Cyber security is a business issue not just a technology one

This blog was part of the Expert Blog Series for the Cifas Future Crimes conference 2016.

Last October’s cyber attack was a challenging time for TalkTalk and our customers, but seven months later we are a better, stronger business as a result. It was a big decision for the company to be as open with our customers as we were. At the time we firmly believed it was the right thing to do, and our customers have since rewarded us for it with higher brand loyalty and consideration scores than ever before.

Cyber crime is not a problem unique to TalkTalk and we have been determined to share what we learnt from our own experience with other businesses, consumers and policy makers. Before October, like many other companies, we genuinely thought that we took cyber security seriously. We had increased our spending on cyber defences year on year and it was discussed at every board meeting. Ultimately though, we underestimated the true scale of the challenge and, going by the exponential rise in cybercrime across the UK, we’re far from the only ones to have done so.

One of the key learnings for us has been that cyber security is really a business, not a technology, issue. There is always more data, in more places, than you would want. And as a complex, technical area, it’s more likely to be dealt with in a silo by tech or IT departments, than properly understood and mitigated across the whole company. We’ve made a comprehensive effort since last year to truly embed security in everything we do.

Another major lesson for us is the realisation that we were asking the wrong question of our tech team. “Are we safe?” is, ultimately, a meaningless question: the only way to be 100% cyber safe is to stop doing business online. Instead, we now ask “What risks are we taking?” This allows us to truly understand the nature of the external threats we face – and take action to protect ourselves and our customers.

Ultimately, if we’re going to tackle the problem effectively, we need to start having an honest, transparent discussion about cyber crime, sharing information and best practice and working together across industries. Being open with customers is not without consequences, but our experience has shown that it pays dividends over time. It also means we can now play an active part in helping confront the cybercrime threat. What happened to TalkTalk should be a wake-up call to every other business which believes it cannot, or will not, happen to them. The likelihood is it already has.

Jessica Lennard, Director of Corporate Affairs and Regulation