TalkTalk 'underestimated' cyber security challenge, says CEO Dido Harding
But Harding says she has no regrets about the way the company dealt with the hack
TalkTalk CEO Dido Harding has admitted that the company underestimated the challenge of ensuring its cyber security was up-to-scratch, in light of the catastrophic data breach it suffered last year.
The hack, in which 156,656 TalkTalk customers had their personal details accessed, cost the firm £60m, and led to 95,000 customers abandoning the company.
PwC has since conducted an internal analysis of the company's cyber security capabilities, and Harding has said that the subsequent report makes "sobering" reading.
"We thought we had taken security seriously. We were underestimating the challenge," Harding told the Financial Times.
But Harding has no regrets about the way the firm dealt with the hack - claiming that the company was "open and honest from day one".
"Being honest pays dividends. My fellow CEOs are in danger of concluding the opposite. Don't take it into the dark," she said.
She wants the government to make it mandatory for all companies to report data breaches - at present only telecoms groups are required to do so.
But as Dan Hedley, an associate on the technology team at law firm Thomas Eggar states, mandatory reporting is already on its way to the UK.
"[It's] already coming, and has been for some time: it's in the European General Data Protection Regulation (GDPR), which is expected to come into force in 2018, and it's also in the forthcoming Network and Information Security Directive, which won't apply to everyone - but the GDPR will," he said.
Harding, who told a parliament committee in December that she was accountable for security at the time of the hack, said the attack raised "existential" questions about how the firm operated, but claimed that in the long-term it would become "one of the most positive things for TalkTalk".
She said that the PwC investigation found that TalkTalk was acting like a start-up rather than an established organisation, and that the firm now needed to "mature in the way it operates".
Harding added that generally companies were not asking the right questions when it came to cyber security.
"The danger is we are asking the wrong question: are we safe? It's a lazy question because the only really safe way is not being online. We tend to see security as a technology issue not a business one," she said.