Friday 23 October 2015

Look Who's (Talk) Talking?

Guest Blogger: Nick Prescot 
Senior Information Security Manager
There's no doubt that this is the story of the day, and since late last night people have been asking me, 'What's happened, when did it happen, who's to blame, what do I do?' It's nice to be thought of in this instance, but I'm not in any way involved with the investigation, nor do I have the inside track at the moment...however, this might change!

But what does strike me is that this is a company that processes the personal data and payment data of 4 million customers and has been breached 3 times this year! You would have thought that once is bad enough and twice is rubbing salt into the wounds, but 3 times...golly, we must be wondering what on earth was going on.

I hope that the CEO has full confidence in and gives full support to the CISO of the business, or do they even have a CISO within TalkTalk? This morning, I had a quick look through my LinkedIn contacts and I didn't see any sign of a definite CISO. What is also telling is that not only has the reputation of TalkTalk suffered another hit (I don't think that anyone can vouch that TalkTalk is famous for its customer service), but its share price has dropped 10%. On top of this, the ICO and the Met Police are now involved in the investigation. And remember that the ICO can fine up to £500k, and that's nothing in comparison with the new EU GDPR, which might be able to fine up to 2-5% of global turnover.

So, if there is anyone in TalkTalk management reading this, I would ask the following questions:

1) Have all staff had information security awareness training?
2) Is there an incident response plan that has been tried and tested?
3) Do you have a security operations function that can detect and react to untoward events within your network?
4) Do you have a crisis communications plan to deal with cyber security incidents?
5) OK, you might not be able to encrypt all your data, but was there a data classification exercise to identify all personal and payment data?
6) Finally, the non-PCI-DSS question: do you have a business continuity plan that deals with service continuity planning?

If most of these answers are no, then I can understand why there has been a number of breaches at TalkTalk, but to have three breaches and not to learn from them shows that there is a culture of not taking information security as seriously as their customers might expect.

As Oscar Wilde once commented, 'experience is simply the name that we give to mistakes.' Whatever experience has been had, there is little doubt that TalkTalk is the talk of the town, and I hope the outcome of this latest breach is that other companies out there realise that they need to ensure that their data is safe, secure and robustly managed!

More about me

'Nick Prescot is currently a Senior Information Security Manager at ZeroDayLab Ltd. and is responsible for Governance, Risk and Compliance (GRC) and Incident Response (IR) consultancy and advisory services at ZeroDayLab. Nick aims to assist companies who are looking to improve their cyber resilience and posture in the ongoing battle against emerging and continuing cyber threats. By taking a detailed and holistic view of clients' policy and governance infrastructure, combined with incorporating information assets within corporate risk registers, Nick is able to provide clients with a clear strategy so that their infosec operations and processes are aligned with industry practice.
Nick is also a seasoned incident response manager, and when there is a security and/or availability incident, Nick is able to ensure that the incident is remediated as soon as possible and deploys the specialist response assets that can remediate it. Nick also assists with the crisis management and media elements so that all parties are correctly informed as part of the resolution efforts.'

