What does TalkTalk's lack of Cyber Essentials accreditation mean?
TalkTalk's attempts to get accreditation for a basic set of cyber security requirements is too little, too late
Let's get this straight: having a Cyber Essentials accreditation would not mean any business - especially a large one such as TalkTalk - would remain invulnerable to cyber-attacks. But it should ensure most of the basics are covered.
Cyber Essentials is a government-backed scheme that comes in two parts. The first is a self-assessment checklist, while the second, dubbed Cyber Essentials PLUS, is a thorough analysis of security policies and tools which is undertaken by a third party.
It is the bare bones of cyber-security - the minimum basic set of standards that any organisation should achieve (although some disagree that it is quite as useful for small and medium businesses).
What is surprising, however, is that TalkTalk is getting accreditated for Cyber Essentials only now.
It had been suggested to the House of Commons culture, media and sport select committee that if TalkTalk had adopted Cyber Essentials earlier, then the cyber attack - thought to be a simple combination of a DDoS and SQL injection attacks- would not have succeeded.
Giving evidence to the committee, TalkTalk CEO Dido Harding responded to those suggestions by stating that she was "not going to sit here and say we were perfect".
"We had a very exhaustive cyber-security plan that had been stress tested not just internally but with world-leading external consultants and security services. With benefit of hindsight would I have done more? Yes I would have," she said.
She went on to state that as she understands it, TalkTalk is fully compliant with Cyber Essentials, and is in the process of getting accredited.
When a member of the committee suggested it was a bit late, Harding responded by claiming that the firm had been focused on a very detailed and in-depth "10 steps to cyber security" plan and said that in fact she doesn't believe TalkTalk has missed out on the Cyber Essentials at all.
"It's quite the opposite; I'm being honest and human and saying I wish I'd done more. I don't know if doing more [in regards to Cyber Essentials] would have prevented this attack by the way," she added.
That may well be true, but when exactly was TalkTalk compliant? Before the attack, just after the attack, or only now? This wasn't clear from Harding's comments. Computing has asked TalkTalk to clarify exactly what she meant and will update this article accordingly.
But either way, it shows a reactive approach to cyber-security - which firms are being constantly being reminded is not enough to thwart attacks. Indeed, John Beale, executive member of CREST, one of the organisations that developed the assessment framework for the Cyber Essentials scheme, explained that while it is possible to meet the requirements without certified, gaps may be left unless rigorous assessment takes place.
Beale was surprised that TalkTalk had not already been accredited.
"You would expect companies such as TalkTalk to be adopting Cyber Essentials PLUS as well as further levels of security and technical assessment over and above Cyber Essentials," he told Computing.
The fact that TalkTalk is apparently only getting accredited now, after it was hacked, coupled with the fact that the scheme was launched 18 months ago, indicates a lackadaisical and reactive approach to cyber-security.
The good thing for TalkTalk customers is that the firm is finally taking measures to beef up its security. Professional services firm PwC is completing an assessment of the company's security and processes, while Harding said TalkTalk was also looking to refresh much of its IT.
Whether or not it has learnt from this experience will become clearer in the next few years. Harding stopped short of promising that the firm will be able to thwart all future attacks.
"I'm not going to sit here and say we are 100 per cent safe and never to be hacked again," she said.