» ISP News » 

Inquiry Threatens to Fine ISPs and Companies for Internet Security Fails

Monday, June 20th, 2016 (3:14 pm) - Score 472
police united kingdom

A cross-party Culture, Media and Sport Committee has published the outcome from an inquiry into Internet (cyber) security, which was setup following last year’s TalkTalk hack. The report recommends a series of changes, including jail terms for “data abusers” and fines for those who “fail to report, prepare for or learn from data breaches“.

The attack against TalkTalk’s web server and customer database, which appeared to combine a Distributed Denial of Service (DDoS) assault and later an SQL Injection exploit, exposed the personal details of some 156,959 customers to abuse and could end up costing the ISP around £80m; not forgetting the many subscribers who have since switched provider.

Sadly the Information Commissioner’s Office (ICO) has yet to produce a final verdict on the TalkTalk cyber-attack and today’s report suggests that their 30 staff might not be enough to handle the 200,000 or so public concerns received per year, although the incident did at least help MPs to recognise that cyber security is something that needed to be given greater consideration.

As such today’s report starts by praising TalkTalk’s “prompt” admission of the attack and “strong crisis management,” which it largely attributes to the leadership of CEO Dido Harding. However it also notes that not enough detail has been provided and then proceeds on to examine the wider issues.

Jesse Norman MP, Chair of the Committee, said:

“Companies must have robust strategies and processes in place, backed by adequate resources and clear lines of accountability, to stay one step ahead in a sophisticated and rapidly evolving environment. Failure to prepare for or learn from cyber-attacks, and failure to inform and protect consumers, must draw sanctions serious enough to act as a real incentive and deterrent.

As the TalkTalk case shows, the reality is that cyber-attacks are a constant, evolving threat. TalkTalk responded quickly and well to this attack, but appear to have been much less effective in the past, failing to learn from repeated breaches of different kinds.

They should now publish as much of the PWC investigation as commercially possible without delay, and set out exactly how they will implement any necessary changes. Everyone must take the lessons from the Talk Talk breaches as a wake-up call – both in how they prepare to prevent cyber-attacks, and in how they deal with their consumers when those attacks occur.”

The report claims that 90% of large organisations have reportedly experienced a security breach and 25% of companies experience a cyber-breach at least once a month. The public sector was also found to suffer from similar problems, with the health and local government sectors being hit by the most data breaches of all.

However, not all threats to cyber security or data protection are from external actors, with over 40% being caused by employees, contractors and third party suppliers (half of these are said to be accidental). In keeping with this the inquiry has made a series of recommendations.

Company responsibility and consumer rights

* Companies must report their cyber security and data protection strategies to the ICO.

* They should also include these in their annual reports, in the same way as the requirement for environmental and social reporting where material: quadruple bottom line reporting.

* It is appropriate for the CEO to lead a crisis response, should a major attack arise, but cyber security should sit with someone able to take full day-to-day responsibility who can be fully sanctioned if the company has not taken sufficient steps to protect itself from a cyber-attack.

* To ensure this issue receives sufficient CEO attention before a crisis strikes, a portion of CEO compensation should be linked to effective cyber security.

General recommendations

* Companies must make it much easier to verify if communications, whether online or by telephone, are genuine. The ICO’s system of sanctions should include fines for companies that fail to do this.

* It should be easier for victims of a data breach to claim compensation.

* It is not enough for companies to say they weren’t aware. Breaches are common, and all companies need to plan and test for that eventuality.

* Further, they need to demonstrate they have identified and addressed the weaknesses that have led to any data breaches.

* The vulnerability of the massive new data pools that will be created by the Investigatory Powers Bill needs to be urgently addressed by Government.

* Good cyber practice will need to evolve and develop: this is essential to maintain consumer confidence and Britain’s place as the top internet economy in the G20.

* There needs to be a step change in consumer awareness of on-line and telephone scams, and the Government should initiate a public awareness-raising campaign, on a par with its campaign to promote smoke alarm testing.

* We support the ICO’s call to bring into force Sections 77 and 78 of the Criminal Justice and Immigration Act 2008, which would allow a maximum custodial sentence of two years for those convicted of unlawfully obtaining and selling personal data.

