The TalkTalk hack six months on: Businesses can't repeat its mistakes

It’s now been over six months since TalkTalk suffered a massive hack, where almost 150,000 customers’ personal details were stolen. In the time since it first found that cybercriminals had broken through its defences, the hack has cost the company more than £60 million and over 100,000 customers.

The company has suffered a great deal, primarily from one of the big problems of cybersecurity: you don’t realise how valuable it is until it’s too late. Its chairman, Dido Harding, said that with the benefit of hindsight the company should have done more to protect itself. However, she also contends that even if it had been accredited by Cyber Essentials – the government-backed scheme designed to help businesses to protect themselves against cyber threats – the hack still couldn’t have been fully prevented.

The benefit of hindsight, though, is immaterial. TalkTalk didn’t take steps in time, and suffered as a result. Now that we’re six months on, with the full scale of the reputational damage the hack has wrought in full view, businesses must be careful not to repeat its mistakes.

What happened in the TalkTalk hack?

As many businesses, not just those in the financial space, now handle personal banking data, security is of paramount importance. The TalkTalk hack saw almost 16,000 full bank account numbers and sort codes accessed, while a further 28,000 customers had their obscured credit and debit card numbers accessed. Many customers have been rightly horrified that this information is now in the hands of cybercriminals, but what’s really disconcerting is that they’re joining an already large proportion of UK banking customers who have been affected by cybercrime. Our most recent research has found that one in five Brits (20 per cent) has been a victim of cybercrime, including having their identity, money or online banking details stolen.

While this is a large and worrying figure, what is encouraging is that hacks like the TalkTalk one do seem to have raised the profile of cybersecurity. Almost half of those we surveyed (48 per cent) said that they were very concerned about their online banking details being stolen. Such hacks are also changing people’s attitudes to their online security, as almost a third (30 per cent) said that they would like their bank to provide advice about how to stay safe online.

Learning from the hack

This isn’t just a lesson for banks, though: all businesses can learn a great deal from these insights as well. Any business of any size that deals with consumers’ data has a duty of care, regardless of the nature of that business. If it’s personal data, the business must take every necessary step to protect it. The lesson businesses need to take from the TalkTalk hack is not to leave it until it’s too late to put strong security measures in place.

Dealing with cybercrime

A big problem with cybersecurity preparation is that you never know who might be targeting you, and yet it’s important to understand the enemy you’re facing. Cybercriminals are faceless, operate in the shadows, and are extremely technologically savvy. They are also adaptable, able to keep trying different approaches until they reach the data they want. As a result, the security measures businesses put in place to keep them out also have to be adaptable, able to identify when something is wrong and put a stop to it quickly and effectively.

It’s also important not to underestimate the scale of the threat. A popular method for hackers and fraudsters is to use bespoke criminal software obtained on the dark web. An enormous variety of software exists on the dark – or hidden – web, where it is sold via untraceable marketplaces. Much of this software has been specifically designed to help criminals crack businesses, and particularly to exploit their websites. This marketplace is no small aberration either: it has become a billion-dollar industry, and according to security researchers G DATA, 12 new strains of malware are created every minute.

As time has gone on, these strains of malicious and exploitative software and the methods hackers use have evolved. One of the big problems with the current security mindset is that even as the threat has become more sophisticated, the focus has remained on perimeter defences. In the financial services industry, that means an overreliance on passwords, PINs and even newer methods like biometric security, all trying to keep criminals out. To fight effectively against today’s cybercriminals and the software they use, we now need to look past the point of entry so that we can cope with hacking threats if they do manage to get in. Just as physical building security places alarms and sensors both at the point of entry and within the building, businesses also need to focus on cybersecurity within the applications themselves.

TalkTalk has now of course recognised the dangers these cybercriminals pose, and has taken steps to ensure it never again suffers as it did six months ago. However, the damage is done. What businesses now need to do is learn from TalkTalk’s mistakes and take steps to make themselves as secure as possible. As TalkTalk now knows, any delay could be catastrophic.

Clayton Locke, Chief Technology Officer at Intelligent Environments