TalkTalk Broadband Scandal – Lack of Compliance?
No not the musical band from the UK. The ‘broad’band provider in the UK
Seriously though, four million customers of this broadband provider are at risk after it was hit with a second major cyber attack within this past year.
But what’s interesting about this story, is that experts referencing it say that many major companies are still turning a blind eye to major attacks. And cyber attacks like this second one that TalkTalk is dealing with, have left millions of customer data at risk. In fact, experts agree that many organizations like this take a blase approach to securing customer data because they are under the impression that data security doesn’t affect them.
Risks like this can’t continue to be swept under the rug, or put off for another day. Any company that flies blind to risk, no matter the industry, is setting themselves up for potential [guaranteed] harm.
Security challenges aren’t going anywhere. They really need to be addressed now. What companies need to do is treat their customer data like an asset [their most valuable asset], and do all they can to protect.
How they are going to protect this asset is not the purpose of this post. Rather, it’s important to highlight that all companies are at ‘risk’ and all companies need to put processes in place to mitigate that ‘risk’. And it’s even more important to look at past instances of malpractice and to not take the approach of pointing fingers asking who did it, but rather asking ‘where did we go wrong and how can we prevent it from happening again’.
Risks come in all shapes and sizes, from healthcare to broadband providers, financial institutions to mining operations. By taking a cue from a company who’s currently working through its own risk issues, now’s the time for all companies to take a better look at their policies and procedures – of course customized towards your industry and risks.
Why? Because your policies and procedures help your organization by ‘providing employees with a handy reference to daily business operations, common company activities, or routine organizational tasks’, and sets the standard that the organization expects of its employees. In the case of TalkTalk, their policies and procedures should have a section covering customers’ data, what the expectations are of protecting it, and of course, what course of action should be taken if there’s any suspicion of cyber threats.
The purpose for creating internal controls and documenting processes with well-written procedures comes down to a few very basic reasons:
- Operational Needs
- Managing Risks
- Continuous Improvement
I’m betting there were some murmurings inside the company somewhere of someone with knowledge of a cyber attack long before the full extent was completely uncovered. Were there mechanisms in place for people to shed some light on what they had knowledge of before it got out of hand? Do they have an ethics reporting system? Did they feel they could come forward safely to report any inconsistencies? Were past lessons not learned from the previous cyber attack?
If compliance is an issue in your organization, then creating well-defined processes documented by procedures in order to meet your legal and regulatory requirements should be a high priority. If you’re suffering from a second risk within a year, then you need to revamp your your documented procedures to ensure it doesn’t read like a 300 page legal brief that has your employees nodding off after the first paragraph.
Here’s a few tips to get your compliance program squeaky clean.