So TalkTalk took a £400k hit for last year's data compromise. The corporate equivalent of a parking ticket. Annoying and ultimately avoidable. That said, were this incident to have occurred after GDPR comes into full effect (May 2018), the story would have been very different.
Applying the same parking violation analogy, a post-GDPR fine of £70m would be more akin to having a brand new supercar not only ticketed, but towed away and crushed!
Personally, when I pick up a parking ticket, which touch wood is fairly infrequent these days, I always look at it from a lost opportunity perspective. What could I have done with the £50 I am donating to the council coffers?
Applying the same logic to TalkTalk's modest fine, £400k would, I am sure, have been much better spent on any number of initiatives to reduce the likelihood of the data compromise and the impact of the resulting 'fall-out'.
Indeed I'll proffer a couple of ideas of my own.
Firstly, solutions to close the gap between the breach (or possible compromise) and the point of detection. In effect, 'incident readiness'. This is an 'Achilles heel' for many, in so much as the gap can run into weeks and even months, which serves to make the incident far worse than it needs to be.
Secondly, more imaginative education. I think we are now mostly 'aware', so it's time to move on to more practical and innovative approaches that capture the attention of those you employ. Phishing simulation, for example, is not that difficult and really does start to pinpoint those who could be the weak links that theoretically undermine all your other cyber security investment put together.
Whatever happens in the UK, GDPR will almost certainly raise the bar where data breach penalties are concerned and would have affected TalkTalk accordingly. With cybercrime a global issue, it is unlikely that many governments will see fit to take a 'relaxed' view on how it is policed, in the way that they may previously have done with taxation.
So the moral of the story? If you think you can do a lot with £400k, think what you could do with £70m!
“During a year in which Government data showed nine in ten large UK businesses were successfully breached, the TalkTalk attack was notable for our decision to be open and honest with our customers from the outset. This gave them the best chance of protecting themselves and we remain firm that this was the right approach for them and for our business.”

But Mishcon de Reya’s Cyber Security Lead Joe Hancock said: “£400,000 is still a relatively small fine compared to the potential fines that will be levied under the General Data Protection Regulation (GDPR) – the greater of up to 4% of global turnover or €20m. For TalkTalk this could have been over £70m.”