If you are a local council or charity, a fine of tens or hundreds of thousands of pounds will be hard to absorb; it will not be for a firm with over a billion in revenue, an entire PR department and thousands of staff. The ICO has only been issuing monetary penalties for about five years and so far it has not issued many.
TalkTalk was reportedly penetrated through a SQL injection attack. This attack type has been known for well over a decade, and according to reports Sony was hit the same way around five years ago. With the technique this well known you would think TalkTalk would have tried to mitigate it. Poor security, maybe, but many others are likely in the same position.
The tech bit. How do you (try to) mitigate SQL injection?
- Regular external penetration tests
- Regular automated vulnerability scans
- Manual and automated code reviews
- Parameterised queries and input validation in the application code (string filters on their own are easy to bypass)
- Internal segregation of servers
- Website framework patching
- Intrusion prevention system
- Web application firewall
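To show why the application-code item on that list matters more than any of the others, here is an added example (not code from the original post or from TalkTalk) of the bug behind a typical SQL injection and the fix. The database, the `users` table, its two rows and the attacker payloads are all constructed for illustration; the example uses an in-memory SQLite database so it runs offline.

```python
"""Added example: a vulnerable login query beside its parameterised fix, plus
an allow-list check for the one place you cannot bind a parameter.
Everything here (table, rows, payloads) is constructed for illustration."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Build a throwaway in-memory database with two made-up user rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, "
        "password TEXT, email TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password, email) VALUES (?, ?, ?)",
        [("alice", "correct horse", "alice@example.test"),
         ("bob", "battery staple", "bob@example.test")],
    )
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> list:
    """The classic mistake: user input spliced straight into the SQL text.
    A quote in the input ends the string literal and the rest of the input
    becomes part of the query grammar."""
    sql = (
        "SELECT username FROM users WHERE username = '%s' AND password = '%s'"
        % (username, password)
    )
    return [row[0] for row in conn.execute(sql)]


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> list:
    """Parameterised query: the SQL text is fixed and the driver binds the
    values separately, so quotes and keywords in the input stay plain data."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (username, password))]


# Identifiers (column names in ORDER BY, table names) cannot be bound as
# parameters, so that is where an application-side filter is legitimate:
# a strict allow list, not a blacklist of "dangerous" characters.
ALLOWED_SORT_COLUMNS = {"id", "username", "email"}


def is_allowed_column(name: str) -> bool:
    """Allow-list check for a user-chosen sort column."""
    return name in ALLOWED_SORT_COLUMNS


def sort_users(conn: sqlite3.Connection, column: str) -> list:
    """Sort by a user-supplied column name, refusing anything off the list."""
    if not is_allowed_column(column):
        raise ValueError("sort column not permitted: %r" % column)
    return [row[0] for row in conn.execute(
        "SELECT username FROM users ORDER BY %s" % column)]


if __name__ == "__main__":
    db = make_db()
    # Comment marker (--) throws away the password check entirely.
    bypass = "admin' OR 1=1--"
    # UNION pulls a different column out of the same table.
    exfil = "' UNION SELECT password FROM users--"
    print("vulnerable, bypass :", login_vulnerable(db, bypass, "x"))
    print("vulnerable, exfil  :", login_vulnerable(db, exfil, "x"))
    print("safe, bypass       :", login_safe(db, bypass, "x"))
    print("safe, exfil        :", login_safe(db, exfil, "x"))
    print("safe, real login   :", login_safe(db, "alice", "correct horse"))
    print("sort by email      :", sort_users(db, "email"))
```

Run it and the vulnerable function logs the attacker in as every user and then hands over every password, while the parameterised version returns nothing for the same payloads and still works for a genuine login. A web application firewall or an input filter may catch these two payloads; it will not catch every encoding of them, which is why the fix belongs in the query code itself.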
Cost? Maybe a few thousand to tens of thousands of pounds, depending on the size of the website or business.
Information Commissioner Elizabeth Denham said: "TalkTalk's failure to implement the most basic cyber security measures allowed hackers to penetrate TalkTalk's systems with ease." And how many other small, medium and large businesses are in the same boat? Many, I would imagine!
The moral of the story: do not try to secure your website yourself if you have no experience in web security. Get a specialist team or company to do it. Do not just sit there thinking it won't happen to you. If your defences are strong, the bad guys or girls may move on to someone else.