Boardroom cybersecurity

Enterprises, SMBs must gird for new rules and protect sensitive data – or pay hefty price

Boardroom cybersecurityBritish telecom giant TalkTalk actually may have gotten off lightly when privacy regulators hit the British telecom giant with a £400,000 ($496,910) fine last week for failing to prevent a major data breach.

The fine, issued by the U.K.’s Information Commissioner’s Office is, indeed, for a record amount. And it will clearly hurt TalkTalk, both financially and in reputation.

Yet it comes just before Europe is about to get much more serious about penalizing corporations that give short shrift to protecting sensitive data.

In May 2016, the European Parliament ratified the new General Data Protection Regulation (GDPR), which will apply in all European states beginning May 25, 2018. Some of the key aspects of this regulation are the mandating of reporting data breaches and the increase in the maximum fine levels.

Under the new legislation, the maximum fines for exposing or misusing customer’s personal data can reach the higher of either €20,000,000 ($22.4 million) or 4 percent of worldwide annual turnover. In TalkTalk’s case 4 percent of its worldwide annual turnover from its May 2015 financial reports would have totaled £71.8m. That would have translated into a fine of $88.51 million vs. $500,000.

Not an isolated incident

The larger point is this: The security practices for which TalkTalk was fined, unfortunately, are still all too common among large enterprises, let alone small and midsize businesses.

From Oct. 15 through Oct. 21, 2015, hackers breached its network and exfiltrated data for 156,959 individuals, including names, addresses, dates of birth, telephone numbers and email addresses.

The information was accessed using a SQL injection attack on three vulnerable web pages TalkTalk inherited as part of a 2009 takeover of British Internet Service Provider, Tiscali.

Hackers hone attack methods

A SQL injection hack involves querying the databases underlying a web page—until the database hiccups and accepts an injection of malicious code. The intruder then gains full access to the data and a foothold to roam deeper.

SQL injection attacks have been around for years and traditionally were done manually, requiring time and skill. Over the past few years, organized crime rings have perfected automated SQL injection attacks that use botnets—networks of 10,000 or more infected PCs—to probe the internet for vulnerable websites and efficiently execute breaches en masse.

Technologies for staying current on security patches and for testing and continually tightening up web applications are readily available. They’ve been used by large financial institutions, the marquee technology companies, and big government agencies for more than a decade.

Vulnerabilities known but ignored

Of course, technology alone is not enough to keep business networks secure. People, policies and procedures all need to align to emphasize protecting sensitive data. However, the TalkTalk fine is the latest evidence that this basic tenet of the internet age has not been as widely embraced as it needs to be.

Consider that in six years since acquiring Tiscali, TalkTalk had failed to scan the pages for vulnerabilities, or to update any of the security packages around them. The attack originated from a bug that had a patch available for several years.

Hopefully the threat of material government fines will get the business community more focused on what it takes to operate effectively in today’s threat landscape.

As Britain’s Information Commissioner’s Office puts it: “Today’s record fine acts as a warning to others that cybersecurity is not an IT issue, it is a boardroom issue. Companies must be diligent and vigilant. They must do this not only because they have a duty under law, but because they have a duty to their customers.”

This article originally appeared on and was written by Thomas Spier.