As the CEO of any business will tell you, there are good times and bad times.
On a good day you deliver something for your customers, like Homesafe, which when we introduced it was the first free filtering service that put parents back in control of the content their children see online. Then there are bad times; days where you ask yourself: ‘what could I have done differently, what do I need to do differently now?’ In all my years in business, October 2015 will stand out as one of those times.
In October 2015, TalkTalk was hacked. Like most large corporates, we successfully defend against cyber attacks every day; this was the first to succeed. It wasn’t initially possible to tell how much data had been taken, nor which customers had been affected. But we knew an illegal raid on our online estate had taken place, and we knew we had to let people know, so they could protect themselves. Over the following days, weeks and months, we would wrestle with this unfolding situation in the full glare of the media spotlight, learning as we went the harsh realities of an event which had hitherto been a theoretical ‘risk’.
There were some tough lessons for TalkTalk – things I believe in hindsight we could have done differently, and which we are fully facing into now. There were also things we came to realise were simply not well known or understood generally across business, consumers, or the media. Even government and law enforcement are racing to get a grip on this rapidly evolving threat.
I am determined, to the greatest extent possible, to share what we learned (the good and the bad) in the same spirit of transparency and openness with which we approached the cyber attack itself. That’s one of the reasons I am pleased TalkTalk is able to support this Journal. What happened must be both a critical driver of change for TalkTalk, and also a wake-up call for every other business which believes it can’t, or won’t, happen to them. The reality check for many of those companies is: it probably already has.
Perhaps the most important lesson for me is a real acceptance that of course the digital world has a dark side, just like the physical world.
Telecoms companies like TalkTalk are passionate champions of the digital revolution. But like everything in life, this comes with risks as well as rewards. I have come to understand that nobody in business is yet spending enough time or money thinking, worrying or talking about the anti-social and criminal ecosystems that have naturally evolved along with the online world. Centuries ago, we began to civilise our society with values, ethics and laws; but we are only just beginning the digital equivalent of that process.
As with crime on the streets, we’re now engaged in a war online – against criminals who seek to steal our information and use it against us. This activity comes in different forms: from nation states and organised gangs, to misguided young people in high-stakes games of digital ‘dare’. We must start recognising it, and tackling it, with the same determination as we do crime in the physical world.
Part of the problem is that nobody expects it to happen to them. And no-one (myself included) knows enough about it. Business leaders, governments and charities are largely not digital natives. Unlike teenage ‘script kiddies’, growing up immersed in technology, we’ve had to work out how to live in this new world.
Because it’s a complex, technical area, the temptation is to allow cyber security to operate in a silo within a business. While many companies say it’s a board-level issue, in reality that often means CEOs wanting to be told by their Chief Technology Officer that everything’s under control, that ‘we’re safe’. The troubling reality is that there is no such thing as totally safe. Any Chief Technology Officer who says otherwise is part of the problem. The only way to be completely protected is to stop all online activity.
So whilst we can never be totally ‘safe’, both individuals and businesses can change the way we perceive and handle the risks. As a CEO, I have learned that the right question is not ‘Are we safe?’, but ‘What risks are we taking and what could be done to mitigate them?’ That doesn’t require a PhD, nor a knowledge of coding. You just need to be unafraid to ask the important questions. And if risk is being approached and discussed differently in boardrooms after what happened to TalkTalk, that can only be a good thing.
The next issue is that when it happens, nobody talks about it. In the weeks following our attack, we were supported by several highly experienced security and law enforcement organisations, all of whom presented the same fact: it is far more common than anyone likes to believe, or to admit.
The reality is that the problem is growing exponentially worse. Nine out of ten large UK businesses have suffered a security breach, yet the vast majority of these go unreported. Add these Government figures to the 200 ‘major incidents’ GCHQ handled each month over the summer of 2015, and it’s clear that what happened to TalkTalk was not a rare, one-off occurrence. The difference is that we chose to make it public.
