A Stark Reminder for CEOs

This week's cyber attack on TalkTalk serves as a stark reminder to CEOs of their ultimate accountability for the protection of customer data, not to mention the damage to brand reputation should they be found wanting in their security posture. Sure, CIOs and CISOs have strategic input and teams delivering security internally, but you won't find them on the morning news should a breach occur. That responsibility falls firmly at the feet of the CEO.

As the news feeds trickle with details of the breach, what is clear is that TalkTalk's customer data, personally identifiable information (PII) and financial data were not adequately safeguarded against this type of attack, which now seems to be an almost daily occurrence.

I struggle to understand, as a consumer and as someone working in the cyber security market, why so many companies find themselves in this situation when a myriad of technology solutions exist to anonymise sensitive data and render it worthless to an attacker. Breaches are becoming more sophisticated and more financially damaging to businesses and their customers.

The cost of this breach is currently unknown, but consider the cost of running targeted campaigns to inform the 4M customers of the breach, the cost to customer service of supporting a disgruntled customer base, the credit fraud monitoring service for all customers that will run for 12 months, and the value of business lost to mistrust: it will surely outweigh any initial cost of providing adequate protection of the data in the first instance.

CEOs may well be asking themselves this morning, "are we doing enough to protect our customers' data?" Technologies that protect sensitive data are increasingly becoming the enterprise's insurance policy against this very real threat. The CEOs of the uninsured businesses will ultimately pay the price should they be subjected to an attack. The bottom line is, if security isn't elevated in the boardroom and adequately funded, each and every one runs the risk of being the next awkward interview on the morning news.

The latest BBC reporter seemed to imply that TalkTalk had misinterpreted PCI DSS compliance. If this is indeed the case, a policy was in place, albeit poorly executed. Ignorance or ineptitude really doesn't cut the mustard; this is a very simple security standard to adhere to and one countless other organisations seem to achieve. My real concern is how systemic a problem this is. Ask me a month ago and I would have assumed TT to have this in hand, especially in light of the targeted DDoS attacks previously, but given their failing, how many other companies are operating ignorantly of basic security principles?


Good article. I saw the interview with the CEO on the BBC website. It was not clear if there was even a policy to encrypt sensitive data. 2 questions:

* What was the data security policy?
* Was the breach down to i) having no policy, ii) poor implementation of the policy, or iii) simply being outfoxed by the hackers?


Absolutely agree with you here.


Could not agree more with this post.

More articles by Dean Eggleton