

    Welcome to Sky User - The Unofficial Support Forum for everything Sky! - Proudly helping over 65k members.



    Inquiry Threatens to Fine ISPs and Companies for Internet Security Fails


    #1 Scubbie, Sky User Moderator (Join Date: Mar 2010, Location: Near Portsmouth, Posts: 28,202)
      Exchange: 02392 | Broadband ISP: Sky Fibre Unlimited | Router: Sky Q Hub ER110 | Sky TV: Sky+HD box

      Inquiry Threatens to Fine ISPs and Companies for Internet Security Fails

      Inquiry Threatens to Fine ISPs and Companies for Internet Security Fails - ISPreview UK
      A cross-party Culture, Media and Sport Committee has published the outcome from an inquiry into Internet (cyber) security, which was set up following last year’s TalkTalk hack. The report recommends a series of changes, including jail terms for “data abusers” and fines for those who “fail to report, prepare for or learn from data breaches”.

      The attack against TalkTalk’s web server and customer database, which appeared to combine a Distributed Denial of Service (DDoS) assault and later an SQL Injection exploit, exposed the personal details of some 156,959 customers to abuse and could end up costing the ISP around £80m; not forgetting the many subscribers who have since switched provider.

      Sadly the Information Commissioner’s Office (ICO) has yet to produce a final verdict on the TalkTalk cyber-attack, and today’s report suggests that their 30 staff might not be enough to handle the 200,000 or so public concerns received per year, although the incident did at least help MPs to recognise that cyber security is something that needs to be given greater consideration.

      As such, today’s report starts by praising TalkTalk’s “prompt” admission of the attack and “strong crisis management,” which it largely attributes to the leadership of CEO Dido Harding. However, it also notes that not enough detail has been provided and then proceeds to examine the wider issues.

      Jesse Norman MP, Chair of the Committee, said:

      “Companies must have robust strategies and processes in place, backed by adequate resources and clear lines of accountability, to stay one step ahead in a sophisticated and rapidly evolving environment. Failure to prepare for or learn from cyber-attacks, and failure to inform and protect consumers, must draw sanctions serious enough to act as a real incentive and deterrent.

      As the TalkTalk case shows, the reality is that cyber-attacks are a constant, evolving threat. TalkTalk responded quickly and well to this attack, but appear to have been much less effective in the past, failing to learn from repeated breaches of different kinds.

      They should now publish as much of the PWC investigation as commercially possible without delay, and set out exactly how they will implement any necessary changes. Everyone must take the lessons from the Talk Talk breaches as a wake-up call – both in how they prepare to prevent cyber-attacks, and in how they deal with their consumers when those attacks occur.”
      The report claims that 90% of large organisations have reportedly experienced a security breach and 25% of companies experience a cyber-breach at least once a month. The public sector was also found to suffer from similar problems, with the health and local government sectors being hit by the most data breaches of all.

      However, not all threats to cyber security or data protection are from external actors, with over 40% being caused by employees, contractors and third party suppliers (half of these are said to be accidental). In keeping with this the inquiry has made a series of recommendations.

      Company responsibility and consumer rights

      • Companies must report their cyber security and data protection strategies to the ICO.
      • They should also include these in their annual reports, in the same way as the requirement for environmental and social reporting where material: quadruple bottom line reporting.
      • It is appropriate for the CEO to lead a crisis response, should a major attack arise, but cyber security should sit with someone able to take full day-to-day responsibility who can be fully sanctioned if the company has not taken sufficient steps to protect itself from a cyber-attack.
      • To ensure this issue receives sufficient CEO attention before a crisis strikes, a portion of CEO compensation should be linked to effective cyber security.


      General recommendations

      • Companies must make it much easier to verify if communications, whether online or by telephone, are genuine. The ICO’s system of sanctions should include fines for companies that fail to do this.
      • It should be easier for victims of a data breach to claim compensation.
      • It is not enough for companies to say they weren’t aware. Breaches are common, and all companies need to plan and test for that eventuality.
      • Further, they need to demonstrate they have identified and addressed the weaknesses that have led to any data breaches.
      • The vulnerability of the massive new data pools that will be created by the Investigatory Powers Bill needs to be urgently addressed by Government.
      • Good cyber practice will need to evolve and develop: this is essential to maintain consumer confidence and Britain’s place as the top internet economy in the G20.
      • There needs to be a step change in consumer awareness of on-line and telephone scams, and the Government should initiate a public awareness-raising campaign, on a par with its campaign to promote smoke alarm testing.
      • We support the ICO’s call to bring into force Sections 77 and 78 of the Criminal Justice and Immigration Act 2008, which would allow a maximum custodial sentence of two years for those convicted of unlawfully obtaining and selling personal data.


      The inquiry should form a useful foundation for future changes, although it’s perhaps worth considering the other side of the story. Firstly, nothing is ever 100% secure and no organisation, business or individual can ever truly claim to be completely safe; enterprising hackers will always find a way around even the best security, assuming there’s even a clear definition of “best”.

      Similarly, not all businesses or organisations, especially smaller ones, will have the money or skills necessary to guarantee (if possible) that they have the best security. Meanwhile, that lack of knowledge may lead some to assume that they are safe when in fact the opposite may be true. Education and assistance would perhaps be more productive than simply imposing a fine, which penalises an entity that has already suffered damage through a criminal attack.

      The threat of a fine may also have the undesired impact of encouraging those who have suffered from a cyber-attack to not report it, which is especially relevant since some criminals will blackmail their target with requests for money in order to stop an attack against the targeted entity/group. As a result some may end up finding it cheaper to pay the criminal rather than risk a fine from being honest by reporting the later breach.

      On top of all that, there’s a wrongful assumption above that the target will know they’ve been hacked, when in reality this only happens if the attacker needs to be aggressive in order to break into a system, and that can leave a noticeable trail of damage. However, other hacks, especially those that aim to steal personal data, may happen without the target even being aware, and only those organisations that have full visibility / control of their network might spot the activity; even then it’s not always obvious.

      Comment: Is this the right kind of response, and do you think that it will help to protect us from the hackers and ensure that such attempts are reported promptly? Remember that whilst TalkTalk has been hacked a few times and admitted it promptly, others took a couple of years to admit their systems had been hacked. It makes you wonder if any haven't admitted to being hacked at all.


    #2 BurnIT, Sky User Member (Join Date: Mar 2012, Location: Polesworth, Posts: 242)
      Exchange: 01827 | Broadband ISP: Sky Broadband Unlimited | Router: Sagem F@ST 2504n | Sky TV: Sky+HD box

      Re: Inquiry Threatens to Fine ISPs and Companies for Internet Security Fails

      Did TalkTalk only admit it promptly because the fact was already known and going to hit the media anyway?

    #3 Scubbie, Sky User Moderator (Join Date: Mar 2010, Location: Near Portsmouth, Posts: 28,202)
      Exchange: 02392 | Broadband ISP: Sky Fibre Unlimited | Router: Sky Q Hub ER110 | Sky TV: Sky+HD box

      Re: Inquiry Threatens to Fine ISPs and Companies for Internet Security Fails

      Very likely. It didn't help much that they'd already been hacked previously either.

    SkyUser - Copyright © 2006-2020. SatDish and NewsreadeR | SkyUser is in no way affiliated with Sky Broadband / BSkyB
    RIPA NOTICE: NO CONSENT IS GIVEN FOR INTERCEPTION OF PAGE TRANSMISSION