Some see this as a controversial, even naive, decision. Of course it’s tempting as a CEO to get yourself to a place where you believe it’s unnecessary, or won’t help. But going down that route will only destroy customer trust and perpetuate the problem. Faced with either warning all our customers early so they could protect themselves, or waiting (in the end it took two weeks) until we could isolate who was affected and in what way, I firmly believe we made the right choice.
That decision came with consequences, both financial and reputational. But I hope any Chief Executive faced with this choice in future will take courage from this fact: all independent brand metrics and customer feedback we have tells us we benefited from doing the right thing. The topline message from customers is that yes, they’re worried about their data; but they don’t think what happened was our fault, and they appreciate how we dealt with it.
In fact, over and above any other factor, it’s the honesty and openness with which we approached the cyber attack which shaped customers’ attitudes to what happened. It was that decision which provided the foundations on which we are now rebuilding their trust, and which will enable TalkTalk to emerge from what happened a stronger and better business.
But being honest in admitting that the cyber threat is growing doesn’t mean conceding defeat. There are things we can do to fight back.
We can dramatically ramp up both reporting requirements for companies which have experienced a data breach, and fines for employees caught committing a crime of this nature. Current rules mean that the vast majority of these incidents go unreported – customers simply never know. This leaves them vulnerable to scammers and criminal gangs from the moment that data is stolen. Over the long term, it also risks undermining customer confidence in the digital economy altogether. Transparency has to be our friend in this fight. A reformed reporting system, with proper sanctions, is a good start.
We can also ensure businesses, government and law enforcement have a clear, streamlined approach to planning for, and handling, these incidents. The Government’s announcement of a one-stop shop ‘cyber hub’ will vastly improve the current system, where businesses which have suffered an attack are faced with a multitude of different agencies, with diverse objectives and protocols.
As a telecoms company, TalkTalk was fortunate in having strong links with several government agencies which were able to provide useful first points of contact. This is not the case across all sectors, or sizes of business.
Companies can also do much more. More management time, more investment, greater transparency, a different approach to risk. These are all hard earned lessons for TalkTalk, from which I hope other companies will benefit.
Some companies, like telcos, can actually offer products which keep customers safe and make it harder for criminals to target them. For example, the sheer amount of data now online means customers are ever more vulnerable to data-related fraud. Often (as was the case with TalkTalk) what the criminals get hold of is not enough on its own to steal from a customer. But it might be enough to scam customers into handing over their money themselves. Telecoms companies can block these scam calls and emails at source, and provide privacy and safety features for customers to protect themselves. But for the last two years, TalkTalk has been the only provider offering these services for free. We now block around 70 million scam calls each month. Some providers are following suit and offering these services free of charge. But the vast majority still don’t, and I would very much like to see this become an industry-wide commitment.
No technology solution is ever perfect though. So arming customers with better information about the tactics criminals use, and how to stay safe, is also critical. We all need to think about changing our behaviour. For instance, we’ve all clicked ‘remind me later’ when our applications ask us to update the software. But without these updates, our systems become vulnerable to evolving security threats. Another example is the need to start treating people online or on the phone as we would face-to-face. When someone phones up purporting to be from an organisation, we must learn to view them with the same degree of healthy suspicion as if they’d knocked on our door.
But this isn’t a purely defensive game.
It’s time we took the fight to criminals. Last year, the Chancellor committed to giving our police and security agencies the resources they need to find, disrupt and prosecute the networks behind attacks. We should support that. It’s time to shine a light on those currently hiding in the shadows.
The combined effect of these endeavours should ensure that the internet does not become a digital Wild West, but instead operates within the legal, moral and social framework of a civilised modern society. Even after everything that I have learned and experienced in the last few months (or perhaps because of it), I remain optimistic that we can do it. Of course it won’t be perfect, because human beings are not perfect. But a civilised digital society is possible and I’m determined that TalkTalk plays its part in helping us get there.