Analysis: The CEO is always going to be in the firing line after a cyber attack.
Companies looking to evaluate the cost of a potential cyber breach could do worse for a real-world case study than TalkTalk's most recent financial results, which showed profits halving in a year.
What TalkTalk called in a statement a "strong bounce back" from the cyber attack, in which the data of 156,959 customers was potentially accessed, amounted to stemming the flow of losses rather than returning to growth in the customer base.
With 100,000 customers lost in Q3, the telco said that it had "stabilised" the broadband base so that net adds were flat quarter on quarter.
This might look like a success, but set against the 47,000 phone and broadband net adds in the same period the previous year it represents a significant slow-down.
"Ultimately, consumers have lost confidence," said Paolo Pescatore, Director, Multiplay and Media at CCS Insight.
The costs of the attack were £42 million, bringing pre-tax profit down from £32 million in the previous year to £14 million this year.
However, TalkTalk said that its trust and brand consideration were both higher than before the cyber attack.
The financial costs of the hack are obvious, and, as Pescatore adds, it will not be clear for some time whether TalkTalk can fully recover.
As a case study for businesses looking at how to respond to a hack, the message is as always that prevention is better than cure.
But in this sense the hack raises more questions than it answers: who is responsible for ensuring this prevention, and who is ultimately accountable in the event of an attack?
Research released today that was commissioned by VMware and conducted by Vanson Bourne found that 29 percent of IT decision-makers and office workers believe that the CEO should be held accountable for a significant data breach.
The research also found that, when asked who should be most aware of the necessary actions to take after a data breach, 38 percent of office workers and 22 percent of IT decision-makers said the board, while 53 percent of office workers and 40 percent of IT decision-makers believed it should be the CEO.
This view that the senior management of a company are responsible for a breach extends to the general public. Seventy-two percent of consumers stated in a FireEye survey released today that they were likely to stop purchasing from a company if a data breach was found to be linked to the boardroom failing to prioritise cyber security.
Fewer consumers would be likely to stop purchasing if human error was responsible: only 38 percent.
Dido Harding, the TalkTalk CEO, is still in place and in October told the Telegraph that she retained the support of the whole TalkTalk board, including chairman, founder and biggest shareholder Sir Charles Dunstone.
But if the CEO is not to blame for a breach, who is? The continued support for Harding seems to indicate that the board believes that she did everything she could to prevent a hack.
"I am confident that we had a very robust and clear plan," were Harding’s words to the Select Committee hearing on the issue.
She said that cyber security was an item at every board meeting and that the board had detailed in-depth sessions three times in the course of the last nine months.
This is despite many agreeing that TalkTalk was poorly prepared for a cyber attack.
"Since this appears to have been a SQL injection attack, it does appear that it could have been prevented with improved security measures," said Troy Gill, Manager of Security Research at AppRiver.
Gill added that "In a broad sense, accountability ultimately has to start at the top and trickle down to all employees, since everyone plays a role in keeping our organisations secure. Naturally, the leaders of the company of course have the greatest responsibility since they set the direction and tone."
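Gill's point that a SQL injection attack "could have been prevented" rests on a well-understood fix: never splice user input into SQL text. The following example is added here to illustrate that general point and is not code from the original article, nor a description of TalkTalk's systems or of the actual attack; the customer table and the email-lookup function are constructed for the demonstration. It contrasts a lookup that concatenates the input into the query with one that passes it as a bound parameter, and shows what each returns for a normal email address and for a classic `' OR '1'='1` payload.

```python
import sqlite3

# Constructed sample data for the demonstration only (not real customer records).
CUSTOMERS = [
    (1, "alice@example.com", "Alice"),
    (2, "bob@example.com", "Bob"),
    (3, "carol@example.com", "Carol"),
]


def make_db():
    """Build an in-memory SQLite database holding the constructed customer table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (id INTEGER PRIMARY KEY, email TEXT, name TEXT)"
    )
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?)", CUSTOMERS)
    return conn


def lookup_vulnerable(conn, email):
    """Vulnerable form: the user-controlled value becomes part of the SQL text.

    A value such as  x' OR '1'='1  turns the WHERE clause into
    email = 'x' OR '1'='1', which is true for every row, so the whole table
    is returned. This is the class of flaw Gill refers to.
    """
    query = f"SELECT id, email, name FROM customers WHERE email = '{email}'"
    return conn.execute(query).fetchall()


def lookup_parameterised(conn, email):
    """Hardened form: the value is bound as a parameter, never parsed as SQL.

    The same payload is compared literally against the email column and
    matches nothing. Bound parameters are the standard prevention for SQL
    injection; input validation is a useful second layer, not a substitute.
    """
    query = "SELECT id, email, name FROM customers WHERE email = ?"
    return conn.execute(query, (email,)).fetchall()


def demo():
    """Run both lookups with a legitimate address and with an injection payload.

    Returns the row counts so the difference is visible at a glance.
    """
    conn = make_db()
    legit = "alice@example.com"
    payload = "x' OR '1'='1"  # constructed attacker input
    return {
        "legit_vulnerable": len(lookup_vulnerable(conn, legit)),
        "legit_parameterised": len(lookup_parameterised(conn, legit)),
        "payload_vulnerable": len(lookup_vulnerable(conn, payload)),
        "payload_parameterised": len(lookup_parameterised(conn, payload)),
    }


if __name__ == "__main__":
    for label, count in demo().items():
        print(f"{label}: {count} row(s)")
```

The vulnerable lookup returns every row for the payload, which is exactly how a single injectable endpoint can leak an entire customer table; the parameterised version returns none. The check a reviewer or auditor would ask for is simply whether any query in the code base is built by string formatting from request data.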
Barry Coatesworth, an independent cyber security strategist, said at a VMware event on 12 May that the role of the CEO extends to showing "due diligence."
However, he said that organisations need to find the "right touch-points" at which cyber security should be discussed.
For example, discussing cyber security at every board meeting, as Harding says TalkTalk did, breeds complacency, according to Coatesworth.
He added: "The job of the CEO is to run the company, to be aware of cyber security, but they have lots of other things that they need to do and delivering revenue is probably more important."
Aftab Afzal, GM for EMEA at NSFOCUS IB, said that depending on the breach, the data protection officer should be accountable.
"It is the job of the Data Protection Officer (DPO) to ensure the security of data that resides in an organisation. This individual may have other roles and responsibilities within the organisation, and typically these are in IT / IT Security."
Afzal added, however, that if the board chooses to ignore the DPO's advice, then they are the ones who should be liable.
This doesn't mean that everything should be in the hands of the CEO; obviously the CEO needs to be able to rely on the information they are given. Another important step for companies, therefore, Afzal said, is seeking third-party validation and regular auditing.
Coatesworth said that auditing would be a more effective way of ensuring steps were taken than simply discussing cyber security as a board.
"If it’s an audit item they have to take it seriously, because the audit committee will hold them to account that these audit actions are in progress," he said. "Better that it’s with an audit committee than on the board agenda, unless it’s one of the top five risks to the business."
In the end there is no hard and fast rule for who is accountable, but CEOs and the board should expect to be in the firing line if they are found not to have shown due diligence.