Most of us accept that a part of being successful in business is about delivering products and services in which customers can place their trust. That trust should ideally extend from the product itself through the people who make it, to the Board that runs the company. Apple is a good example of this working in practice.
I recently sat through a panel session during which very senior representatives from global technology companies, addressing an audience full of wealthy investors, were banging on about the wonders that new tech innovation delivers to the masses. You know the sort of thing – wearable tech, driverless cars, personal head-up displays, big data and so on.
During the 45 minutes of panel talk about the perceived huge benefits that new technology brings to billions of people around the world, none of the speakers addressed issues of trust, integrity, confidence, security or safety! When I took the opportunity to point this out, silence was their immediate response. This was followed by the usual bland statements about how important these issues are to every company that wants to do well. Really?
Almost every week the media landscape is littered with news about companies that should know better: companies that have permitted cyber breaches to occur and that have, as a result, failed their customers. I use my words carefully here. It’s simply not good enough for companies to complain about being attacked by cyber criminals as if that can be an excuse for failing to deploy adequate protective measures. Did I hear the TalkTalk CEO trying to deflect responsibility by suggesting that this is the sort of event that is happening to all businesses? In other words, we’re no better than all the others that have been hacked, so don’t hold us responsible.
Well, of course, if law enforcement agencies ever catch up with the perpetrators and manage to bring them to justice – a highly remote possibility – then maybe justice can be seen to be done. But don’t hold your breath!
If you’re in the business of running a large company that stores millions of citizens’ personal and financial data (which customers are required to provide in order to pay for a product or service), it is unacceptable to attempt to off-load responsibility for securing that data by citing others that have failed. Every CEO and every Board in every company in the world must know that their systems will be attacked in this way. If they hold information of use, they will be targeted, and if they have not been breached yet, then the chances are they will be – unless they take appropriate measures to protect their systems.
There are no excuses left to companies or governments that fail their customers or citizens in this way. As a Board of Directors, if you fail to protect information against unauthorised compromise, you are either negligent in your duties or you are incompetent. Either way, if this occurs, you don’t deserve to be the custodians of our information nor do you deserve to have our trust or our patronage.
The recent TalkTalk breach of customers’ personal and financial information (and here I must make it clear that I am one of them) is lamentable for many reasons. Not only was this the third breach in very recent times, but from what we understand, the cause of the intrusion was a fundamental flaw (“SQL injection”) in their systems that should have been fixed before their servers were ever put into operational use. To add insult to injury, the company apparently failed to encrypt customer data.
For a technology company the size of TalkTalk, with over 4 million customer records to protect, this inability to implement a very basic information security risk management strategy effectively should, once again, sound alarm bells in all companies regardless of their line of business.
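The post names SQL injection as the flaw behind the breach. As an added illustration that is not part of the original article, and that works on a constructed in-memory SQLite table rather than anything to do with TalkTalk’s actual systems, here is the defect class beside its fix: a customer lookup that pastes user input into the SQL text, and the same lookup with a bound parameter. The `PROBE` string is a constructed input of the kind a code reviewer or tester would use to confirm the defect is present: against the vulnerable lookup it returns every row in the table, against the parameterised lookup it returns none.

```python
import sqlite3

# Constructed sample data for the demonstration (not real customer data).
SAMPLE_CUSTOMERS = [
    ("alice@example.com", "ACC-0001"),
    ("bob@example.com", "ACC-0002"),
    ("carol@example.com", "ACC-0003"),
]


def build_db():
    """Create an in-memory database holding the constructed customer table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (email TEXT, account_ref TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?)", SAMPLE_CUSTOMERS)
    conn.commit()
    return conn


def lookup_vulnerable(conn, email):
    """The defect class the post describes: user input concatenated into the
    SQL text, so whatever the caller supplies becomes part of the query grammar."""
    sql = "SELECT email, account_ref FROM customers WHERE email = '" + email + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterised(conn, email):
    """The fix: the query text is fixed and the value travels separately as a
    bound parameter, so the database engine never interprets it as SQL."""
    sql = "SELECT email, account_ref FROM customers WHERE email = ?"
    return conn.execute(sql, (email,)).fetchall()


# Constructed test input: closes the quoted literal and appends an always-true
# condition. Used here only to verify which lookup is defective.
PROBE = "x' OR '1'='1"


def demonstrate():
    """Run both lookups with a legitimate email and with the probe; return the
    row counts so the difference between the two implementations is explicit."""
    conn = build_db()
    legit = "alice@example.com"
    result = {
        "vulnerable_legit": len(lookup_vulnerable(conn, legit)),
        "vulnerable_probe": len(lookup_vulnerable(conn, PROBE)),
        "parameterised_legit": len(lookup_parameterised(conn, legit)),
        "parameterised_probe": len(lookup_parameterised(conn, PROBE)),
    }
    conn.close()
    return result


if __name__ == "__main__":
    for name, count in demonstrate().items():
        print(f"{name}: {count} row(s)")
```

The point for a Board reading this: the fix is a one-line change that every mainstream database driver has supported for well over a decade, and a test as simple as `demonstrate()` is enough to catch the defective pattern before a server goes live.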
Our dependence on technology is a fundamental part of almost any business infrastructure and, therefore, our absolute requirement to secure it must be a top priority for all business leaders. This doesn’t apply only to large national or multi-national enterprises – although they ought to set an example. It applies to companies of any size in any sector that use technology to drive business growth and to support the company’s operation.
So what should a company do right now, if it doesn’t want to be the next victim of a cyber attack?
First, companies of all sizes should start by implementing the UK Government’s Cyber Essentials Scheme. If you are one of the few that have ISO 27000-series accreditation then you’re probably well placed to defend against attack, but you cannot afford to be complacent.
The Cyber Essentials Scheme has been put together by industry and government experts to help companies implement a straightforward range of measures and controls that, if carried out correctly, will help mitigate 80% of the cyber threats that exist today.
Education, awareness and training of staff are also a fundamentally important aspect of cyber protection which many companies ignore at their peril. Many technical exploits by cyber criminals today are accompanied by a combination of email and telephone social engineering techniques. It is imperative that staff be made aware of what these attempts will look like and how attempts to gain information can be identified.
There are no silver bullets that will protect companies and citizens from cyber attack. But there is sufficient expertise out there and some great solutions that companies can use, if only they are willing to make the investment in their own cyber protection. By employing the best people in their technology and security departments; by giving a Board position to someone who understands the issues and what to do about them; and by implementing the Cyber Essentials Scheme, companies of all shapes and sizes will earn the trust of their customers and the respect of their industry peers.