Baroness Dido Harding, the former CEO of UK-based Talk-Talk, opened Infosecurity Europe 2018 by warning other business leaders of the importance of board-level input when it comes to security risks.
Reminiscing on the website hack of October 2015, Harding stood by the company's decision to make customers aware of the attack on the same day it happened – despite police and several others disputing the decision.
According to Harding, the priority was to look after customers' interest and protect their data and privacy even though 12 hours later they were still unaware of what data, and how much of it had been taken.
"Within about 12 hours, it was very clear that we didn't know what had been taken but a lot of data could have been taken," Harding said on stage. "In the heat of an incident, the really difficult thing is you don't know.
"We knew that potentially all of our customers' data had been stolen but we didn't know exactly what had been stolen and we knew it was going to take us a while to find out."
The company later found that the data of over 150,000 customers had been breached, with 15,656 bank account numbers and sort codes stolen.
Harding emphasised that TalkTalk's desire was to focus on the customer, which Harding explained as a different approach to the Metropolitan Police and GCHQ (Government Communication Headquarters), which instantly wanted to catch the criminals.
"We were actually the only people whose objective function was to look after our customers," she added. "It wasn't that the Met were doing a bad job but their objective was to catch the crooks; GCHQ's function was national security."
Harding claims that the company's brand was more trusted three months after the attack than it was before. This was a result of being open with customers on the state of their personal data.
When discussing the external process, Harding said: "We were not a company that didn’t take cybersecurity seriously, at least that's what we thought...What happened to us is that we were a young and immature business; we were a business that had grown through a lot of acquisitions.
"A business that we bought had a legacy website that had an extremely simple SQL vulnerability in a legacy website that had not been used in two of those three acquisitions."
Harding made it clear that ahead of the attack, TalkTalk was doing the right things to protect customer security, but the company "didn't even know the shed was there and then in the shed, there's a completely wide open window," she said.
“The more I talk to other chief execs that have gone through similar experiences, it is the legacy that gets you. It's acquisitions and legacy within acquisitions that gets you and it is business leaders not really hearing from their security experts," Harding explained.
Harding believes that business leaders and boards are not asking the right questions. They should focus on decommissioning any old technologies and make it a priority to ask "what are the risks, what are we happy with and what do we need to mitigate?" Harding advised.
Most boards, even up until now, want to overlook cybersecurity responsibilities and leave it to the experts in the business despite it being a board issue.
Harding shared that one of the most difficult decisions was knowing when it was safe enough to go back online, which in hindsight could have been easier if the board had been involved.
"My security and technology professionals team at Talk Talk wanted to take that decision themselves, and they couldn't," she added.
As heard from an ex-CEO perspective, a lesson to company boards is the need to participate in security talks and do more to hear from security teams.
"I realised that really smart engineers can speak English," she added. "It requires extreme pressure sometimes but they can and also general managers can understand. We learnt as a team at TalkTalk that's magic."
This article originally appeared on Computerworld UK.
