Monday, 26 October 2015

Why the TalkTalk hack is a crisis of leadership and culture, not technology...

TalkTalk getting talked about

Thursday night's news (22 October) featured an interview with Dido Harding, CEO of TalkTalk, the British telecoms group which, according to Wikipedia "is a company which provides pay television, telecommunications, internet access, and mobile network services to businesses and consumers in the United Kingdom".

The big news, for those who hadn't heard, was the sustained DDoS attack on the site on Wednesday, during which personal data belonging to some (or all) of TalkTalk's 4 million customers was stolen by what were referred to as 'Russian Jihadists' (and later turned out to be a 15-year-old boy in Northern Ireland).

Ms Harding (or Lady Harding as perhaps she should be known, after being made a life peer in 2014) did a good PR job of going around the media saying 'mea culpa' and 'we made a mistake', and opening herself up to the public drubbing and to the 20% fall in TalkTalk's share price over the past 5 days.

The method of entry the hackers used was, apparently, 'SQL injection', which cyber-security experts describe as a well-known attack vector that is straightforward to protect against.
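The protection those experts have in mind is the parameterised query: the SQL text is fixed in advance and user input is only ever bound as a value. As an added illustration (not code from TalkTalk or from the original post), here is the same customer lookup written the broken way and the safe way against a constructed in-memory SQLite table; the table, its rows and the probe string are all invented for the example:

```python
import sqlite3

# Constructed sample data for the example (not a real schema or real customers).
SAMPLE_CUSTOMERS = [
    ("ACC-1001", "alice@example.invalid"),
    ("ACC-1002", "bob@example.invalid"),
    ("ACC-1003", "carol@example.invalid"),
]


def make_db() -> sqlite3.Connection:
    """In-memory database seeded with the constructed rows above."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (account TEXT, email TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?)", SAMPLE_CUSTOMERS)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, account: str) -> list:
    """The defect: untrusted input is spliced into the SQL text, so the input
    can alter the structure of the query rather than just the value compared."""
    sql = f"SELECT account, email FROM customers WHERE account = '{account}'"
    return conn.execute(sql).fetchall()


def lookup_parameterised(conn: sqlite3.Connection, account: str) -> list:
    """The fix: the SQL text never changes and the driver binds the value, so
    whatever the input contains it is only ever compared as a string literal."""
    sql = "SELECT account, email FROM customers WHERE account = ?"
    return conn.execute(sql, (account,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    probe = "x' OR '1'='1"  # constructed malformed input, not a real account id
    # The spliced query becomes ... WHERE account = 'x' OR '1'='1' and matches every row.
    print("vulnerable:", len(lookup_vulnerable(db, probe)), "rows returned")
    # The bound query compares the whole string as data and matches nothing.
    print("parameterised:", len(lookup_parameterised(db, probe)), "rows returned")
```

The two functions behave identically for well-formed account numbers; they only diverge on malformed input, which is exactly why the defect survives ordinary functional testing.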

The PR piece

On her appearance on the BBC News she also said that she didn't know whether the data was unencrypted. Even though it was later suggested that it was encrypted, it took her until 3 minutes and 20 seconds into the announcement to tell customers that they should check their bank accounts for unusual activity, along with the other simple precautions they should take, suggesting that customers' concerns were not the highest of her priorities.
I am a TalkTalk customer and yet, despite the company's impressive ability to update me regularly about new channels I can subscribe to or when I've rented a new film online, they didn't get around to contacting me personally about the issue until gone 3pm on Friday... almost two days after the attack apparently happened. Perhaps while Dido was talking to the media, someone could have drafted an email and a text? The text wouldn't have taken long... and they didn't have a message on the website for a couple of days either.

The Reality

Modern companies will be hacked. This is a fact of life. Just as employers should learn to trust their employees and embrace the possibilities of social technologies, so they should also accept the fact that hackers (who are, themselves, a social technology - allowing multiple people to work together, virtually, to break into computer systems) are going to try to attack them. It's not as if TalkTalk hadn't been the victim of an attack before, and they should have been better prepared to respond to it. You don't expect banks to keep your money in a cardboard shoe-box under the counter. You expect them to take every precaution, including signature and PIN identification measures, extra ID and a big strong vault, because you know that there are those with a penchant for sawn-off shotguns and wearing ladies' tights on their heads who are likely to be tempted to steal the money.

A Leadership Problem

All of this highlights the fact that the problems at TalkTalk are not ones of technology; they are ones of leadership. Not just Ms Harding's leadership, in apparently failing to fill key I.T. roles within the organisation, although personnel changes should not, in the short term, alter the status quo of an I.T. system.

The leadership failing runs throughout the organisation, not just among the C-level executives. It seems very difficult to believe that no one in TalkTalk's I.T. department was aware of the failings of the systems they were maintaining. It seems more likely that they either chose not to say anything (and in so doing showed, in my opinion, a lack of leadership and personal responsibility) or were too scared to.

Everyone can show leadership by influencing everyone else in the team to perform to the best of their abilities for the benefit of the team. Everyone needs to take personal responsibility for their actions and for the actions they can influence. And everyone should be thinking about the ethical aspect of what they do - are they doing the right thing?

Embracing Social Technologies

TalkTalk failed, furthermore, to embrace the hacker community outside the organisation, possibly believing that if they didn't engage with it they wouldn't get hacked? Perhaps they could have taken a leaf out of Facebook's 'White Hat' programme, which invites hackers to identify bugs and vulnerabilities in Facebook's systems and, if those had not been previously identified, earn a minimum of $500 (with no maximum - the bounty offered is based on the severity of the vulnerability), with over $1.3 million paid out by February this year and one hacker receiving $30k for identifying a serious hole in Facebook's security.

This kind of crowdsourcing is not new (Facebook started in 2011, Google a year before that, and crowdsourcing itself goes back more than ten years before that).

TalkTalk have failed. The technology flaws were unacceptable, but it is the management who are struggling: having failed to think beyond the basics, failed to inspire their teams to do the right thing, and failed to prevent both customers and investors from losing faith in them.