Like most good stories in the media, the latest spate of data hacking is the usual combination of scaremongering, ignorance and genuine issues. Once you remove the hysteria and trumped-up assumptions, the picture starts to look a little different.
TalkTalk, Ashley Madison and now US banks have all been hacked, with millions of customer records stolen. Identities will be used, bank accounts drained, and secrets exposed – the fears and worst-case scenarios are very real. However, in the case of TalkTalk, once the hype died down it turned out that instead of the 4 million customer records stolen, it was under 200,000 – with fewer than 30,000 of those including payment details.
This is not to downplay the experience for those customers, which must have been frightening and concerning. The real issue is what led up to these events – and how poorly most businesses are prepared from a risk and crisis management point of view.
Senior people are often ill-equipped to understand the details, design and risks of holding data. Most IT people operate within software ‘stacks’ or technology applications – with little understanding of how to protect data.
In the old world, you prevented security risks to data because it sat within core software and systems installed on boxes in your office or data centre. Access was controlled by user rights, monitoring and a strong ‘firewall’ approach.
Everything is digitised
Now that everything is digitised, data must flow more freely to deliver a personalised and multi-channel experience, to make real-time recommendations and to update prices and stock. Data can reside in a number of places and must be able to be accessed from multiple sources.
Understanding privacy and security at a data level rather than a systems level is the fundamental paradigm change.
Hacking is not new; it has been going on since the first days of the internet and remote access of systems. What has changed are the opportunities, gaps and flaws in a bigger ecosystem of software and technology. Hacking ‘culture’ has always been around – there are just more opportunities for criminal masterminds and the criminally bored to find the gaps.
Not taking ownership
Most businesses have not kept up. It’s not a part of core risk management, senior people aren’t taking ownership, and data is not given the transparent and ethical customer focus required.
Businesses will need to shape up. If they continue to ignore the problem because senior management isn’t up to the job, the control will be taken out of their hands and regulation will be imposed.