The cyber-buck stops in the boardroom…

• by Ellie Hurst
• Advent IM Blog

Advent IM Security Consultant, Del Brazil gives us his view of some of the comments and take-outs that ALL boards need to be aware of, following Dido Harding’s appearance before a parliamentary committee on the TalkTalk Breach.

The TalkTalk security breach continues to roll on with the TalkTalk CEO Dido Harding telling a parliamentary committee on 23.12.15 that she was responsible for security when the telecoms firm was hacked in October. Although there was indeed a dedicated security team in place within TalkTalk it is unrealistic to place the blame solely at the feet of the security team as security is a responsibility of the whole organisation.  It is fair to assume that in the event of an security related issue, as in this case, one person must take overall responsibility and be held to account for the potential lack of technical, procedural measure that may have prevented the breach occurring.

It is a fair assumption to make that in the event that the security breach can be attributed to a single individual then that is an internal disciplinary matter for TalkTalk to resolve unless there is a clear criminal intent associated with the individual concerned.

It is worth noting that although every effort maybe taken to implement the latest security techniques or measures that there is always the possibility that a hacker, like minded criminal organisation or even a disgruntled member of staff may find a way through or around them.

As long as an organisation can demonstrate that they have taken a positive approach to security and considered a number of possible attacks and taken steps to mitigate any potential attack, this may satisfy the ICO that the one of the key principles of the DPA has been considered.

Organisations should always consider reviewing their security measures and practices on a regular basis to ensure that they are best suited to the ever changing threat.  It is appreciated that no one organisation will ever be safe or un-hackable but as long as they conduct annual threat assessments and consider these threats in a clear documented risk assessment they can sleep at night knowing that they have taken all necessary steps to defeat, deter and/or detect any potential attack.

The TalkTalk security breach has highlighted a number of failings, in the opinion of the author and although they are deemed to be of a serious nature praise should go to the TalkTalk team for being open, honest and up front from the onset.  This has resulted in quite a lot of bad press from which TalkTalk are still feeling the effects from; although some people say that ‘all publicity is good publicity.’  It is clear that TalkTalk are taking the security breach very seriously and are fully engaged with the relevant investigation bodies whilst making every effort to bolster their current security posture.

It is very easy for board members to assume to the role of Director of Security without fully understanding the role or having any degree of training or background knowledge.  Any organisation should ensure that it employs or appoints staff with the correct level of knowledge and experience to specific posts thus facilitating the ‘best person for the best role’ approach.  Currently security, but more specifically IT Security, is seen as a secondary role that can be managed by a senior person from any area within an organisation; however it is finally becoming more apparent to organisations that the IT Security role warrants its own position within the organisational structure of the organisation. Pin Image courtesy of Master isolated images at FreeDigitalPhotos.net

In the author’s opinion it is the organisations that have yet to report security breaches that are more of a concern as no one knows what level of security is in place within these organisations.  It’s not that the author is skeptical that there is an insufficient amount of security in place within these organisations but the fact that they do not report or publicise any cyber security related incidents that is of concern.  No one organisation is that secure that a breach of cyber security or at least a cyber related security incident doesn’t occur.  It’s far better for organisations to highlight or publish any attempted or successful attacks to not only assist other organisations in defeating or detecting attacks but it also shows a degree of transparency to their customers.