BreachExchange mailing list archives

If you TalkTalk, you should walk the walk: A case of social responsibility


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Fri, 4 Dec 2015 14:14:37 -0700

http://www.information-age.com/technology/security/123460622/if-you-talktalk-you-should-walk-walk-case-social-responsibility

Following a series of high-profile cyber attacks, cyber security is now at
the forefront of business discussions across the globe.

The implications of data breaches for businesses are severe, and so it’s no
surprise that finding new ways to protect customer information is at the
top of the board-level agenda. Protecting customer information is no longer
exclusively an IT or security problem; it is a business-critical issue.

As a result of a recent cyber attack, TalkTalk saw about 21,000 unique bank
and sort codes, 28,000 obscured credit and debit card details and 1.2
million customer email addresses, names and phone numbers being compromised.

The Culture, Media and Sport Committee has launched an inquiry into cyber
security, investigating the circumstances surrounding the data breach and
the wider implications for telecoms and internet service providers.

A report will then be produced for the government, containing the inquiry’s
findings along with recommendations for how to improve online information
security.

There has been a significant shift in the perception of cybercrime within
the business world, as most organisations now accept that it is impossible
to eliminate threats altogether.

In light of this, one of the biggest challenges companies now face is
striking the right balance between building the right level of security
capability and retaining company productivity.

While research indicates that investment in security resources is steadily
increasing, allocating budget is still a major issue, largely due to the
fact that return on investment for cyber security is difficult to quantify.

So, businesses are left pondering the answers to a number of pressing
questions. Where do you draw the line on cyber security? How much do you
invest in security standards? And how can you be sure they are ‘secure’
enough to deal with any threats that your business will likely face?

A consequence of this is that many organisations are now adopting a
risk-based approach to security. Companies categorise their assets –
including all kinds of data – according to how critical they are to the
business.

While it may be pragmatic to categorise in this way, it is an inherently
naïve and extremely weak approach. That’s because the biggest danger in
terms of data security is not to the board but to the customers – the
public who have invested both their money and their trust in a corporation
with the belief that, as professionals, they would do all they can to
protect personal information.

The biggest question companies should be asking themselves is: ‘If we can’t
protect our customers’ details, should we even have access to them?’

Customers are well within their rights to posit that if a business can’t
protect their details, they should not have access to them in the first
place. Protecting customer information should be the minimum requirement
for any security standard and if it is not, the business responsible for
the shortcoming must face severe consequences.

More than just a security issue

The regulation of cyber security standards is more widespread than ever
before, but there is still a long way to go. Looking at the big picture, it
is evident that protecting customer information is not just a matter of
security – it is also an issue of social responsibility and accountability.
The problem here lies with the fact that businesses continue to exploit
ambiguous interpretations of both.

Given the importance of adequately protecting customer information,
security should form one of the key pillars of any business – and not just
as a formality to cap off a detailed strategy, but as an integral component
from the very beginning.

The ‘out of sight, out of mind’ approach is no longer acceptable – greater
punishments for noncompliance need to be outlined and businesses must be
held accountable.

While stricter regulations may initially seem like a burden, if handled
correctly the security procedures put in place will ultimately enable
business, rather than restrict it.

There are interesting times ahead as the Internet of Things gathers pace
and the threat surface widens, meaning companies will have to do much more
to ensure the adequate protection of their own, and their customers’, data.
Unless the right punishments are enforced, security could remain a risk
worth taking.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/