The inquiry should form a useful foundation for future changes, although it’s perhaps worth considering the other side of the story. Firstly, nothing is ever 100% secure and no organisation, business or individual can ever truly claim to be completely safe; enterprising hackers will always find a way around even the best security, assuming there’s even a clear definition of “best“.

Similarly not all businesses or organisations, especially smaller ones, will have the money or skills necessary to guarantee (if possible) that they have the best security. Meanwhile that lack of knowledge may lead some to assume that they are safe when in fact the opposite may be true. Education and assistance would perhaps be a more productive than simply imposing a fine, which penalises an entity that has already suffered damage through a criminal attack.

The threat of a fine may also have the undesired impact of encouraging those who have suffered from a cyber-attack to not report it, which is especially relevant since some criminals will blackmail their target with requests for money in order to stop an attack against the targeted entity/group. As a result some may end up finding it cheaper to pay the criminal rather than risk a fine from being honest by reporting the later breach.

On top of all that there’s a wrongful assumption above that the target will know they’ve been hacked, when in reality this only happens if the attacker needs to be aggressive in order to break into a system and that can leave a noticeable trail of damage. However other hacks, especially those that aim to steal personal data, may happen without the target even being aware and only those organisations that have full visibility / control of their network might spot the activity and even then it’s not always obvious.

Share with Twitter
Share with Linkedin
Share with Facebook
Share with Reddit
Share with Pinterest
Mark Jackson
By Mark Jackson
Mark is a professional technology writer, IT consultant and computer engineer from Dorset (England), he also founded ISPreview in 1999 and enjoys analysing the latest telecoms and broadband developments. Find me on Twitter, , Facebook and Linkedin.
Leave a Comment
0 Responses

Comments are closed.

Comments RSS Feed

Javascript must be enabled to post (most browsers do this automatically)

Privacy Notice: Please note that news comments are anonymous, which means that we do NOT require you to enter any real personal details to post a message. By clicking to submit a post you agree to storing your comment content, display name, IP, email and / or website details in our database, for as long as the post remains live.

Only the submitted name and comment will be displayed in public, while the rest will be kept private (we will never share this outside of ISPreview, regardless of whether the data is real or fake). This comment system uses submitted IP, email and website address data to spot abuse and spammers. All data is transferred via an encrypted (https secure) session.

NOTE 1: Sometimes your comment might not appear immediately due to site cache (this is cleared every few hours) or it may be caught by automated moderation / anti-spam.

NOTE 2: Comments that break our rules, spam, troll or post via known fake IP/proxy servers may be blocked or removed.
Cheapest Superfast ISPs
  • Hyperoptic £19.95 (*22.00)
    Avg. Speed 50Mbps, Unlimited
    Gift: Promo Code: HYPER20
  • Plusnet £21.99 (*35.98)
    Avg. Speed 36Mbps, Unlimited
    Gift: £50 Reward Card
  • SSE £22.00
    Avg. Speed 35Mbps, Unlimited
    Gift: None
  • xln telecom £22.74 (*47.94)
    Avg. Speed 66Mbps, Unlimited
    Gift: None
  • TalkTalk £22.95 (*29.95)
    Avg. Speed 38Mbps, Unlimited
    Gift: None
Prices inc. Line Rental | View All
The Top 20 Category Tags
  1. BT (2714)
  2. FTTP (2599)
  3. FTTC (1756)
  4. Building Digital UK (1699)
  5. Politics (1604)
  6. Openreach (1562)
  7. Business (1387)
  8. FTTH (1310)
  9. Statistics (1206)
  10. Mobile Broadband (1177)
  11. Fibre Optic (1043)
  12. 4G (1013)
  13. Wireless Internet (997)
  14. Ofcom Regulation (993)
  15. Virgin Media (976)
  16. EE (671)
  17. Sky Broadband (655)
  18. TalkTalk (644)
  19. Vodafone (641)
  20. 5G (472)
Helpful ISP Guides and Tips

Copyright © 1999 to Present - ISPreview.co.uk - All Rights Reserved - Terms , Privacy and Cookie Policy , Links , Website Rules , Contact