What's that old saying? People are two missed meals or one jittery Champions League group stage match stream away from revolution.
Prior to its disastrous 2015 mega hack, UK ISP TalkTalk had told British spies at GCHQ that should an attack occur, its main focus would be to restore "online sports streaming", according to the head of operations at the country's National Cyber Crime Unit. Speaking at the Cyber Security in Healthcare event at the UK Health …
If I had all the doors and windows wide open in my property whilst I was out and I was then burgled I might feel like a victim, but I would not be as far as the insurance company (or anyone with half a brain cell) was concerned.
If you are a major ISP then shoddy security that a few script kiddies can break is not being a victim, it is being inept (ignoring security as a niggly cost expense). If they had good security and someone used a zero day to breach them, or some very sophisticated social engineering, then they could be more like victims.
Sport priority says it all though & reveals exactly why they were hacked so easily.
as the responsibility cuts across multiple roles in the company."
You are an ISP, you are operating at the front end of a system with known and unknown government and non-government cyber threats, you are the gatekeeper to your customers' data and home systems.
Responsibility for security shouldn't be at the line-manager level, it should be at board-level cutting across all areas of the company. What a set of morons.
Borrowing Doctor Syntax's comment as a subject...
Former boss Dido Harding later told MPs there was no specific line manager for cyber security as the responsibility cuts across multiple roles in the company.
That tells us all we needed to know about the Blessed Dido Harding in the job she was supposed to be doing.
If we didn't know it already, that is.
Come on, which dipshit at TalkTalk did the survey?
I would like to be the first to point out that if your network goes down you ain't streaming sh*t so therefore your network is your main priority.
Clearly they passed the survey to a sales droid which just goes to show how completely and utterly useless they really are like my superpower which is the ability to read my own mind.
This is equivalent to a conventional telco saying that in the event of a system outage their priority will be to restore the premium grumble lines, not the 999/911 service. Of course any telco even implying that would have its operating licence revoked for breaching the 2003 Communications Act.
The company estimated the attack cost it £42m. Since then it said it has “substantially” increased its investment in
cyber security, and has appointed a chief information security officer. not giving a shit about security, customer service, and has managed to be hacked almost quarterly every year since, yet still somehow has customers.
Fixed that for you!
I think blaming the PR team might be a little unfair; their role is to try to make the best of a bad job.
C suite occupants are fair game, though; they created the "bad job" in the first place.
I find myself wondering what the TalkTalk Data Controller has said about the security of customer data; he/she has a statutory responsibility for its protection even if the responsibility doesn't extend as far as ensuring effective cybersecurity.
"Hardest job in the world, that, the old Data Security Officer game... "
Name on the ICO register as the ISO and everything. My fatal mistake was to take the time (my own time, naturally) to read up on the responsibilities I had in law, and then to make reasonable efforts to keep $employer on the straight and narrow. Talk about "How to lose friends and influence people"... when I pointed out that handing customer PII to an offshore (non-DPD compliant) territory was really not allowed, it was pointed out to me that, well, that's interesting, now haven't you got some flashing lights to go stare at? And they carried on regardless. They were probably right, really: the odds of getting caught were zero, and the odds of getting any serious bother if something bad happened and it blew up, when amortised across the five centuries they reckoned it'd take for the bad thing to happen, were also so low as to make anything more than token lip service and auditor-friendly box-ticking the order of the day.
Why bother asking them for a response - Here's the standard corporate PR blurb for these matters:
[InsertCompanyName] takes its customers' security seriously and takes all reasonable precautions to ensure the safety of customer data, and an internal audit has been initiated to establish the severity of any data breach. We cannot comment further until this investigation is completed / the press have lost interest.
On a different note, it occurs to me that any organization publicly advertising for a CIO in charge of cyber security may well be inviting themselves to be hacked. It's a bit like telling the guy at PCWorld you know nothing about computers and showing him a wallet full of £50 notes.
"We do not recognise these comments. Our biggest security priority has always been protecting our customers"
I wonder what their actual biggest or highest priority is, because I assume it's making money. At this point I will give TalkTalk a plus star (1 out of 10) for saying biggest security priority and not lying by saying it was their biggest priority.
If this attack only cost them 42 million, then they haven't done a good enough job of ensuring this doesn't happen again.
It costs a lot more than 42m for a company like this to investigate the entire network, hire more InfoSec professionals, ensure the systems are clean, purchase more InfoSec equipment, create policies, audit policies, update legacy systems, hire more employees to tackle customer relations and damage control, not to mention loss of subscriptions, etc.
Total cost should be around 200-400 million, not 42.
Either we aren't being told the truth, or they're still too ignorant about information security.