UK companies have started to realise how vulnerable they really are in the wake of numerous data breaches over the past few years, none more so than the recent hack of TalkTalk.
Customer data, business reputation and even high-level jobs are at risk from sophisticated hackers, and firms now understand the need to tighten security or face mass data theft and potential financial ruin.
But will this drive an influx of investment into cyber security ? It took a number of successive breaches on our own shores before UK firms properly took note, according to a number of security experts, despite major breaches at the likes of the US Office of Personnel Management1 and Ashley Madison2.
Instead, it was the hack on mobile and internet provider TalkTalk3 which experts agree has left a lasting impression on business leaders in the UK.
“The TalkTalk data breach has certainly forced boardrooms to look at their cyber security strategy and question if they are properly equipped,” Bharat Mistry, cyber security consultant at Trend Micro, told V3.
“When the CEO of TalkTalk had to face the media, it was distressing to see that she did not know the extent of the breach . She was unsure of what systems were breached, or the type and amount of data affected .
The negative media coverage has been a big factor in companies looking at security, and no business wants to be the next TalkTalk.”
Five arrests have been made since the hack in October4 that resulted in the loss of millions of sensitive customer records, including names, addresses, email addresses and partial credit card details.
Focused minds
David Emm, principal security researcher at Kaspersky Lab, told V3 that the scale of the breach and the fall out has “definitely focused minds” at other firms.
“Companies now realise that the most worrying aspect of the TalkTalk case is that it didn’t take much effort to breach its security,” he said.
“The consensus is that, while nobody can be 100 percent protected, nobody should be vulnerable to trivial and unsophisticated attacks.”
Mark James, a security specialist at ESET, agreed that the breach at TalkTalk was a wake-up call for UK firms. “Companies large and small now realise that it is a very real threat and they need to take measures to protect themselves,” he told V3.
“Often only when it hits the headlines do companies look and listen and make significant changes because most of the time these big companies are overseas . TalkTalk in the UK is a lot closer to home but making companies look at their security and procedures in case of a breach can only be a good thing.”
Andy Herrington, head of cyber professional services at Fujitsu, also agreed with this assetment, nothing that the firm has had more conversation about security since the breach took place.
“I can honestly say that since TalkTalk we have had more and higher level conversations at C-level . There’s always some amount of finger pointing but they are not going to be an isolated case .
It’s very easy to point the finger but it’s yet another company that has been damaged and that can’t be good for any economy,” he said at a roundtable event attended by V3.
“People are thinking I don’t want to have to make those calls’ and actually the conversation has changed for the better in the UK since TalkTalk . It was the catalyst that has changed attitudes and that’s got to be a good thing.”
Making the case for cyber investment
One aspect of this rising threat of breaches is the realisation that the problem is no longer confined to the IT department and upper management must take an interest.
“Only when cyber security becomes a board-level issue will businesses be one step ahead of hackers,” Richard Olver, EMEA vice president at security firm Tanium, told V3.
“The simplest questions are often the hardest to answer, which is why cyber security strategy has to permeate all business levels including, and especially, the board.
“How many companies can correctly answer How many computers are on the network?’, What applications are running on my computers?’, What is the vulnerability and patch status across all my devices?’ . Until they can, risk will prevail.”
Olver explained that hackers are not becoming more sophisticated but that weak business security strategies make it easier for criminals to get in.
Spend, but spend wisely
So will UK firms now throw more money at cyber crime protection?
“Major breaches generate motivation and excuses .
Spending isn’t the same thing as investment, and excuses don’t prevent breaches,” said Tim Erlin, director of security and product management at Tripwire.
“There’s little doubt that a significant breach affects security investment, and it’s not always new product purchases . If you find yourself explaining why your organisation can’t be the next TalkTalk, pause and examine whether you’re making excuses or describing actual defences you have in place.”
Kaspersky’s Emm mirrored this statement, saying that spending is important but that combating cyber crime is “not always about money”.
“The TalkTalk CEO said that the company didn’t know what data was encrypted, and knowing information of this sort doesn’t have a price in the way that purchasing and deploying hardware or software does . The key, therefore, is to have a risk assessment and strategy in place,” he said.
Indeed, given all the awareness that’s now out there from the recent breaches, there is now no excuse for a company to claim that it was not prepared for a cyber hit, according to Fraser Kyne, principal systems engineer at Bromium.
“The TalkTalk incident has been a wake-up call for people .
But it’s not the first .
Certainly it will provide a clear message to chief execs that if something like this happens they can expect to be paraded in front of a voracious media – and they’d better have some good answers to some tough questions,” he told V3.
Fending off cyber crime is more important than ever for UK firms, and the hackers will not relent .
Most recently, toy manufacturer VTech was hit with a breach5 that resulted in the loss of up to five million customer records.
V3 heard last week from some leading security at major organisations about the most important steps to take to protect data, with most urging firms to focus on protecting their ‘crown jewels’, in order to minimise their risk6.
References
- ^ V3: US government admits 21.5 million records taken in OPM hack (www.v3.co.uk)
- ^ V3: China and Russia collecting Ashley Madison data for intelligence purposes (www.v3.co.uk)
- ^ V3: TalkTalk hack: Met Police arrests fifth suspect in relation to breach (www.v3.co.uk)
- ^ V3: TalkTalk hack: Met Police arrests fifth suspect in relation to breach (www.v3.co.uk)
- ^ V3: Toy maker VTech suffers major hack and data breach (www.v3.co.uk)
- ^ V3: Firms must focus on protecting the ‘crown jewels’ when deploying defences (www.v3.co.uk)
The post TalkTalk breach could be good for cyber security in the long run appeared first on News4Security.