ICO call to arms – boost your cyber security and protect personal information
The ICO has recently published its “Learning from the mistakes of others” report highlighting the year on year increase in cyber attacks over the last 10 years since it issued a similar report.
The updated report highlights the exponential rise in security incidents over that period and the increasingly diverse range of attacks undertaken by threat actors. The ICO’s own trend data highlights that there was a 33% increase in cyber incidents in 2023 (3,285) over those reported in 2022. |
By highlighting in the report how breaches can occur, the ICO intends to educate organisations to learn from the mistakes of others by (i) understanding what common security control failures led to breaches; and (ii) the steps that should be put in place to ensure that such controls operate effectively and minimise the risk of companies experiencing their own breach.
Ransomware
The ICO highlights that ransomware remains the most common malware and is still a persistent threat to the UK economy. In particular, the report considers that companies should assume that if they are the victim of a ransomware attack, that information will have been exfiltrated. It repeats its current position that it does not support the payment of ransoms, given that there is no guarantee access to the data will be restored. The mitigating steps highlighted by the ICO may by now be familiar to most organisations, but it re-states the key principles of good cyber hygiene as per the National Cyber Security Centre’s 10 steps to cyber security.
Phishing attacks
The report highlights that 79% of businesses identified having a phishing attack in the last 12 months, compared to 72% in 2017, and that fraudsters were taking advantage of changed behavioural habits since the pandemic, such as increased online shopping. Mitigations to prevent phishing attacks involve a combination of technical measures (such as email filtering, firewalls and black/whitelisting) in conjunction with regular and routine training of staff to increase awareness of phishing attempts.
Brute force attacks
Brute force attacks were occurring at a rate of 11,000 attacks per second in April 2023 according to the ICO’s report, the highest monthly rate ever recorded and a significant increase on 2022. The ICO were also seeing increased success rates in “credential stuffing” attacks, where victims use the same password on multiple sites. The ICO highlighted its advice around good password hygiene, in particular the NCSC guidance on using the “three random words” approach, alongside MFA and biometric options.
Distributed “Denial of Service” (DDoS) attacks
DDoS attacks are also continuing to rise, with 15% of UK businesses having identified a denial of service (DoS) attack in the last year. These are large scale attacks and are offered by cyber criminals as a service to overload network traffic to try and halt a company’s operations. Mitigating measures to prevent such attacks are largely restricted to technical steps able to identify, detect and prevent systems from being overloaded, by classifying data traffic before it reaches the server thereby containing the impacts of aggressive traffic designed to disrupt network operating systems.
Errors
The ICO’s review focused on security misconfigurations leading to breaches, which can occur at any layer of system protection. In particular, the ICO highlighted the risks posed by misconfigurations within the cloud and a failure to configure cloud services correctly. The fact that the ICO have highlighted this issue demonstrates the importance of ensuring that the data controller has a contract in place with the vendor that provides clarity around who is responsible for any data breach and that the data controller is able to ensure that its cloud provider has configured its services correctly. The same principles will apply to any vendor engaged by a controller to provide third party services.
Supply chain attacks
In line with requirements to ensure that suppliers take responsibility for configuring their services correctly, the ICO also highlights the increase in targeted attacks on suppliers and the need to ensure that businesses have conducted appropriate risk assessments of their supply chain who may frequently be handling personal data on behalf of the controller.
The ICO reiterates that when using third party vendors, businesses should be satisfied that they:
- Have appropriate security in place and are compliant with DP legislation.
- Have some form of assurance in place, usually via a contractual document.
The ICO highlights the importance of ensuring that organisations conduct thorough due diligence on potential suppliers and that you have access to the suppliers’ logs if the system is compromised, as well as ensuring that appropriate contractual assurances are in place around the supplier’s security posture.
Test your business response
The ICO’s updated review of incidents demonstrates the increasing frequency and complexity of such attacks, and the critical need for organisations to continue to document and test any plans for incident response, business continuity and disaster recovery.
Kennedys has a highly experienced cyber response team who are able to conduct ransomware simulations to help your business test your incident response performance, identify any weak spots and plug your privacy and security gaps. Please contact us directly to reserve your session with the team, or to request further information about our tailored training services at cybersimulations@kennedyslaw.com.
Related item