H4cked off: TalkTalk demonstrates that technology-inept CEOs are a potential liability
Taxi for Dido Harding: For a £6.8m annual salary she ought to know more about the nuts and bolts of the business she's supposed to be running
It's the common refrain of the age: the UK is run by too many people with PPEs - Politics, Philosophy and Economics - from Oxford University, while business is run by MBAs who know little of the businesses they're supposed to be running.
TalkTalk's CEO, Baroness Dido Harding, can boast both a PPE and an MBA, and is the daughter of a Lord to boot. And, for her performance as head of one of the UK's largest internet service providers since 2010, she earned the not inconsiderable sum of £6,842,000 in 2014.
Harding's defence of the company since it admitted the latest cyber-attack has been toe-curling - one would've expected better of someone who climbed the corporate greasy pole via marketing. First, when the press heard that the company's website and email had gone down on Wednesday afternoon, the company denied that anything was wrong.
When it did admit that something was very wrong, it did so late on Thursday, releasing the news at 10pm, just as Friday's newspapers were going to press. Cynical commentators suggested an attempt at news management.
"TalkTalk began to experience latency issues on its website on Wednesday. We took the website down as soon as it was clear there was unusual activity. We immediately began investigating what was happening, including working with external cyber security experts. Working through the night it became clear that TalkTalk had been the victim of a cyber attack and that customer data had potentially been accessed," claimed a TalkTalk spokesperson in response to a series of questions posed by Computing.
They also denied any attempt at news management: "Obviously what we have been able to say is still incomplete, but we took the decision to go as early as we could once we had enough information to helpfully warn our customers. We did this straight away, with our CEO appearing on four live broadcast and radio shows between 10pm and midnight. We resumed this activity at 6am and have continued updating customers through the media over the course of the day."
When CEO Harding appeared on television, rather than reassuring customers, it only seems to have raised their hackles, especially when the company blamed "cyber jihadis" who, apparently, demanded the peculiar sum of £80,000 in bitcoin as a ransom - what, exactly, they could ransom is unclear, given that the damage had already been done.
The company went on to reveal that it had been subject to a "sequential attack", when it presumably meant that it had been subject to a SQL injection attack, which is an easy mistake for an amateur to make.
"This is an attack vector that has been known for more than a decade and it is still found in web applications around the globe. While it is possible for the error that enables such an attack to slip through a well-established application security program, they are fairly easy to prevent with the proper safeguards in place," commented Wim Remes, EMEA manager of strategic services at security services company Rapid7.
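To make Remes' point concrete, here is an added example (not code from the article, from TalkTalk or from Rapid7) of the defect he describes and the safeguard that prevents it. The table, the rows and the account-number lookup are constructed for the demo and are not TalkTalk's schema; the only real thing is the mechanism. The vulnerable version pastes attacker-controlled text into the SQL string, so a tautology returns every row and a UNION pulls a different column out of the same table; the parameterised version sends the value separately from the statement, so the same input is treated as a literal account number that matches nothing.

```python
import sqlite3

# Constructed sample data for the demo (not TalkTalk's data): account number -> e-mail address.
SAMPLE_CUSTOMERS = [
    ("10001", "alice@example.net"),
    ("10002", "bob@example.net"),
    ("10003", "carol@example.net"),
]

# Two classic payloads: a tautology that makes the WHERE clause always true,
# and a UNION that appends rows from another column; '--' comments out the trailing quote.
TAUTOLOGY = "' OR '1'='1"
UNION_EXFIL = "' UNION SELECT account_no FROM customers--"


def make_db() -> sqlite3.Connection:
    """In-memory SQLite database seeded with the constructed rows above."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (account_no TEXT PRIMARY KEY, email TEXT NOT NULL)"
    )
    conn.executemany("INSERT INTO customers VALUES (?, ?)", SAMPLE_CUSTOMERS)
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, account_no: str) -> list:
    """The decade-old mistake: user input is concatenated into the SQL text,
    so quotes and keywords in the input become part of the statement."""
    sql = "SELECT email FROM customers WHERE account_no = '" + account_no + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn: sqlite3.Connection, account_no: str) -> list:
    """Parameterised query: the statement is fixed and the value is bound
    separately, so the input can never change the query's structure."""
    sql = "SELECT email FROM customers WHERE account_no = ?"
    return [row[0] for row in conn.execute(sql, (account_no,))]


if __name__ == "__main__":
    db = make_db()
    print("normal lookup:          ", lookup_vulnerable(db, "10002"))
    print("vulnerable + tautology: ", lookup_vulnerable(db, TAUTOLOGY))
    print("vulnerable + UNION:     ", lookup_vulnerable(db, UNION_EXFIL))
    print("parameterised + tautology:", lookup_safe(db, TAUTOLOGY))
    print("parameterised + UNION:    ", lookup_safe(db, UNION_EXFIL))
```

Run it and the vulnerable function hands back all three e-mail addresses for the tautology and all three account numbers for the UNION payload, while the parameterised function returns an empty list for both. The fix is the same in every database driver: never build the statement from the input, bind the input to a placeholder.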
Such was the nature of the TalkTalk cyber attack that even the BCS Elite was moved to comment - and it didn't hold back from dishing out the criticism.
"It is difficult to understand why, in the context of previous cyber attacks against the company, TalkTalk has found it necessary to admit that some of their sensitive customer data was not adequately encrypted. TalkTalk was clearly a high-profile target, as are all companies holding data on large numbers of consumers, so the board and IT leadership of the company must have been aware that they were at risk."
It continued: "In modern IT systems it is easy to encrypt the data on the disks, in the database, in transit, and/or in the applications which use the data, some or all of which may be appropriate depending on the systems architecture and purpose for holding the data, meaning that nobody may read the data without the encryption key.
"Furthermore it is equally easy to 'one-way hash' data so that while it may be used for comparison purposes such as checking the validity of a password or security response it may not actually be read by anyone. Quite simply, while the technological sophistication required may be beyond the resources of some small companies, there is no good reason why any large company with extensive IT resources like TalkTalk should not encrypt and protect customers' data."
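The one-way hashing BCS Elite refers to is a few lines of standard-library code, as this added example shows (it is not code from the article, from BCS or from TalkTalk). The algorithm and parameters are the example's own choice: PBKDF2-HMAC-SHA256 from Python's hashlib, a random 16-byte salt per record, and an iteration count chosen to make each guess deliberately slow. The stored record contains the salt and the digest but not the secret, so a database dump yields nothing a password or security-question answer could be read from, yet the site can still check a submitted value by recomputing the digest and comparing in constant time.

```python
import hashlib
import hmac
import os
from typing import Optional

# Assumed parameters for this example (not from the article): PBKDF2-HMAC-SHA256,
# 16-byte random salt, and a high iteration count so each guess costs real CPU time.
ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 600_000
SALT_BYTES = 16


def hash_secret(secret: str, salt: Optional[bytes] = None, iterations: int = ITERATIONS) -> str:
    """Return a self-describing record 'algorithm$iterations$salt_hex$digest_hex'.

    The secret itself is never stored; the salt makes identical secrets hash
    to different records, so an attacker cannot spot shared passwords or use
    one precomputed table against the whole customer base.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt, iterations)
    return f"{ALGORITHM}${iterations}${salt.hex()}${digest.hex()}"


def verify_secret(secret: str, record: str) -> bool:
    """Recompute the digest from the parameters in the record and compare it
    in constant time, so a mismatch does not leak how many bytes matched."""
    try:
        algorithm, iterations, salt_hex, digest_hex = record.split("$")
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
        iterations = int(iterations)
    except ValueError:
        return False  # malformed record: refuse rather than guess
    if algorithm != ALGORITHM:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, expected)


if __name__ == "__main__":
    # Constructed demo: two customers who happen to share a password.
    alice = hash_secret("correct horse battery staple")
    bob = hash_secret("correct horse battery staple")
    print("stored for alice:", alice)
    print("stored for bob:  ", bob)
    print("records differ despite same password:", alice != bob)
    print("right password accepted:", verify_secret("correct horse battery staple", alice))
    print("wrong password rejected:", not verify_secret("Correct horse battery staple", alice))
```

The same routine serves for security-question answers, which the BCS statement also mentions; the only extra step there is to normalise case and surrounding whitespace before hashing so that a legitimate "Fluffy " still matches. Reversible encryption, by contrast, is for data the business genuinely needs to read back (addresses, bank details), and belongs with a key that is kept out of the database it protects.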
Perhaps worst of all, though, is the fact that TalkTalk and its CEO knew that the company was a target. This is the third time in a year that the company has been successfully attacked and after each attack, the refrain from the company remains the same: "We take our customers' security very seriously", before claiming that it has "put in place additional security measures to prevent further attacks".
That statement was last made in August, after it was revealed that customer details had been compromised. TalkTalk admitted that sensitive customer data had been stored unencrypted, and then promised that it wouldn't happen again.
It's not entirely clear what measures, if any, TalkTalk took in February, after the first attack of the year, or in August, after another major breach.
And Harding doesn't exactly inspire confidence as the leader of a predominantly technology-focused business. As the Daily Mail observed, "The hapless Miss Harding, bumbling from studio to studio, was unable to explain how her company had been attacked, how long the attack had gone on for, what had been stolen and whether the computers and networks were now secure."
Today, any company that cannot keep its customers' data genuinely secure is not a company people want, or should be compelled, to do business with. And many customers, understandably, want out: some have demanded the right to terminate their contracts with TalkTalk so that they can get their broadband from a company with a better track record on security, i.e. anyone else.
The bottom line is, though, that all modern businesses of any size are substantially technology businesses, and any CEO that lacks, at the least, a broad understanding of the technology issues involved in running their business is a potential liability.