Since the cyber attack on our business in October 2015, TalkTalk has been determined to share what we learnt from our own experiences with other businesses, consumers and policy makers. Speaking at the Telegraph Cyber Security Conference on 25 May, TalkTalk Director of Corporate Affairs and Regulation, Jessica Lennard, set out what she learnt from our attack, how other businesses can learn from it and what changes are needed to better protect British consumers. You can watch the full video below, but key themes included:
The need for greater transparency: Questioned on TalkTalk’s decision to go public about the attack, Jessica stressed the need for greater transparency in the fight against cyber crime. Being open with customers is not without consequences, but our experience has shown that it pays dividends over time. The business has higher customer brand loyalty scores and consideration than before the attack. Jessica challenged the notion that staying quiet is the best way to protect a business and its reputation.
The need to ask the right questions: Jessica argued that boards needed to change how they manage cyber risks. She said all too often boards ask ‘are we safe?’ and look for binary ‘yes/no’ answers from security teams. The only way to be entirely safe is not to trade online. Instead, boards should be asking ‘what risks are we taking and how do we minimise those?’. This allows us to truly understand the nature of the external threats we face – and take action to protect ourselves and our customers.
Cyber security as a business, not security, issue: There is always more data, in more places, than you would want. And as a complex, technical area, it’s more likely to be dealt with in a silo by tech or IT departments than properly understood and mitigated across the whole company. Jessica set out how TalkTalk has made a comprehensive effort since last year to truly embed security in everything we do.
The need for legislative change: Jessica argued that legislative change is needed to better protect businesses and customers. Government data shows 9 in 10 organisations have suffered a successful cyber attack, but in most cases, legislation doesn’t require them to tell regulators or customers. That facilitates a culture of cover-up which threatens to undermine consumer confidence in the digital economy. Jessica set out the case for the mandatory reporting of successful attacks to drive a culture change in how Britain manages cyber risks.