TalkTalk, a UK based telecommunications provider has at once publicly disclosed that the firm saw a 56% decline in last year’s profits and total revenues increased by 2.4% in the 12 months preceding March 31, 2016. The decline in profits is undoubtedly due to the aftereffects of a cyberattack in which the names, phone numbers, and email addresses of a reported 157,000 customers were lost. In addition, during the same incident 21,000 bank account numbers were accessed. As a (justifiable) knee-jerk reaction, more than 100,000 subscribers flew the coop, switching service to providers like Sky, BT, and Virgin Media. Yet in its Q4 leading up to March 31st, the company experienced its lowest ever “churn,” meaning that customer turnover was nominal and retention relatively stable, the company’s chief executive said in a statement.
On the stock market front, despite a bit of a bounce back, analysts are recommending investors sell off TalkTalk shares ASAP.
This amalgamation of information is confusing. For comparison’s sake, though, Target’s profits dropped 46% immediately following its breach, yet Home Depot posted a 5.4% increase in sales the year following its breach compared to the year prior. Both companies’ total revenues are higher today than they were pre-breach.
This is not new news, and this post isn’t about how companies can survive a breach if it’s handled correctly in the media. History already proves that’s the case.
If you goin’ in put your hands in the air
Home Depot and Target threw themselves into their respective breaches, not only publicly disclosing information to customers and the press, but also upgrading systems and putting a focus on security. TalkTalk hasn’t done that. They offered customers aggressive incentives to stay, but nothing viable has been disclosed as to their plans for improving information security. Back in December 2015, the company claimed all customers would receive a “new bundle of online and telephone security features,” but the “enhancements” were aimed at deterring scammers and cold calls by providing caller ID, anonymous caller reject, voicemail, and call blocking. Another offer for a free subscription to HomeSafe also appeared at a point. According to the company’s website, HomeSafe helps customers block potentially malicious websites, provides anti-virus protection, and serves up virus alerts. First off, in this day and age, these “features” should be part of all telecom providers’ packages regardless of breach status. Second, technology researchers quickly voiced concerns about the relative ease with which an adversary could bypass the flimsy controls. In addition, the types of controls used or how the company planned to block new sites versus malicious sites known to TalkTalk hasn’t been made clear. When challenged about the efficacy of HomeSafe, a TalkTalk spokesman responded: "If there are two guys in Ukraine constantly setting up [malicious] sites, we can't guarantee that they won't succeed [in bypassing HomeSafe]."
In effect, TalkTalk put a Band-Aid over a bullet hole. Data that was stolen was stolen in clear text. Where’s the promise of encryption? Where’s the content filtering? Blocking “some potentially malicious websites” is not the same thing. And we all know AV is only effective against the most obvious spam. The company hasn’t made an honest attempt at improving security and is hoping other companies’ efforts will allow them to ride the tide back to normalcy (or even growth). What actually ensues is yet to be seen, but “holding steady” isn’t a clear path to profits.
Got money on my mind, I can never get enough
With time, consumers become bit-by-bit more educated about data security, privacy, and encryption. They expect the companies with which they do business to make an honest effort and invest in security. It’s no longer a nice-to-have, and companies that don’t take security seriously will likely be left behind while the Home Depots and Targets of the world thrive. Companies that go above and beyond will be the future winners. Darrin Reynolds, CEO and Founder of Reynolds Privacy, says the key to business success is robust security architecture and transparency. He shared an anecdote about a recent call with a company with “a truly enviable security posture.” The difference between that company and TalkTalk is that the former, “actually cares to do the things most others just wish they could implement... and they do it well. They do this because they recognize how much the success of their business is tied to the success of their security architecture,” he said. Reynolds continued in saying that mandates for “mature processes and admirable programs” must come from the top. From the board on down, companies need to believe that “businesses that can't tie the medal of success to their security program will increasingly wear the millstone of security's failure.”
It will be interesting to see how TalkTalk responds in the coming months, but (after many years of banging the drum) it’s becoming clear that information security is an essential element of business success, regardless of industry, company size, or geography. The general publics’ requirements for security and privacy are transforming rapidly, and consumers are already beginning to vote with their wallets. Companies that fail to respond to these demands will disappear, leaving the more security-minded organizations greater opportunities for success.