ICO warns that many UK businesses are still cybersecurity laggards
The Information Commissioner’s Office (ICO) has called on UK businesses to do more to stave off cyber threats to their organisations and the wider economy. In its latest report, the data protection watchdog published new details about the 3,000 breaches reported to its investigators last year (under UK data protection law, organisations must notify the ICO of a personal data breach within 72 hours of becoming aware of it, unless the breach is unlikely to pose a risk to the individuals affected). Of these, the largest share, some 22%, involved the financial services sector, compared with 18% in retail and 11% in education.
“People need to feel confident that organisations are doing as much as they possibly can to keep their personal information secure,” said Stephen Bonner, the ICO’s deputy commissioner for regulatory supervision. “While cyberattacks are growing more sophisticated, we find that many organisations are not responding accordingly and are still neglecting the very foundations of cybersecurity.”
ICO report contains shocking examples of breaches
Divided into chapters describing each major method by which a business can be breached, the ICO’s report contains several shocking case studies of firms laid low by cyber criminals. These start with a legal firm undermined by a ransomware attack. Although the subsequent investigation could not conclusively determine how the attackers entered the firm’s systems, it found that the entry point could have been the exploitation of a system vulnerability the firm already knew about but had not remediated.
“Once inside the network,” reads the report, “the attacker installed various tools to enable them to create their own user account to execute the attack. The attacker then encrypted 972,191 individual files and 24,711 court bundles. The [hackers] then exfiltrated 60 of these bundles and published them on an underground market site.”
Many cybersecurity mistakes are “entirely avoidable”
Other cases included the compromise of a construction company’s servers through a phishing attack, a breach that led to the leakage of personal information belonging to 113,000 people. The ICO also described the compromise of a hotel company’s IT systems, which, after that firm was taken over by a larger rival, led to the exposure of customers’ payment card details.
“Our enforcement information has shown that we investigate cyber-related data breaches which are often entirely avoidable,” said the ICO. The regulator added that it had taken enforcement action against businesses that had failed to implement effective multi-factor authentication systems, act on alerts from antivirus software, or ensure that staff use strong passwords, and would continue to do so.