Commons committee lambasts ICO for lack of TalkTalk report
The Culture, Media and Sport Committee report on cyber-security opened with criticism of the ICO and then moved on to recommendations for escalating the visibility of cyber-security within organisations.
Report critical of ICO slowness
Eight months after the TalkTalk breach, the House of Commons Culture, Media and Sport Committee has criticised the Information Commissioner's Office for its failure to produce a report into the incident.
The criticism was made in the committee's report “Cyber Security: Protection of personal data online”.
While accepting that it is a complex task due to the “international dimension to the investigation”, the committee said it was a matter of “regret that, some eight months after the breach, customers are no closer to a clear understanding of what happened”.
The committee felt that the ICO, with 30 staff, lacks the capacity to deal with more than 1,000 cases a year, and it urged the ICO to review its staffing requirements.
A spokesperson for the ICO told SCMagazineUK.com that the organisation didn't think that the committee's comments amounted to “criticism” of the organisation. We were then referred to its written and oral evidence, which we will consider in due course.
The committee also urged TalkTalk to publish the results of a report by PWC, or at least “as much of the PWC investigation as commercially possible without delay”.
The report draws attention to the number of TalkTalk customers who suffered financial losses in the days after the breach at the hands of fraudsters purporting to be calling from the company. According to Financial Fraud Action UK, more work needs to be done to raise public awareness of how to identify fraudulent calls and emails, to protect people against scammers and “achieve a genuine step change in prevention”.
The committee recommended that the government should create an awareness campaign, “on a par with its campaign to promote smoke alarm testing”, to teach the public how to verify that communications from companies are genuine.
Companies should also make cyber-security a boardroom issue, the committee said. The ultimate responsibility for cyber-security lies with the CEO and part of their salaries should be pegged to this issue, but in addition, large companies should have a named individual responsible for IT security who can be sanctioned if the company has not made sufficient effort to protect itself and its customers.
Penalties for cyber-breaches should be reviewed and the ICO should introduce escalating fines to be levied in cases where organisations are judged to have been negligent. In particular, the committee was not impressed by companies that fall prey to “routine” cyber-attacks such as SQL injection.
A TalkTalk spokesperson told SCMagazineUK.com that it welcomed the committee's report and agreed it was “a serious and growing challenge for all companies”.
“Following last year's cyber-attack, TalkTalk has instigated an extensive, company-wide review of security and put into action many of the learnings from our own experience. We have also been widely and actively sharing these across government and industry,” the spokesperson said.
TalkTalk supports mandatory breach reporting. It has also launched its own awareness programme, “Beat the Scammers”, but supports further government action because “there is much more which could be done to help protect consumers”.
It had no comment on the committee's request that it publish the results of PWC's internal investigation.
Ryan Kalember, SVP of cyber-security strategy at Proofpoint, commented, “While this report contains some excellent recommendations that to the outsider may seem like appropriately strong measures, most of the findings and prescribed measures are underwhelming for those of us in the industry. Cyber-criminals are taking aim at the trust between people and organisations that allows the modern Internet-connected world to function.”
Jonathan Sander, VP of product strategy at Lieberman Software, rejected the notion of escalating fines being levied by the ICO. “Often putting a set price on these risks simply allows organisations to make a calculation about how little they may spend on cyber-defence in order to offset the maximum costs of fines. You see this at work in the regulatory world where an organisation often decides to simply pay fees for being out of compliance rather than spend what they feel would be more to be in line with the statutes,” he said.
James Chappell, CTO and co-founder of Digital Shadows, said, “Data breaches and other security incidents are unfortunately inevitable in most modern businesses and any proposed legislation should recognise this and offer a mix of ‘carrot and stick’ – fines alone are not the answer. However, we're encouraged to see some common sense thinking in this initial proposal, in particular around audits and staff training which are to be applauded.”
Talal Rajab, head of cyber and national security at techUK, commented: “The report rightly recommends that CEOs put cyber-security at the top of their agenda and assign full day to day responsibility of cyber-security to a dedicated professional. Under proposals in the upcoming Investigatory Powers Bill, companies may be required to store large pools of data that are vulnerable to attack. To maintain user confidence in digital services, and the growth of the UK's digital economy, companies must have appropriate cyber-security policies and processes in place”.