Infosec Europe
Baroness Dido Harding, former chief exec of Brit telco TalkTalk, warned other business leaders of the dangers posed by legacy tech in the opening keynote of the Infosecurity Europe conference in London.
Harding stood by TalkTalk's decision to alert its customers to the company's notorious October 2015 breach the same day it was discovered, going against the advice of police trying to track the perps, who were extorting the firm in exchange for the return of stolen data. Harding herself fronted the much-criticised campaign to get the word out.
Criticism centred on TalkTalk's admission that it didn't know whether the leaked data, which included customer bank details, was encrypted, or how many records had been compromised. The firm's advice about phishing was also deemed to be poor. TalkTalk had suffered less serious breaches before and its failure to devise an adequate security response plan was slammed by technically knowledgeable outsiders.
Harding – who described herself as a member of "Cyber Anonymous", a made-up club for business leaders whose firms had suffered a breach – has reinvented herself as a cybersecurity advocate. Her gig at Infosec followed a number of speeches to big biz about incident response.
She delivered a polished performance, though it failed to mention the record £400,000 fine subsequently levied on the firm by the Information Commissioner's Office. El Reg asked Harding whether TalkTalk would have survived had the European General Data Protection Regulation (GDPR) been in place at the time.
She sidestepped the question, saying it was not her place to second-guess the regulators and that she welcomed the tighter rules since introduced under GDPR.
Harding also declined to answer a question from the hall and another submitted online about whether and how the size of TalkTalk's security budget and team changed in response to the breach. The Tory peer admitted TalkTalk "could have done more" to prevent the attack and that the security budget did go up – without going into any detail whatsoever.
She also acknowledged the telco had been hacked as the result of an "extremely simple SQL injection attack", which she blamed on legacy tech.
"There was the IT equivalent of an old shed in a field that was covered in brambles," she said. "All we saw was the brambles and not the open window."
Business leaders should invest in decommissioning old tech because of the cybersecurity risk it poses, she advised. After the attack, TalkTalk became a honey pot for other hackers, delaying the firm's reinstatement of a customer payment portal.
There are trade-offs in what the business might want to do and what's an acceptable security risk in the aftermath of a breach, she told delegates.
Company boards need to take cybersecurity more seriously, Harding concluded, adding that it should be as important as maintenance on oil rigs. Chief execs should get down in the trenches and spend time with the "young stars" of their security teams to learn about risk, she added. ®
During her Infosec speech, Harding didn't apologise for the breach, which in fairness she had done repeatedly in TV interviews immediately after the incident. But she didn't say TalkTalk takes the security of its customers seriously either – disappointing holders of security breach bingo cards in the process.