This week, we discuss a record ICO fine for TalkTalk, new encryption for Facebook, and state surveillance of all Yahoo Mail
Hello and welcome to the IT Governance podcast for Friday, 7th October. Here are this week’s stories.
TalkTalk has been fined a record £400,000 by the Information Commissioner’s Office for security failings that led to last October’s cyber attack, in which 156,959 customers’ personal data was accessed.
The Information Commissioner, Elizabeth Denham, said: “TalkTalk’s failure to implement the most basic cyber security measures allowed hackers to penetrate TalkTalk’s systems with ease.”
She continued: “Today’s record fine acts as a warning to others that cyber security is not an IT issue, it is a boardroom issue. Companies must be diligent and vigilant. They must do this not only because they have a duty under law, but because they have a duty to their customers.”
Under the Data Protection Act, organisations can be fined a maximum £500,000 by the ICO. When the new EU General Data Protection Regulation is enforced from May 2018, however, that maximum penalty increases to €20 million, or 4% of global annual turnover – whichever is the higher.
According to its 2015 annual report, TalkTalk’s revenue last year was £1.795 billion, 4% of which is… £71.8 million. Given that, earlier this year, TalkTalk estimated the incident to have cost it more than £60 million and about 100,000 customers, the company should be counting its blessings that the GDPR is still a couple of years away. And in case you think Brexit exempts UK companies from compliance, take note of the Information Commissioner’s words last week: “It is extremely likely that [the] GDPR will be live before the UK leaves the European Union.”
According to Wired, Facebook has introduced end-to-end encryption on its Messenger app, meaning all 900 million users can now use ‘Secret Conversations’ to ensure no one else can read their messages – “not even Facebook or law enforcement or intelligence agencies.” When you update the Messenger app, you’ll find the ‘secret’ option on the top-right of the ‘new message’ screen. This is an opt-in feature – don’t forget to change your settings. Users can also set an expiration time for messages, a feature popularised by Snapchat.
Talking of securing your communications… Soon after it was revealed that “information associated with at least 500 million” Yahoo users’ accounts was stolen by “state-sponsored” hackers in 2014, comes more bad news for the troubled tech giant.
Reuters reported this week that Yahoo “secretly built a custom software program to search all of its customers’ incoming emails for specific information provided by U.S. intelligence officials”. You heard that right: all of its customers. The newswire continued: “According to two […] former employees, Yahoo Chief Executive Marissa Mayer’s decision to obey the directive roiled some senior executives and led to the June 2015 departure of Chief Information Security Officer Alex Stamos, who now holds the top security job at Facebook”. In a brief statement, Yahoo commented: “Yahoo is a law abiding company, and complies with the laws of the United States.”
According to the BBC, Google, Microsoft, Facebook and Twitter all said they’d never been asked to carry out such scans. “We’ve never received such a request,” a Google spokesperson said, “but if we did, our response would be simple: ‘no way’.”
It’s US National Cyber Security Awareness Month. Next week’s topic is “From the Break Room to the boardroom: Creating a Culture of Cybersecurity in the Workplace.” Alongside processes and technology, people are an essential component of a robust cyber security strategy. Creating a culture of cyber security in your organisation ensures your staff are aware of the cyber threats targeting your company and know how to behave in case of attack. You can learn how you can influence your staff’s behaviour with IT Governance’s bestsellers Build a Security Culture and The Psychology of Information Security.
And don’t forget to check out our book of the month, Insider Threat: A Guide to Understanding, Detecting, and Defending Against the Enemy from Within by Dr Julie Mehan. Every type of organisation is vulnerable to insider abuse, errors or malicious attacks. This book shows how a security culture based on international best practice can help mitigate them.
Head over to our webshop to find out more.
Well, that’s it for this week. Until next time, remember that you can keep up to date with the latest information security news on our blog.
Whatever your cyber security needs – whether regulatory compliance, stakeholder reassurance or just greater business efficiency – IT Governance can help your organisation to protect, comply and thrive. Visit our website for more information: itgovernance.co.uk.