20.5k unique visitors in the last 3 days

Cut the Code to Reduce Risk

UK telco TalkTalk has simplified systems since it was hacked in 2015. The extent of that work illustrates why the safest system is one which has been decommissioned.

An excellent article by Leah Alger for Software Testing News has her interviewing Philip Clayson, Technology Developer at UK telco TalkTalk, about the need to eliminate old software that adds to the complexity and risk of running the business. Alger joined TalkTalk not long before the infamous hacking attack which knocked 30 percent off the value of the telco. As a consequence he spent his first year addressing immediate issues with the software portfolio.

The official investigation into the TalkTalk data breach by the UK’s Information Commissioner confirmed press reports that the breach occurred through a straightforward SQL injection attack on some old webpages that TalkTalk inherited after their 2009 acquisition of the UK operations of Tiscali. This kind of attack has a long history and the appropriate defenses are well established. However, TalkTalk had not even noticed two earlier SQL injection attacks because the vulnerable webpages were not being monitored. Put simply, the failure to cut old and unnecessary code and systems left TalkTalk with a more extensive perimeter to protect, and more vulnerabilities that hackers could exploit. But they neither cut the code nor safeguarded it, leading to a significant loss of shareholder value that has not been recouped since.

Clayson’s job now sees him concentrating on cutting TalkTalk’s software mountain in half.

In the last year, he has been leading a massive software transformation which is addressing many many years of technical debt in the software estate – a complex problem and a sizeable challenge which has over 84 million lines of code, hundreds of software applications spanning every conceivable purpose, and nearly 1000 code bases. TalkTalk’s target is to reduce this by half in a year.

When businesses grow, they tend to get more complicated, and that has always been true of telcos that rapidly acquire customers and engage in M&A activity with little thought of the long-term shape of their system architecture. TalkTalk sounds like a case study into what can go wrong as a consequence.

Historically, TalkTalk has focused on accelerating growth, and achieved this through both organic and acquisitive means, the latter bringing with it duplicate technologies with each business. With so many acquisitions, the technical duplication is sometimes not always addressed in full and technical debt accumulates.

Clayson revealed: “I have started the software team at TalkTalk on the journey of a huge investment to start removing our software duplication, reducing obsolete code and re-engineering software stacks.”

The article does not talk much about risk management, but we can still draw the necessary inferences. If you want to reduce risk, then dispense with code and systems that are no longer necessary. One of the obstacles to good risk management is the ‘tomorrow syndrome’ – we will deal with risks tomorrow, instead of today, for the same reasons we delay all uninteresting chores until tomorrow. However, criminals may not wait until tomorrow to strike. Streamlining both reduces costs by dispensing with code that is no longer adding benefit and reduces risk by sparing us the need to protect the decommissioned systems.

You can read the Software Testing News interview of Philip Clayson by clicking here.

Eric Priezkalns
Eric Priezkalnshttp://revenueprotect.com

During his career, Eric has been a Director of Risk Management for a national telco, the Chief Executive of the Risk & Assurance Group, a Chief Marketing Officer for a software business, a consultant, a public speaker and the publisher of Commsrisk since its launch in 2006. Look here for more about the history of Commsrisk and the role played by Eric.

The comms providers that Eric has worked for include Qatar Telecom, Cable & Wireless, T‑Mobile, Sky and Worldcom. In addition to his proficiency at speaking about the current scamdemic, Eric is also a qualified chartered accountant and a subject matter expert in consumer protection, enterprise risk management, fraud prevention, data integrity and billing accuracy. Eric was the lead author of Revenue Assurance: Expert Opinions for Communications Providers, published by CRC Press. He can be reached through the contact form on this website.

Related Articles

The Commsrisk Global Fraud Dashboard


Our Global Fraud Dashboard uses AI-powered search to collate, update and visualize data about scams and other network abuses from around the world. New charts are added each month. See it here.

Get Our Weekly Newsletter by Email