Lessons from TalkTalk: UK Parliamentary committee publishes report on 2015 cyber attack
- Published: Thursday, 23 June 2016 08:37
On Wednesday 21st October 2015, there was a ‘significant and sustained’ cyber-attack on TalkTalk. Given the seriousness of the attack, the House of Commons Culture, Media and Sport Committee investigated the incident, and the resulting report has now been published.
Amongst the lessons identified and actions recommended by the report, several are very relevant to the business continuity and risk management professions. These include:
- ‘It is appropriate for the CEO to lead a crisis response, should a major attack arise. But cyber security should sit with someone able to take full day-to-day responsibility, with Board oversight, and who can be fully sanctioned if the company has not taken sufficient steps to protect itself from a cyber-attack. To ensure this issue receives sufficient CEO attention before a crisis strikes, a portion of CEO compensation should be linked to effective cyber security, in a way to be decided by the Board.’
- ‘In major organisations, where the risks of attack are significant, the person responsible for cyber-security should be fully supported in organising realistic incident management plans and exercises, including planned communications with customers and those who might be affected, whether or not there has been an actual breach.’
- ‘Companies and other organisations need to demonstrate not just how much they are spending to improve their security but that they are spending it effectively. We therefore recommend that organisations holding large amounts of personal data (on staff, customers, patients, taxpayers etc.) should report annually to the ICO on: (i) Staff cyber-awareness training; (ii) When their security processes were last audited, by whom and to what standard(s); (iii) Whether they have an incident management plan in place and when it was last tested; (iv) What guidance and channels they provide to current and prospective customers and suppliers on how to check that communications from them are genuine; (v) The number of enquiries they process from customers to verify authenticity of communications; (vi) The number of attacks of which they are aware and whether any were successful (i.e. actual breaches).’