
It’s Good to Talk… October 24, 2015

Posted by Audit Monkey in The Joy & Pain of Internal Audit.

The Blog seems to be suffering at the moment, as readership seems to be at an all-time low! Anyway, this week has been eventful, as we have seen a hack attack at ‘TalkTalk’ and the loss of some 4 million customer records and accompanying bank account details.

While I haven’t been following this data breach too closely, apparently ‘TalkTalk’ have suffered previously at the hands of hackers. As Lady Bertram once said, once is an accident, twice is careless, so it begs the question: will Dido Harding bite the bullet, or will she be pushed? I think it is time for three ‘info security breach’ scenarios, and you, the reader, can guess the outcome and who gets sacked.

Scenario 1 – A member of the Sales Team has handed in their notice. The Sales Team Manager has access to client records and associated financial information, e.g. revenue per customer, cost of sales, yield, etc., and all of this is readily available in Word and Excel documents on the computer network. Later that day, the Head of IT notices increased server capacity usage on the computer network. Upon investigation, it is discovered that the Sales Team Manager has downloaded the client records to a USB stick. The Sales Team Manager is apologetic when challenged, and offers to reload the documents to the computer network. Should he stay, or should he be fired?

Scenario 2 – A member of the Audit Team is working late and needs to complete a draft Internal Audit report for presentation to the auditees. The Auditor realises that it would be easier to work on the document at home, as the office air-conditioning has switched off and security wish to secure the premises. As his laptop is locked down, e.g. the USB port does not allow the use of USB sticks, he emails the draft report and supporting documents to his home email account so he can complete the report before the deadline. However, emailing confidential documents to an employee’s home email account is against company policy. Should he stay, or should he go?

Scenario 3 – A firm with approximately 4 million customers has suffered three data breaches in the past 12 months. (One of these attacks was spoofing, where customers were duped into revealing their bank details to a third party pretending to be TalkTalk.) It transpires that the firm’s website is not PCI DSS compliant, which means the controls over customer debit and credit card details aren’t as strong as they ought to be in line with industry standards. This makes customer details more susceptible to theft. There was a question as to whether customer data, including card details, was encrypted. The CEO was unavailable to confirm what customer details were stolen. The CEO also commented that a ransom email had been received from the hackers, although the specific details were unavailable. Should the CEO stay, or should they go?

So what were your answers? Here are the actual outcomes.

Scenario 1 – The Sales Team Manager was allowed to stay. Despite the fact that he was moving to a competitor, the data was transferred back to the network from the USB stick, even though he may have made multiple copies. And yes, he should have been on garden leave from the moment he handed in his resignation.

Scenario 2 – Sacked. The Auditor was deemed to have breached company policy. Personally, I would have opted for a severe reprimand, but he was an IT Auditor and should have known better.

Scenario 3 – Well, we will see. I reckon Dido Harding is on borrowed time. A CEO who doesn’t know what customer data they hold, when there have been countless high-profile breaches in the past 12 months, e.g. Sony, is asking for trouble. I suspect it is the old issue which affects British industry: for the sake of saving a few extra quid on proper controls to maintain wafer-thin profit margins, the actual damage done by this breach, in terms of negative publicity and financially, is immeasurable.

NB: All these scenarios are true.


1. itmonkey101 - October 26, 2015

Talk Talk. Self-made victims of the inexorable race to the bottom for costs and quality. That’s my reading of this sorry fiasco, anyway.
