Cyber security experts have a responsibility to explain their field to generalists and not make it “so scary or so secretive that people are afraid of their own shadow”, the former CEO of TalkTalk, Dido Harding, has warned.
Delivering the keynote speech on the first day of Infosecurity Europe 2018, Harding said there is a “real danger” that cyber security is seen “as a sort of cloak and dagger, scary, negative thing” if experts fail to explain it.
Harding was the CEO of TalkTalk when, in 2015, it suffered one of the worst cyber attacks in British history. Hackers compromised 157,000 of its customer accounts, and the ISP was handed the biggest fine the Information Commissioner’s Office had ever issued. It stood accused of failing to implement “the most basic cyber security measures”.
TalkTalk’s profits fell by more than half in the year after the attack and it lost 101,000 customers in a single quarter. But Harding, who is now the chair of NHS Improvement, said today that three months after details of the strike emerged, the company’s brand was more trusted than it had been beforehand.
Internal polling of customers’ willingness to recommend the brand dipped within the first couple of weeks, but Harding claimed it then quickly rose. “Churn was lower than it had been before the attack,” she added. “Ultimately, that’s because they wouldn’t really have trusted us beforehand; they weren’t sure if the attack was our fault, but they couldn’t get away from the fact that we’d tried to help them.”
The Metropolitan Police had urged Harding not to announce the breach immediately, as officers wanted more time to track down the hackers. But she said she took the decision to ignore the Met’s pleas and warn customers of the risks of the breach.
“It’s extremely easy to scam a vulnerable customer if you ring them up with their bank account details,” she said. “The best way we could protect our customers was by warning them.”
In her concluding remarks, Harding urged tech workers to recognise their role in “building the scaffolding for the digital world – the moral, social and the legal scaffolding to make a civilised digital space”. She added: “Help us all treat it in exactly the same way in which we treat other risks – one to be acknowledged and managed and mitigated.”