“This represents another serious incident from a data-breach perspective at TalkTalk; unfortunately not for the first time this year. Questions have to be raised around the point of data-at-rest security and whether organisations are indeed doing all they can to assure that customer data (whether it be credit card, banking details or personally identifiable information) is as protected as it could be in the case of a serious data breach.
We cannot continue to rely on legacy security tools and techniques in the battle against the modern day cyber criminals that are targeting our organisations on a global scale. Fundamentally it is safer to assume that we will be a target of an attack (and in many cases an advanced threat) and look at the problem from the inside out. Clearly it’s important to look at how we can better prevent data breaches and implement more effective tools to identify pre and post compromise activity, however CISO’s, CSO’s and CEO’s should take the lessons learned from the countless data breaches we’ve seen this past while and seek to answer the question on how well prepared is the organisation in the event a data-breach does occur and how can customer data be better protected should the worst happen, says Richard Cassidy, technical director EMEA, Alert Logic.
Clearly there are questions in the case of this breach, as to what mechanisms were put in place to protect the data hackers came after; perhaps too much focus was put on perimeter security and detection of threats, rather than focusing on better protecting what assets attackers would be coming after in the first place. Fundamentally organisations need to start with an intrinsic understanding the anatomy of an attack as the first line of defence. Organisations have responsibility for protecting our data and perhaps a change is needed in legislation to compensate customers who suffer a financial loss as a result of their data being compromised; all too often we see organisations defer liability when a customer suffers a financial loss at the hands of bad actor groups who used the data they stole from a successful breach to compromise the organisations customers. The vast majority of consumers are not I.T or even Security savvy, especially the older generation; it can often be incredibly hard to discern from a bogus call purporting to be your provider (using the data they’ve gleaned from a breach) and a legitimate call. It would be far better for organisations of the ilk of TalkTalk to offer up better information to consumers on how to identify how their data could be used in such campaigns and to take more responsibility in supporting customers who suffer a loss as a result.
Ultimately however it points to the need for organisations to really question their “data-at-rest” encryption standards and capabilities and more importantly the protection of the keys that are used to maintain encryption. If more focus was placed on the assumption that a data breach is highly likely to occur and as a result of this, how can losses be mitigated against should corporate or customer data be exfiltrated. The first answer quite evidently lies in how we encrypt the data we might lose and thus make any attempt at using that data a very tall order indeed for the bad actors to seek it.”
The author of this blog is Richard Cassidy, technical director EMEA, Alert Logic
