
Daisy

Lessons from TalkTalk: UK Parliamentary committee publishes report on 2015 cyber attack

On Wednesday 21st October 2015, there was a ‘significant and sustained’ cyber-attack on TalkTalk. Given the seriousness of the attack the House of Commons Culture, Media and Sport Committee investigated the incident and the resulting report has now been published.

Amongst the lessons identified and actions recommended by the report, several are very relevant to the business continuity and risk management professions. These include:

  • ‘It is appropriate for the CEO to lead a crisis response, should a major attack arise. But cyber security should sit with someone able to take full day-to-day responsibility, with Board oversight, and who can be fully sanctioned if the company has not taken sufficient steps to protect itself from a cyber-attack. To ensure this issue receives sufficient CEO attention before a crisis strikes, a portion of CEO compensation should be linked to effective cyber security, in a way to be decided by the Board.’
  • ‘In major organisations, where the risks of attack are significant, the person responsible for cyber-security should be fully supported in organising realistic incident management plans and exercises, including planned communications with customers and those who might be affected, whether or not there has been an actual breach.’
  • ‘Companies and other organisations need to demonstrate not just how much they are spending to improve their security but that they are spending it effectively. We therefore recommend that organisations holding large amounts of personal data (on staff, customers, patients, taxpayers etc.) should report annually to the ICO on: (i) Staff cyber-awareness training; (ii) When their security processes were last audited, by whom and to what standard(s); (iii) Whether they have an incident management plan in place and when it was last tested; (iv) What guidance and channels they provide to current and prospective customers and suppliers on how to check that communications from them are genuine; (v) The number of enquiries they process from customers to verify authenticity of communications; (vi) The number of attacks of which they are aware and whether any were successful (i.e. actual breaches).’

Read the report.
