TalkTalk's recent breach has been covered widely across every form of media over the last few days; it has been hard to escape. From an attacker's point of view, was it third time lucky? It has to be asked why the company waited so long to act - a classic case of burying its head in the sand, perhaps.
Dido Harding, CEO of TalkTalk, stated in a recent interview that the organisation had "no legal obligation" to encrypt customer data. I find this extremely difficult to comprehend. An organisation that processes customer card payments must assess itself against PCI DSS every year, and that standard requires stored cardholder data to be rendered unreadable and cardholder data to be strongly encrypted whenever it crosses public networks. Strictly, PCI DSS covers cardholder data rather than every customer record, but it would still be of great interest to see what TalkTalk has previously attested to, because Harding evidently has no knowledge of it. For a company processing payments daily for a customer base of over 4 million, it is worrying to think that PCI DSS compliance was not a priority.
Not only has Harding shown a blatant disregard for the encryption of customer details, but she adds insult to injury by offering what can only be described as awful advice to customers. During a BBC interview she suggested that customers click the link in the email, which would take them to the help site, and check the header to confirm that the email is from a TalkTalk address. Clearly she has not been briefed on the fundamentals of phishing: the From address is chosen by whoever sends the message and proves nothing, and a link's visible text need not match where it actually leads.
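To show why that advice fails, here is an added example (not code from the original post, and not a real TalkTalk message): two constructed emails with invented domain names are parsed with Python's standard library. The first claims to come from talktalk.co.uk in its From header while its Return-Path points elsewhere, and its link text displays the genuine help URL while the href goes to a lookalike host. The second is a clean message and should raise no finding. The host-comparison rule is a simple heuristic of my own, not a full anti-phishing check.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample: every header below is attacker-supplied. The domains are
# invented for illustration; only the From header "looks like" TalkTalk.
SAMPLE_PHISH = """\
Return-Path: <bounce@mail-relay.example.net>
From: TalkTalk Customer Care <help@talktalk.co.uk>
To: customer@example.org
Subject: Important security update
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Please verify your account at
<a href="http://talktalk.co.uk.secure-login.example.net/verify">https://www.talktalk.co.uk/help</a></p>
</body></html>
"""

# Constructed clean sample for comparison: envelope and header domains agree,
# and the link goes where its text says it goes.
SAMPLE_GENUINE = """\
Return-Path: <bounce@talktalk.co.uk>
From: TalkTalk Customer Care <help@talktalk.co.uk>
To: customer@example.org
Subject: Your bill is ready
Content-Type: text/html; charset="utf-8"

<html><body><p>See <a href="https://www.talktalk.co.uk/help">https://www.talktalk.co.uk/help</a></p></body></html>
"""


def _domain(addr_header):
    """Domain part of an address header such as 'Name <user@host>'."""
    _, addr = parseaddr(addr_header or "")
    return addr.rpartition("@")[2].lower()


def _host(text):
    """Hostname of a URL-looking string with any leading 'www.' removed;
    empty string for plain words such as 'click here'."""
    text = text.strip()
    if "://" not in text:
        if not re.fullmatch(r"[\w-]+(\.[\w-]+)+(/\S*)?", text):
            return ""
        text = "http://" + text
    host = (urlparse(text).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def from_vs_return_path(raw):
    """(From domain, Return-Path domain): the first is free text chosen by
    the sender, the second is the envelope sender recorded by the receiving MTA."""
    msg = message_from_string(raw, policy=policy.default)
    return _domain(msg["From"]), _domain(msg["Return-Path"])


def mismatched_links(raw):
    """Links whose visible text names one site but whose href goes to another.
    A target that merely *starts* with the shown name (talktalk.co.uk.evil...)
    is still a mismatch, because DNS reads right to left."""
    msg = message_from_string(raw, policy=policy.default)
    html = msg.get_content()
    out = []
    for href, text in re.findall(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', html, re.I | re.S):
        shown, target = _host(text), _host(href)
        if shown and target and target != shown and not target.endswith("." + shown):
            out.append((shown, target))
    return out


def assess(raw):
    """Summarise the two checks a user cannot do by 'looking at the header'."""
    from_dom, rp_dom = from_vs_return_path(raw)
    findings = []
    if rp_dom and rp_dom != from_dom:
        findings.append(f"From claims {from_dom} but Return-Path is {rp_dom}")
    for shown, target in mismatched_links(raw):
        findings.append(f"link text shows {shown} but points to {target}")
    return {"suspicious": bool(findings), "findings": findings}


if __name__ == "__main__":
    for name, raw in (("phish", SAMPLE_PHISH), ("genuine", SAMPLE_GENUINE)):
        print(name, assess(raw))
```

The point of the two functions is that neither signal is visible in the "header" a customer sees in their mail client: the From line passes the CEO's test on both messages, and the link text passes it too. Only the envelope sender and the actual href, which most users never look at, give the game away.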
If the CEO of an organisation can show such limited knowledge of standard social engineering advice, it leaves me worried about the level of information security overall. This only strengthens the point that when a company embarks on an awareness campaign of any kind it needs to target everyone, including its senior executives.
Executive buy-in is always a good start, but let's not forget that executives can sometimes themselves be a risk to an organisation's information security posture.
At the time of writing TalkTalk's share price has fallen by 20% and its reputation is in tatters. I think Ms Harding's company will become the poster child for how not to run a cyber security governance culture in a modern organisation.