TalkTalk counts true cost of cyber insecurity


Following the TalkTalk breach profits are down. Elvis might have said way on down, in fact. IT Security Things says this should come as no surprise to anyone, other than perhaps those who still don’t take security seriously enough.

At the time of the TalkTalk breach, IT Security Thing commented that the company “was paddling up shit creek without a canoe” and insisted “customers need to know that anyone who holds their data, especially credit card and banking data, is doing all they can to properly secure it.” Our updated summing up of the incident at the time stated “TalkTalk and Baroness Harding have given the appearance of an organisation and CEO scampering around in blind panic, issuing statements and giving interviews without actually knowing the facts of the matter, and creating far more fear, uncertainty and doubt amongst customers than it looks like was actually necessary.”

TalkTalk was paddling up shit creek without a canoe

TalkTalk customers, it would appear, tended to agree. Hardly surprising when 157,000 of them were impacted directly by the breach and around one in ten had bank account numbers and sort codes accessed. We now know that the telecoms outfit were stuffed with some £42 million in costs associated with the breach, and it has also been revealed that pre-tax profits fell from £32 million down to £14 million year on year as a result.

TalkTalk CEO Dido Harding has said the company takes security incredibly seriously and has “brought forward spending on security.” To which we here at IT Security Thing have already responded “What, by £18m?”

Without wishing that this turns into a Dido-bashing exercise, we really do have to point out again that the way the company, and the CEO, handled the breach announcements were a poor example to others. Ultimately there was no major theft of anything, and less than 4 per cent of the customer base were effected; yet the reputational damage has been enormous as those profit losses show.

Here’s what some other IT security industry folk are saying.

Raj Samani, CTO EMEA at Intel Security, says, “reports revealing TalkTalk’s profit slump in the wake of last year’s cyber attack should serve as a warning to corporations across the globe of the impact cybercrime can have to the bottom line. Focusing efforts on rebuffing opportunistic cybercrime tactics does not go far enough to defend against such threats. To safeguard against targeted attacks companies need to embed cyber security decisions into the normal risk management process of the business. This will ensure measures are in place that are designed to not just stop an attack, but that security processes and technology ensure systems are back up and running and data security is restored as quickly as possible once an attack has been detected.

“Today, detection and correction of a cyber attack, is just as important as the initial protection stage. Corporations cannot afford to dismiss cyber security as a problem solely for the IT department. The financial future of a corporation – or that of its customers – can hinge upon the security of the information stored, so it is crucial that the CFO, CEO and other executives take an active role in understanding the level of cyber risk they’re exposed to in order to establish a meaningful and effective cyber security strategy. This process will include taking stock of the value of the company’s data assets and implementing mitigation strategies appropriately proportioned to the level of risk involved.”

“a warning to corporations across the globe of the impact cybercrime can have to the bottom line” Raj Samani, Intel Security

Mark Skilton, Professor of Practice at Warwick Business School and researcher into cyber security, says, “it is not surprising that profits have halved in TalkTalk following the cyber-attack in October 2015. TalkTalk lost 101,000 subscribers in the third quarter alone. However, with a turnover of £1.83 billion and 2.4 per cent growth it may be able to ride the impact. Nevertheless, it highlights the potential impact of cyber-attacks to businesses. This matters because the cost of acquiring customers for companies is 10 to 20 times greater or more through sales and marketing expenditure than retaining existing customers with occasional incentives or just general good service availability.

“The loss of a customer is a big deal as it represents not just lost future revenue, but in the case of a cyber-attack, it is the lost brand reputation and commercially a potential fatal blow. The issue is even with the extra spend a company would need to make in order to recover and win back customers, this inevitably becomes three to five times harder as the ‘cat is out of the bag’ in terms of the need to repair perception to the brand, regardless if you have an improved the security and internal operating disciplines. The impact also spreads across to other sub-brands the company may have and onto the sponsorships associated with the brand. In the highly competitive telecoms market this is a blow to TalkTalk, but the damage done by this cyber-attack is one example of a wider threat that is increasingly going to create more risks for many organisations.”

Cameron Ross, director of payments strategy at UK payment security technology firm Eckoh, says, “what’s clear is that a porous approach to customer data, however unwittingly, can have an equally porous impact on profit and reputation. A 50 per cent fall in profits underlines the existential importance of deploying iron-clad security technology. In the past, businesses have been able to rely on customer inertia, but those days are gone.

“Robust security is vital, as is having the systems to ensure that no unnecessary customer data is held, especially at a time when we are all digital nomads. If hackers blow a hole in the security of your customer data, your customers will blow a hole in your profits. Data security is a boardroom issue. If it’s not on the agenda, your risk management strategy is a colander.”

Intercede CEO, Richard Parris, says, “the constant stream of cyber attacks over the last year (Ashley Madison, Carphone Warehouse and most recently Minecraft) has left consumers weary. And today’s news of TalkTalk’s enormous loss in profits as a result of suffering a major data breach is proof there will be dire consequences for companies that continue to ignore consumers’ call for better digital security. Trust between consumers and service providers is at an all-time low; TalkTalk’s unfortunate fate should act as warning to all.

“With forthcoming EU privacy protection laws rumoured to include fines for service providers who do not adequately protect customer data, now is the time to act. In order to restore consumer faith and trust, companies must adopt better methods of security, away from the outdated and ineffective methods of yesteryear, including the archaic password. If companies want to continue to profit in the digital economy, a more proactive stance is required. The industry must work together to ensure that security is embedded into the very fabric of the technology ecosystem, from the silicon chips that power our smartphones and connected cars, to the services and apps we use in our day-to-day lives.”