Only 30 government staff work on UK’s corporate data breaches – and 10 other things we learned from the TalkTalk case

Written as editor of the New Statesman’s NS Tech and first published here.

The Culture Media and Sport Committee (CMSC) released a pretty whopping report yesterday prompted by the massive TalkTalk data breach. As it points out, eight months later, we are still awaiting the Information Commissioner’s verdict on the incident.

But, in the meantime, the document paints a reasonably dire picture of where we are right now – while also offering a few recommendations that could change the handling of the UK’s cyber security. Every cloud…

  1. The Information Commissioner received almost 200,000 data protection referrals in the year to March 2015 – there are just 30 staff dealing with those, working on “approximately 1,000 cases at any given time”
  2. The committee has recommended that the Information Commissioner “makes an assessment of resources and priorities as soon as possible” – AKA – get more staff
  3. TalkTalk reported 14 data breaches to the ICO in the two years before the most recent attack – but during that time was kept off the Information Commissioner’s ‘watch list’ of risky businesses
  4. TalkTalk’s CEO Dido Harding said she saw herself as both “accountable and responsible” for security, but the committee said it would be “highly unusual” for the head of a breached company to resign
  5. The committee recommended the rather un-novel idea of allocating responsibility to a chief information officer
  6. It also suggests that “a portion of CEO compensation should be linked to effective cyber security”, instead Harding has just received a £2.8m pay packet
  7. The committee has also recommended a public awareness campaign like that rolled out for smoke alarms, stating that “consumers also have a responsibility to protect themselves”
  8. But it also said it’s “no longer a defence” for companies to say they aren’t aware of the potential for SQL injection or other well-known exploits, with “escalating fines” proposed for poor performance
  9. The committee expressed surprise that there is “no requirement to make security a major consideration in the design of new IT systems and apps”
  10. It suggests that “security by design should be a core principle for new system and apps development and a mandatory part of developer training, with existing development staff retrained as necessary”
  11. The committee itself used both the terms ‘on-line’ and ‘on line’ within its report, which doesn’t give you much faith in its understanding of online threats…

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s