Lessons to be learned from the TalkTalk Cyber Attack

Could your business fall victim to a cyber attack?

If you are one of TalkTalk’s four million customers, chances are you will be changing your password on the My Account section of their website and watching the news like a hawk, and who can blame you? Hacking is a terrifying ordeal, and the cyberattack that took place on Wednesday October 21 is the third time TalkTalk have been the victims of cybercrime, making the latest ordeal all the more worrying.

The company’s CEO Dido Harding has been a bemused and flustered presence since the hack, and has admitted that she “doesn’t know” whether their data was encrypted, which has left web and cybercrime experts face-palming, and customers angry and upset that their details may have been more exposed than they needed to be.

It’s easy to point fingers at the corporation, but the simple fact is cybercrime is big business, and advancements in technology have afforded these criminals the tools and methods required to bombard a company’s servers until they crash (to name just one method they use) and gain access to the contact details and bank accounts of millions of hard-working people.

After speaking to customer services this morning, they do appear unsure of what is happening. The rep I spoke to said the website that has been taken down should be back up in 24 hours, but they cannot confirm this.

It appears from national media sources that the cyber attack could be the result of a 15-year-old boy in Northern Ireland. It is quite remarkable that a single schoolboy can cause this much widespread panic and potential loss of millions to a telecoms giant. Share prices plummeted on Monday in light of this incident.

If this really does turn out to be the fault of one young individual, what would the impact have been if this was a wider group of hackers, and why was the data not fully secure in the first place? With 4 million+ customers said to be potentially impacted, this is without a doubt a serious issue. TalkTalk has over the weekend stated that full credit card details may not have been accessible and only partial details may have been taken, although many customers are likely to still be feeling uncomfortable with this situation.

There are lessons to be learned on both sides – the business and the customer – so let’s take a look at them now and see how these can be applied to a SME business website.

Encrypt your data wherever possible

The biggest faux pas made by TalkTalk in the wake of the hacking is the news that 4 million customers’ data was not protected with encryption, which is a method of scrambling data so that only the people with the correct key and/or password can understand it. Encryption should be used by any business – large or small – to safeguard sensitive data, and the fact that such a huge corporation wasn’t protecting its customers this way is as worrying as it is shockingly bad practice.

Make your passwords more secure

Whether you’re a large corporation, small business or a customer, you need strong passwords for all of your accounts, and your dog’s name just won’t cut it. The TalkTalk attack has brought to light the simple truth that many of us have one password for all of our accounts: Email, banking, social media and more. Not only is this incredibly lazy, it’s also dangerous.

If hackers get hold of your password, they gain access to every online account you have. This means they can impersonate you online, potentially borrow money in your name, make purchases and bookings, and access your internet banking. Take the time to create unique passwords for all of your accounts. “I can’t remember them all” isn’t a good enough excuse to make yourself more susceptible to cybercrime.

Be vigilant with your telephone and email account

In the wake of the TalkTalk hacking, many customers have come forward with stories of attempted fraud and scammers contacting customers impersonating TalkTalk employees. It’s a sad sign of the times that such a horrendous act would attract more scammers to the scene, but you can protect yourself by being more vigilant with your email account, and your telephone calls.

If something sounds too good to be true, it probably is. Don’t click on links within emails sent from accounts you don’t recognise and don’t give any important information to anybody who calls or emails you and starts probing for your account details.

Website Security

You can take precautions with your website security, and a few simple steps can help prevent downtime and lost data. If you are using WordPress or a similar CMS or publishing platform, keep it up to date on the latest version. Update plugins and add-ons, especially those that come with security warnings.

Set user levels for those that have access to the site. If a wrong password is entered, make sure the message shown is something like ‘wrong username or password’, so you don’t give the hacker a heads-up by indicating that only the password was wrong (which confirms the username exists).

Where possible, prevent users from being able to upload files to a website. Files uploaded to sites could contain scripts and viruses that make a whole site vulnerable. If you must allow uploads (like a job site), make sure you have security precautions and a firewall in place.
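As an added illustration of the upload precautions above (this is example code, not from the original article or any particular CMS), the check below accepts only an allowlist of extensions, verifies that the file content actually starts with the magic bytes for that type, rejects double extensions such as cv.php.pdf, and stores the file under a random name so the uploader never controls the path. The allowlist and the sample file contents are constructed for the example.

```python
import os
import secrets

# Constructed allowlist: extension -> leading bytes ("magic") that a genuine file of that type starts with.
ALLOWED = {
    "pdf": b"%PDF-",
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
}
# Inner extensions that must never appear anywhere in the name (e.g. "cv.php.pdf").
FORBIDDEN_INNER = {"php", "phtml", "php5", "phar", "js", "html", "htm", "exe", "sh"}
MAX_BYTES = 5 * 1024 * 1024


def check_upload(filename: str, data: bytes) -> tuple:
    """Return (accepted, reason, stored_name). stored_name is random, never the user's name."""
    # Strip any directory component the client sent ("../../etc/x.png" -> "x.png").
    name = os.path.basename(filename)
    parts = name.lower().split(".")
    if len(parts) < 2 or not parts[-1]:
        return False, "no extension", ""
    ext = parts[-1]
    if ext not in ALLOWED:
        return False, "extension not allowed", ""
    if any(p in FORBIDDEN_INNER for p in parts[1:-1]):
        return False, "multiple extensions", ""
    if len(data) > MAX_BYTES:
        return False, "file too large", ""
    # The extension alone is not trusted: the content must look like that file type.
    if not data.startswith(ALLOWED[ext]):
        return False, "content does not match extension", ""
    stored = secrets.token_hex(16) + "." + ext
    return True, "ok", stored


if __name__ == "__main__":
    print(check_upload("cv.pdf", b"%PDF-1.4 sample"))           # accepted, random name
    print(check_upload("shell.php", b"<?php system($_GET['c']);"))  # extension not allowed
    print(check_upload("cv.pdf", b"<?php echo 1; ?>"))          # content does not match extension
```

Store accepted files outside the web root (or in a directory where the web server is configured not to execute anything), so that even a file that slips past the check is served as data rather than run as code.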

It has been said in Google circles that the search giant are likely to give extra search visibility to sites that use an SSL security certificate. It is worth doing if you regularly capture personal information and certainly if you are offering any kind of e-commerce.

If on WordPress, use a security plugin like Wordfence that can help prevent cyber attacks and other online security threats. It can run automated site scans, detect and remove problematic files, block by IP address and country, detect and block brute force attacks, and more.
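The two login points made above, the generic ‘wrong username or password’ message and the brute force blocking a plugin like Wordfence provides, can be seen together in the added example below (illustrative code, not from the article or from Wordfence). It keeps one response for unknown users and wrong passwords, hashes a dummy password when the user does not exist so both paths take the same time, and locks out a client address after five consecutive failures. The user store, password and addresses are constructed for the example.

```python
import hashlib
import hmac
import os
from collections import defaultdict


def _hash(password: str, salt: bytes) -> bytes:
    """PBKDF2-SHA256 password hash; never store or compare plaintext passwords."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed user store: username -> (salt, hash). Only one sample account.
_SALT = os.urandom(16)
USERS = {"alice": (_SALT, _hash("correct horse battery", _SALT))}
# Hash used when the username is unknown, so a missing user costs the same as a wrong password.
_DUMMY_HASH = _hash("dummy-not-a-real-password", _SALT)

GENERIC_ERROR = "wrong username or password"
LOCKED_ERROR = "too many attempts, try again later"
MAX_FAILURES = 5
failures = defaultdict(int)  # client IP -> consecutive failed attempts


def login(username: str, password: str, client_ip: str) -> tuple:
    """Return (ok, message). The message never says which of the two fields was wrong."""
    if failures[client_ip] >= MAX_FAILURES:
        return False, LOCKED_ERROR
    salt, stored = USERS.get(username, (_SALT, _DUMMY_HASH))
    # compare_digest runs in constant time; the membership test stops a dummy-hash match
    # from ever logging in a non-existent user.
    matched = hmac.compare_digest(_hash(password, salt), stored)
    if matched and username in USERS:
        failures[client_ip] = 0
        return True, "ok"
    failures[client_ip] += 1
    return False, GENERIC_ERROR


if __name__ == "__main__":
    print(login("alice", "correct horse battery", "203.0.113.5"))  # (True, 'ok')
    print(login("alice", "guess", "203.0.113.9"))                  # same message as below
    print(login("nobody", "guess", "203.0.113.9"))                 # same message as above
```

In a real deployment the failure counter would live in a shared store rather than process memory, and the lockout should also be applied per account, since an attacker can spread attempts across many addresses.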

Use Google tools like Google Analytics and Google Search Console to check traffic to your website. Google may pick up any malicious files, and you can keep an eye on any unusual spikes in traffic.

If you are worried that you might be at risk, you can report any unusual activity on your accounts to your bank and the UK’s national fraud and internet crime reporting centre Action Fraud on 0300 123 2040 or visit www.actionfraud.police.uk
