Having followed the recent TalkTalk cyber-attack, I can only sympathise with Dido Harding and the near-impossible position she has been put in. I cannot comment on Dido's knowledge of cyber defence, but I imagine it is rudimentary compared with that of TalkTalk's attackers. Large businesses employ specialists, both internal and external, to advise on appropriate threat protection, yet a single mistake can mean the demise of a successful and profitable business. The number of commentators pointing out TalkTalk's multiple failures is no surprise, and the victims of the attack deserve a full review of the incident, but what do we really stand to gain from this? Paul Moore, a security consultant with the company Urity, has been cited in the press because he notified TalkTalk of significant failings in its cyber defences over a year ago. Mr Moore was allegedly rebuffed with an "aggressive, defensive and dismissive" response. TalkTalk gives a different account of events, and either version is believable. However, would plugging the gaps Paul identified have categorically stopped this or any other attack? Many attacks of this nature also rely on employees or customers, willingly or unwillingly, playing a part in the attack, which makes them all the more troublesome to defend against.
As someone standing on the sidelines, I am starting to feel that companies are defending the indefensible. Are hacks going to happen regardless of how much effort is put into cyber defence? If so, do we need to accept that a certain level of data leakage will take place? Should the focus switch to how a company responds when a hack takes place, rather than lambasting it for being hacked in the first place?
I agree wholly with Dido when she describes hacking as 'the crime of our generation'. No other corporate torpedo can decimate a business with such ease, and there are no simple answers. Ironically, TalkTalk may well be a well-protected telecoms company. The sad truth of cyber-attacks is that defences need only fail once to create total chaos, whereas attackers have unlimited opportunities to fail before they find a weakness (assuming they aren't arrested in the process). Dido could have insisted that many more millions be spent on defence, but should a CEO really be the person deciding on the 'appropriate' risk profile? The guidelines for areas like health and safety and financial reporting are clear and auditable, so CEOs can rightly be held responsible for them. The same cannot be said for the constant cat-and-mouse of the cyber security world.
I would be very interested to hear people's thoughts on this topic: is attempting to build the defences higher and higher really the answer, or do we need a more holistic view?
Callum Wallace is a Consultant in the Technology Practice at Berwick Partners (an Odgers Berndtson company) working on commercial and technical leadership assignments.