Dido Harding: We must confront the dark side of the internet
If companies are going to protect their customers against cybercrime they must be honest with them, writes Baroness Harding
In October 2015 TalkTalk was hacked. Throughout the attack we were determined to be open and honest with customers, but it’s since become clear that our experience was also a wake-up call for corporate Britain. In that same spirit of transparency, I’m committed to sharing what we learned, in the hope that this proves a catalyst for the change needed to protect Britain from the growing cyber threat.
The most important lesson for us has been that effective defence against cybercrime begins with an acknowledgement of the threat. Whilst the internet is a tremendous force for good, it also has a dark side which nation states, terrorists and criminals seek to exploit. We don’t leave those threats unchecked in the physical world; we must begin to confront them online as well.
Because cyber security is a complex, technical issue, it often exists in organisational siloes. CEOs may say it is a board-level matter, but frequently they are simply asking their technical team whether they are ‘safe’. In truth, no business can be 100% safe. Not without ceasing to trade online and surrendering Britain’s status as a leading digital economy.
Instead, we must get better at understanding and minimising risk. For a CEO, that means not asking ‘are we safe?’ but rather ‘what risks are we taking and how do we mitigate them?’ Leaders are paid to assess and balance risks. Cyber security is no different. We must learn to ask the difficult questions and face the answers.
What happened to TalkTalk is unfortunately far from unique. What is rare is that we chose to tell people. Government figures show nine in ten large organisations suffered a data breach last year, and GCHQ deals with over 200 major incidents each month. The vast majority go unreported.
The logic for covering up an attack is obvious. Companies worry about reputation, customer loyalty, share price. Our attack had consequences for all three. Some of my peers privately tell me I was naïve to speak out. Even with the benefit of hindsight, I completely disagree.
Warning our customers quickly helped protect them. We worked with banks and credit checking agencies to monitor accounts. We provided information to help customers change passwords and identify scams. By contrast, keeping customers in the dark exposes them to criminals. That may be an uncomfortable fact for many businesses, but it is a fact.
The reality is that being honest with customers pays dividends in the long term, as shown by customer polling since our attack. Yes, customers are concerned about their data, but our approach has actually been rewarded with a significant rise in trust levels in TalkTalk since the attack. Clearly there’s still work to be done on this front, but my advice to other CEOs is be brave. Protecting customers is the right thing to do and the best way to protect your company long term.
Telecoms companies have a special responsibility in this fight. Criminals often lack sufficient data to steal from customers, but through scam calls will persuade people to hand it over. TalkTalk is still the only provider proactively blocking malicious calls at source, for free – over 70 million each month. It is time the entire industry stepped up.
We must also do more to help customers identify scams. TalkTalk has launched a set of ‘Nevers’ (things we will never ask a customer to do) so they can distinguish genuine contact from scams. We’re now working with our industry peers to standardise that list as a vital part of how we arm and protect customers.
It’s not just companies that must change; government must also act. Currently, only telecoms companies are legally obliged to report data breaches, and the rules are so broad as to be arguably avoidable in many situations. This is unacceptable – whether personal details are stolen from a phone company, department store or restaurant, customers have a right to know. Reforming reporting requirements must sit at the centre of the forthcoming Digital Economy Bill. I can’t think of a more important way to protect the digital economy than ensuring the rules strengthen consumer confidence in it.
SMEs, in particular, need help planning for and handling incidents. They don’t have the teams and contacts TalkTalk had in our moment of need. The government’s new ‘cyber hub’ will help ensure businesses know where to turn in a crisis. But larger businesses must also do more to share knowledge and learnings.
The online world does not have to be a ‘Digital Wild West’. Whilst it can never be 100% safe (any more than the physical world can be) I’m confident we can create the legal and moral frameworks to civilise the digital world. I am determined that TalkTalk’s experience helps us get there.
Baroness Harding of Winscombe is Chief Executive of the TalkTalk Group and a Conservative peer