TalkTalk CEO admits firm did not take security seriously enough

Dido Harding said firm underestimated what was required

TalkTalk CEO Dido Harding has claimed that the firm thought it had taken security seriously prior to the crippling data breach last year, but admitted that the company had underestimated what was needed.

The hack exposed the personal details of 156,656 TalkTalk customers, cost the firm £60m and led to the loss of 95,000 customers.

PwC has since conducted an internal analysis of TalkTalk's cyber security capabilities, which Harding said makes for "sobering" reading.

"We thought we had taken security seriously. We were underestimating the challenge," she told the Financial Times.

But Harding has no regrets with the way the breach was handled, claiming that the company was "open and honest from day one".

"Being honest pays dividends. My fellow CEOs are in danger of concluding the opposite. Don't take it into the dark," she said.

Harding wants the government to compel all companies to report data breaches, as only telecoms groups do so at present.

Dan Hedley, an associate on the technology team at law firm Thomas Eggar, explained that mandatory reporting is already on its way to the UK.

"[It's] already coming, and has been for some time: it's in the European General Data Protection Regulation [GDPR], which is expected to come into force in 2018, and it's also in the forthcoming Network and Information Security Directive, which won't apply to everyone. But the GDPR will," he said.

Harding told a parliamentary committee in December that she was accountable for security at the time of the breach, and that the attack raised "existential" questions about how the firm operated. She claimed that it will become "one of the most positive things for TalkTalk" in the long term.

The PwC investigation found that TalkTalk had acted like a startup rather than an established organisation, and need to "mature in the way it operates".

Harding added that companies generally do not ask the right questions when it comes to cyber security.

"The danger is that we are asking the wrong question: are we safe? It's a lazy question because the only really safe way is not being online. We tend to see security as a technology issue not a business one," she said.

The Computing Enterprise Security and Risk Management Summit 2016 is on 24 November in London, and is free for end users.