With the recent cyber attack against Talk Talk, following other high-profile cyber attacks, we have to ask: is it time to regulate the IT industry?
All information currently suggests that the recent Talk Talk attack was caused by an SQL injection – a simple technique and very easily guarded against.
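To make concrete why SQL injection is "very easily guarded against", here is an added example (not code from the original article, and not a reconstruction of anything in the Talk Talk systems). It builds a small in-memory SQLite table with constructed sample rows, runs the same lookup once with string concatenation and once with a parameterised query, and feeds both the classic tautology payload and a UNION payload that pulls a second column out of the table. The table, column and function names are illustrative assumptions.

```python
import sqlite3

# Constructed sample data for the example; not real customer records.
SAMPLE_USERS = [
    ("alice@example.com", "hash-a"),
    ("bob@example.com", "hash-b"),
    ("carol@example.com", "hash-c"),
]


def make_db():
    """Create an in-memory SQLite database with a hypothetical users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, password_hash TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (email, password_hash) VALUES (?, ?)", SAMPLE_USERS
    )
    return conn


def lookup_vulnerable(conn, email):
    """Vulnerable form: the caller's input is spliced into the SQL text,
    so any quote in the input changes the structure of the statement."""
    sql = "SELECT id, email FROM users WHERE email = '" + email + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, email):
    """Hardened form: a parameterised query. The input is bound as a value
    by the driver and is never parsed as SQL, whatever characters it holds."""
    sql = "SELECT id, email FROM users WHERE email = ?"
    return conn.execute(sql, (email,)).fetchall()


# Two textbook payloads. The first closes the quoted string and appends an
# always-true condition; the second closes it and appends a UNION that reads
# a different column, with "--" commenting out the trailing quote.
TAUTOLOGY_PAYLOAD = "' OR '1'='1"
UNION_PAYLOAD = "' UNION SELECT id, password_hash FROM users--"


def demo():
    """Run both lookups against an honest email and both payloads, returning
    the rows each one produced so the difference can be checked."""
    conn = make_db()
    honest = "alice@example.com"
    return {
        "vulnerable_honest": lookup_vulnerable(conn, honest),
        "vulnerable_tautology": lookup_vulnerable(conn, TAUTOLOGY_PAYLOAD),
        "vulnerable_union": lookup_vulnerable(conn, UNION_PAYLOAD),
        "safe_honest": lookup_safe(conn, honest),
        "safe_tautology": lookup_safe(conn, TAUTOLOGY_PAYLOAD),
        "safe_union": lookup_safe(conn, UNION_PAYLOAD),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name:22s} -> {rows}")
```

Against the concatenated query the tautology payload returns every row and the UNION payload returns every password hash; against the parameterised query both payloads are simply treated as an email address that nobody has, and return nothing. The fix is a one-line change per query, which is the point the article is making.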
The real problem, I would suggest, is that the staff responsible for these sites are not sufficiently aware of the threats or of how to mitigate them. Some ten years ago I was teaching on an MSc here at Birmingham City University and we covered SQL injection attacks and how to prevent them. Alongside this we covered the major threats faced by web sites and how to mitigate them.
The problem basically stems from the fact that there are insufficient suitably qualified people to fill all the IT vacancies. This leads to people who have not had the appropriate training and education being employed and then made responsible for these major systems.
Now is the time for the government to intervene and put in place some regulation, as there is in other industries such as health, construction and finance.
The British Computer Society is the main body overseeing the IT industry and it provides a route to Chartered Engineer (CEng) status. Requiring the people in charge of major IT systems that hold sensitive data to hold CEng would be a start towards reducing the frequency and impact of these attacks.
Ultimately it should be a requirement that ALL people working in the IT industry have a mandatory suitable qualification before being employed.
We already have several professions that are regulated and require appropriate qualifications. They are regulated either on safety grounds (e.g. the health professions) or on financial grounds (the financial sector). The losses associated with cyber attacks are significant and in line with the potential losses in those sectors, so why isn't the IT industry regulated?
It will take several years to achieve this, but as we move more systems online and more activities become cloud-based, now is the time to act.