When will we learn?

So the IoD have called for more government action in the shadow of the TalkTalk hacks.

Let’s look at this quickly. IT security is a necessary evil nowadays: no matter how big or small you are, you WILL be attacked. As an example, while setting up an Asterisk system for our Canada office it was very briefly open to the world. It took less than 5 minutes for it to be attacked (unsuccessfully). However, let’s put that into perspective…

There are, at last guess, 3,706,452,992 public-facing IP addresses out there. Yet in 5 minutes a number of people noticed and attacked just one. If you take the assumption that seems to be the norm with many directors, that there is a small group of hackers in their bedrooms, then the odds of them hitting our server are similar to those of winning the lottery. This points to a more likely scenario, well known in the security community: that this is a major form of organised crime, scanning the whole address space at scale.

Now with such a vast address space it suddenly makes no sense from an economic point of view to concentrate all your resources on one single host. In fact it’s easier to scan for and pick on the low-hanging fruit: the misconfigured, poorly maintained, badly written sites and those relying on security through obscurity. And here we come to the crux of it.

As a director you are responsible for your business. You make sure your premises are secure, you make sure all your staff are safe and you protect your business. And yet for many businesses, especially larger ones, IT is simply something you must have, and the trick is to spend as little money on it as possible. Your IT provider is responsible for your security online and for making sure your internet presence is as safe as your real-world presence. When this department is typically starved of resources, contracted to the lowest bidder with no check of their credentials, or outsourced, things can and do go wrong. You wouldn’t go to B&Q and put £5 locks on all your doors, but for most the ISP-supplied free router and a £5 a month hosting package are ‘good enough’.

And TalkTalk? It’s looking like it was an SQL injection attack, the kind that every IT professional knows about, knows the risks of and knows to NEVER allow out into the wild. If this was the cause of the leak, TalkTalk should be sued into oblivion and its directors jailed. It’s inconceivable that a company so big, dealing with so much data, should fall prey to such a basic flaw.
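The basic flaw in question, as an added illustration that is not part of the original post: the same customer lookup written the vulnerable way beside the parameterised fix, run against a constructed in-memory SQLite table (the table, the rows and the function names are all assumptions made for this example).

```python
import sqlite3

# Constructed sample data for the demonstration (not real customer records).
CUSTOMERS = [
    ("alice@example.com", "Alice"),
    ("bob@example.com", "Bob"),
    ("carol@example.com", "Carol"),
]


def make_db() -> sqlite3.Connection:
    """Create an in-memory database with a small constructed customer table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (email TEXT, name TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?)", CUSTOMERS)
    return conn


def lookup_unsafe(conn: sqlite3.Connection, email: str) -> list:
    """The flaw: user input is spliced into the SQL text, so a quote in the
    input changes the structure of the query instead of being treated as data."""
    sql = f"SELECT name FROM customers WHERE email = '{email}'"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn: sqlite3.Connection, email: str) -> list:
    """The fix: a parameterised query. The driver passes the value separately
    from the SQL text, so whatever it contains is only ever compared with the
    column and can never alter the query."""
    sql = "SELECT name FROM customers WHERE email = ?"
    return [row[0] for row in conn.execute(sql, (email,))]


def compare(email: str) -> tuple:
    """Run the same input through both versions and return (unsafe, safe)."""
    conn = make_db()
    try:
        return lookup_unsafe(conn, email), lookup_safe(conn, email)
    finally:
        conn.close()


if __name__ == "__main__":
    # A normal address behaves identically in both versions.
    print(compare("alice@example.com"))  # (['Alice'], ['Alice'])
    # Input containing a quote: the unsafe version leaks every row,
    # the safe version correctly matches nothing.
    print(compare("x' OR 'a'='a"))
```

The second call is the whole story of the flaw in one line: the unsafe version returns all three names, the safe version returns an empty list.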

So no, IoD, we don’t need more government help. We need you to give your members a BIG wake-up call. IT has been starved and treated as something you have to have but spend as little as possible on for so long that this attitude has become institutionalised. This needs to change, or more of your members will fall the same way. This is a problem your members have caused, and they alone can fix it.

If government help is needed, it’s to make this behaviour on the part of company directors a criminal offence with strong punishments, including custodial sentences and large fines. Starving IT of resources must stop being a viable cost-cutting measure.
