How to avoid a TalkTalk style attack

If you've got more than a passing interest in current affairs then you can't fail to have noticed the fallout from the TalkTalk data hack: it left a lot of worried customers and shareholders in its wake, and getting information about exactly what had gone wrong — and exactly which sets of data had been exposed — is still proving difficult.

It's no exaggeration to say attacks and cybersecurity breaches like this can cripple a company, as the Sony hacks (and subsequent blackmail) proved.

If you're the CIO/IT Director at a firm, then it's your job to stop these breaches from happening — but unfortunately IT security is not a binary on/off setting: it's actually an ongoing trade-off, and one that potentially puts you at odds with your customers. We all hate having to take our shoes off to go through airport security — are your customers prepared to put up with extra inconvenience in order to benefit from the extra protection it affords?

Almost 14 years ago Microsoft launched its Trustworthy Computing initiative, and there's still a lot that we can learn from the principles laid down by Bill Gates all that time ago. Software should be "as available, reliable and secure as standard services such as electricity, water services and telephony." And the teams that build those systems need to think about security all the time.

From what we know so far, the hack that affected TalkTalk was an SQL injection attack. You don't need to know the finer details of this kind of security issue, but it is fairly easy to protect against. It's another reminder that security isn't something that you fix once and then forget about: security is rather a matter of a thousand little vulnerabilities that programmers (and their bosses) need to be constantly vigilant against. You only need to let your guard down for a moment and the company you work for can be in serious trouble.
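To show what "fairly easy to protect against" means in practice, here is an added example (not code from the original post or from its authors) of the defect behind an SQL injection and the standard fix. It uses Python's built-in sqlite3 with a constructed in-memory customer table; the table, the e-mail addresses and the function names are all assumptions made for the illustration. The vulnerable lookup pastes user input into the query text, so a crafted value changes the query's logic and returns every row; the parameterised lookup binds the same value as data, so the database only ever compares it against the column.

```python
import sqlite3

# Constructed sample data standing in for a real customer table (not real accounts).
CUSTOMERS = [
    (1, "alice@example.com", "ACCT-0001"),
    (2, "bob@example.com", "ACCT-0002"),
    (3, "carol@example.com", "ACCT-0003"),
]


def make_db():
    """Create an in-memory database seeded with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (id INTEGER PRIMARY KEY, email TEXT, account_ref TEXT)"
    )
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?)", CUSTOMERS)
    conn.commit()
    return conn


def lookup_vulnerable(conn, email):
    """Defective version: the input is concatenated into the SQL text.

    Whatever the caller supplies becomes part of the statement itself, so the
    database cannot tell data from query logic.
    """
    sql = "SELECT id, email, account_ref FROM customers WHERE email = '" + email + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterised(conn, email):
    """Hardened version: the input is bound as a parameter.

    The statement text is fixed; the driver passes the value separately, so it
    is only ever compared against the column, never interpreted as SQL.
    """
    sql = "SELECT id, email, account_ref FROM customers WHERE email = ?"
    return conn.execute(sql, (email,)).fetchall()


def row_counts(email):
    """Return (vulnerable_count, parameterised_count) for one lookup value."""
    conn = make_db()
    try:
        return len(lookup_vulnerable(conn, email)), len(lookup_parameterised(conn, email))
    finally:
        conn.close()


if __name__ == "__main__":
    # A legitimate lookup behaves the same either way.
    print("normal input:", row_counts("bob@example.com"))
    # A value that closes the quoted string and adds an always-true condition
    # widens the concatenated query to the whole table; the bound parameter
    # simply fails to match any e-mail address.
    print("crafted input:", row_counts("' OR '1'='1"))
```

The fix is mechanical: every place a query is built from strings becomes a fixed statement with placeholders, and a code review (or a grep for string concatenation next to `execute`) is a cheap, repeatable check that belongs in the "constant vigilance" the post describes.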

But aside from being constantly vigilant, we must also keep up with the criminals and use the latest encryption technology to stay ahead. Once upon a time a credit card number seemed safe enough, but new measures had to be added in case the number was exposed. Now we're seeing even more secure methods, like Apple Pay, introduced — methods based around tokens through which the bank details themselves aren't shared and a fingerprint is used as a method of identification. Finding the right methods and technologies is only half the solution, however, because you then have to convince everyone to switch over.

What does seem certain is that passwords are hopelessly out of date and are going to need to be replaced sooner rather than later, as we move towards a more modern and secure way to guard all the data we're keeping in digital form — from credit card details to medical information.

Many of our customers don't even realise that we're always thinking about the security of the systems we build for them, but we are. To do anything less would be unprofessional and reckless. Of course whenever you want expert advice on software security that works, we're happy to help.
