I feel rather sorry for Talk Talk CEO Dido Harding who doesn't seem to have been particularly well briefed about the cyber breach her company suffered last week.
For a start, in a well-meaning attempt to help her customers avoid "phishing" scams, she reassured viewers of the BBC Breakfast programme on Friday morning that "We will never ask you to click through from an email onto a site that asks you for your password details". Unfortunately this is exactly what Talk Talk does (or at least did) on a regular basis.
Later she claimed that Talk Talk was the victim of a "sequential" attack. Presumably she meant "SQL injection" attack. Sounds technical but this isn't a difficult concept to get your head round and is very much the sort of thing CEO's need to be aware of. Their role here is to ask "Are we safe from..." rather than exploring the exact nature of any defences. (If you need an explanation of SQL injection attacks then I have given one at the end of this piece.)
More and more businesses are doing more and more online and collecting (and sometimes even using) more and more information about their customers. With the internet increasing in importance, a basic understanding of cyber security should be a requirement for any manager.
This is because cyber security can no longer be (if it ever has been) the responsibility of the IT department on its own. Everyone employed by an organisation should be aware of how their behaviour can contribute to digital security. Indeed the culture of an organisation needs to support cyber security by making unsafe behaviour as unacceptable as heating up fish soup in the work microwave!
It is particularly important for the most senior people in organisations to lead by example here: their behaviour and perceptions will inevitably be echoed by others. For instance if a Director shows themselves ignorant of cyber security, behaves in a risk manner, or fails to protect key assets such as customer data, it is inevitable that others will copy them.
In addition senior managers need to be able to quiz IT, marketing, operations and HR executives about the specific steps they have taken to reduce cyber risk and preserve the integrity of information and other assets. Because if they don't ask the awkward questions, who will?
Finally, if you are interested, in an SQL injection attack someone types computer code into a form on a website, rather than the information the form is asking for. The code is designed to make a database that is connected to the website do something that it is not supposed to do such as send all its data to an outside email address.
|Tweet||Did you like this blog? Let us know in the comments or share on Twitter|