BreachExchange mailing list archives
Security If you TalkTalk, you should walk the walk: A case of social responsibility
From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Fri, 4 Dec 2015 14:14:37 -0700
http://www.information-age.com/technology/security/123460622/if-you-talktalk-you-should-walk-walk-case-social-responsibility

Following a series of high-profile cyber attacks, cyber security is now at the forefront of business discussions across the globe. The implications of data breaches for businesses are severe, and so it’s no surprise that finding new ways to protect customer information is at the top of the board-level agenda. Protecting customer information is no longer exclusively an IT or security problem; it is a business-critical issue.

As a result of a recent cyber attack, TalkTalk saw about 21,000 unique bank and sort codes, 28,000 obscured credit and debit card details and 1.2 million customer email addresses, names and phone numbers being compromised. The Culture, Media and Sport Committee has launched an inquiry into cyber security, investigating the circumstances surrounding the data breach and the wider implications for telecoms and internet service providers. A report will then be produced for the government, containing the inquiry’s findings along with recommendations for how to improve online information security.

There has been a significant shift in the perception of cybercrime within the business world, as most organisations now accept that it is impossible to eliminate threats altogether. In light of this, one of the biggest challenges companies now face is striking the right balance between building the right level of security capability and retaining company productivity. While research indicates that investment in security resources is steadily increasing, allocating budget is still a major issue, largely due to the fact that return on investment for cyber security is difficult to quantify.

So, businesses are left pondering the answers to a number of pressing questions. Where do you draw the line on cyber security? How much do you invest in security standards? And how can you be sure they are ‘secure’ enough to deal with any threats that your business will likely face?

A consequence of this is that many organisations are now adopting a risk-based approach to security. Companies categorise their assets – including all kinds of data – according to how critical they are to the business. While it may be pragmatic to categorise in this way, it is an inherently naïve and extremely weak approach. That’s because the biggest danger in terms of data security is not to the board but to the customers – the public who have invested both their money and their trust in a corporation with the belief that, as professionals, they would do all they can to protect personal information.

The biggest question companies should be asking themselves is: ‘If we can’t protect our customers’ details, should we even have access to them?’ Customers are well within their rights to posit that if a business can’t protect their details, they should not have access to them in the first place. Protecting customer information should be the minimum requirement for any security standard and, if it is not, the business responsible for the shortcoming must face severe consequences.

More than just a security issue

The regulation of cyber security standards is more widespread than ever before, but there is still a long way to go. Looking at the big picture, it is evident that protecting customer information is not just a matter of security – it is also an issue of social responsibility and accountability. The problem here lies with the fact that businesses continue to exploit ambiguous interpretations of both.

Given the importance of adequately protecting customer information, security should form one of the key pillars of any business – and not just as a formality to cap off a detailed strategy, but as an integral component from the very beginning. The ‘out of sight, out of mind’ approach is no longer acceptable – greater punishments for noncompliance need to be outlined and businesses must be held accountable. While stricter regulations may initially seem like a burden, if handled correctly the security procedures put in place will ultimately enable business, rather than restrict it.

There are interesting times ahead as the Internet of Things gathers pace and the threat surface widens, meaning companies will have to do much more to ensure the adequate protection of their own, and their customers’, data. Unless the right punishments are enforced, security could remain a risk worth taking.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail sales () riskbasedsecurity com

Supporters:
Risk Based Security (http://www.riskbasedsecurity.com/)
YourCISO is an affordable SaaS solution that provides a comprehensive information security program that ensures focus on the right security. If you need security help or want to provide real risk reduction for your clients, contact us!