Complacency of firms is leaving ‘the door open to cyber attackers’, ICO says
Many companies in the UK are taking a complacent attitude to cyber security that leaves them open to attack, the Information Commissioner has warned.
John Edwards said that many firms are too relaxed about basic measures such as keeping software up to date and training staff to minimise the risk of infiltration from bad actors.
The warning comes as the Information Commissioner’s Office (ICO) issued a fine of £4.4m to Interserve Group, a Berkshire-based construction company, for failing to keep the personal information of its staff secure, which was a breach of data-protection laws.
The ICO found that the company failed to put appropriate security measures in place to prevent a cyber attack, which enabled hackers to access the personal data of up to 113,000 employees through a phishing email.
The compromised data included personal information such as contact details, national insurance numbers and bank account details, as well as special category data including ethnic origin, religion, details of any disabilities, sexual orientation and health information.
“The biggest cyber risk businesses face is not from hackers outside of their company, but from complacency within their company. If your business doesn’t regularly monitor for suspicious activity in its systems and fails to act on warnings, or doesn’t update software and fails to provide training to staff, you can expect a similar fine from my office,” Edwards said.
“Leaving the door open to cyber attackers is never acceptable, especially when dealing with people’s most sensitive information. This data breach had the potential to cause real harm to Interserve’s staff, as it left them vulnerable to the possibility of identity theft and financial fraud.”
The Interserve hack occurred after an employee forwarded a phishing email, which was not quarantined or blocked by the company’s system, to another employee who opened it and downloaded its content. This resulted in the installation of malware onto the employee’s workstation.
While anti-virus software quarantined the malware and sent an alert, Interserve failed to thoroughly investigate the suspicious activity. If they had done so, Interserve would have found that the attacker still had access to the company’s systems, the ICO said.
The attacker subsequently compromised 283 systems and 16 accounts and uninstalled the company’s anti-virus solution. Personal data of up to 113,000 current and former employees was encrypted and rendered unavailable.
The ICO investigation found that Interserve failed to follow up on the original alert of suspicious activity, used outdated software systems and protocols, and had a lack of adequate staff training and insufficient risk assessments, which ultimately left it vulnerable to a cyber attack.
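The failure the ICO describes is a detection-response gap: the anti-virus product raised an alert, nobody acted on it, and the attacker's later activity on the same hosts (including removing the anti-virus agent) went unnoticed. The script below is an added illustration, not code from the ICO, Interserve or the article, of the two checks a security operations team would run over endpoint telemetry to close that gap: alerts with no analyst acknowledgement inside a service-level window, and post-alert events on the same host that suggest the intrusion is still live. The event kinds, the four-hour SLA and the sample timeline are all constructed assumptions.

```python
"""Triage helper (example code): flag AV alerts nobody acted on, and
post-alert activity on the same host that suggests the attacker is still present."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry for two workstations (not real incident data).
# Each row: (ISO timestamp, host, event kind, free-text detail).
SAMPLE_EVENTS = [
    ("2020-05-01T09:00:00", "WS-1", "av_quarantine", "trojan dropped by email attachment"),
    ("2020-05-01T09:01:00", "WS-1", "av_heartbeat", "ok"),
    ("2020-05-01T09:05:00", "WS-2", "av_quarantine", "suspicious macro"),
    ("2020-05-01T09:30:00", "WS-2", "analyst_ack", "ticket 42 opened"),
    ("2020-05-01T11:00:00", "WS-1", "remote_logon", "account svc-backup logged on from WS-1"),
    ("2020-05-02T03:00:00", "WS-1", "av_uninstalled", "endpoint agent removed"),
    ("2020-05-02T03:00:00", "WS-2", "av_heartbeat", "ok"),
]

# Assumed policy: every quarantine alert must be acknowledged within four hours.
ALERT_SLA = timedelta(hours=4)

# Assumed set of event kinds that, after a quarantine alert, indicate the
# intrusion may have continued rather than ended with the quarantined file.
FOLLOW_ON_KINDS = {"av_uninstalled", "remote_logon", "new_admin_account"}


def _parse(events):
    """Convert raw rows into (datetime, host, kind, detail) tuples, oldest first."""
    return sorted((datetime.fromisoformat(ts), host, kind, detail)
                  for ts, host, kind, detail in events)


def unactioned_alerts(events, sla=ALERT_SLA, now=None):
    """Return [(host, alert_iso_time)] for quarantine alerts whose SLA has
    expired without any analyst_ack on that host inside the window."""
    rows = _parse(events)
    now = now or rows[-1][0]  # default: the time of the newest event we have
    overdue = []
    for ts, host, kind, _ in rows:
        if kind != "av_quarantine":
            continue
        deadline = ts + sla
        acked = any(h == host and k == "analyst_ack" and ts <= t <= deadline
                    for t, h, k, _ in rows)
        if not acked and now >= deadline:
            overdue.append((host, ts.isoformat()))
    return overdue


def post_alert_activity(events):
    """For each host that raised a quarantine alert, list later events on that
    host whose kind is in FOLLOW_ON_KINDS. Hosts with nothing to report are omitted."""
    rows = _parse(events)
    first_alert = {}
    for ts, host, kind, _ in rows:
        if kind == "av_quarantine":
            first_alert.setdefault(host, ts)
    findings = defaultdict(list)
    for ts, host, kind, detail in rows:
        if host in first_alert and ts > first_alert[host] and kind in FOLLOW_ON_KINDS:
            findings[host].append((kind, detail))
    return dict(findings)


if __name__ == "__main__":
    for host, when in unactioned_alerts(SAMPLE_EVENTS):
        print(f"OVERDUE: quarantine alert on {host} at {when} was never acknowledged")
    for host, items in post_alert_activity(SAMPLE_EVENTS).items():
        for kind, detail in items:
            print(f"FOLLOW-ON on {host}: {kind} - {detail}")
```

On the constructed data, WS-2's alert is acknowledged within the window and shows no follow-on activity, while WS-1's alert is overdue and is followed by a remote logon and removal of the endpoint agent, the pattern the ICO says an investigation of the original alert would have surfaced. In a real deployment the same two checks would run against SIEM or EDR exports rather than an in-memory list.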
In the event of such an attack, companies are required by regulation to report it to the ICO as the data regulator.
The ICO and the National Cyber Security Centre have previously said that organisations must not pay a ransom in the event of a data breach, as doing so does not reduce the risk to individuals and is not considered a reasonable step to safeguard data.
The ICO has the power to impose a monetary penalty on a data controller of up to £17.5m, or 4 per cent of total global annual turnover, whichever is higher.