every few months we have yet another IT failure at a major bank. These IT weaknesses are exposing millions of people to uncertainty, disruption and sometimes distress. Businesses suffer too. We can’t carry on like this”.

The remedy is no magic potion. The committee chairman is advocating hard investment in computer systems, and that banks answer to a new group within the financial regulator, the Prudential Regulation Authority.

No bank is immune. Barclays, HSBC, Lloyds and the taxpayer-owned Royal Bank of Scotland (RBS) have all suffered outages. Most recently, HSBC suffered a two-day failure of its online banking services in January 2016. This follows last August’s dropout, when a glitch prevented salaries being paid ahead of the August Bank Holiday. Other banking failures have affected mortgage and pension payments. RBS, which has experienced many problems, was fined £56 million in November 2014 for the 2012 IT failure that left millions of customers unable to access their accounts.

Andrew Bailey, Deputy Governor of the Bank of England, is expected to head a new specialist IT unit within the Bank of England’s Prudential Regulation Authority to ‘ensure lenders are investing enough in their systems’. We wait to see whether this specialist regulatory post has the teeth and influence to create the necessary change and improvements, and soon. If our banking blog of 31st January 2014 is anything to go by, it could be a very long wait. Could this MP’s plea be one of hope more than expectation?

Irrespective of business sector, this is a timely reminder for companies not to put off updating infrastructure or reinforcing vital firewalls while holding on to unspent profits shored up after the recession. In a technically challenging world, businesses cannot afford NOT to maintain and future-proof their IT systems, let alone ignore recommendations to invest in protection against the increasingly sophisticated and cynical cyber threats facing every organisation.

• 80% of cyber attacks in 2014 were preventable (source: Ponemon Institute)
• Only 21% of companies say their Board gets comprehensive information about cyber threats*.
• Only 17% of Board members believe they have a full understanding of the risks*.

Action: do a cyber health check review of your company, starting today:

• Re-evaluate the crown jewels of YOUR organisation (its key information and data assets).
• Review the risk from third-party suppliers (get into active compliance).
• Be proactive and transparent about risk; your customers will thank you.
• Arrange a cyber threat ‘pen test’ and get in shape for 2016.

In the constantly evolving world of cyber security, the wise understand that there is no panacea against cyber attack: it is a matter of when, not if. Those best armed against the enemy will be the ones best prepared to detect, understand and respond promptly to an attack.