
What can we learn from last week’s £98,000 ICO fine?

Last week the ICO issued a £98,000 fine to one of the UK’s leading criminal law firms for GDPR contraventions. In August 2020, hackers were able to access the firm’s records relating to criminal and civil cases and uploaded some of it to the dark web, as well as encrypting it as part of a ransomware attack.

In this article, we’re going to go through where the firm went wrong, and how you can try to avoid the same mistakes.

Cyber Security is complicated

The firm in question commissioned a third party to investigate the origin of the breach. As a leading firm risking not only a hefty fine but substantial reputational damage, it’s hard to imagine the investigation was anything but thorough. Despite this, neither the firm nor the investigators were able to provide a conclusive answer as to how the attackers accessed this data.

The technology used by businesses is becoming more and more complex, giving attackers more and more vulnerabilities to exploit. It’s important, then, that organisations take time to think about their cyber security. In the absence of a conclusive answer, the firm’s cyber security as a whole was examined, and found to be lacking in a number of ways.

Attackers like to lurk

A possible method of attack noted in the penalty notice is poor patch management. The notice details a patch that was released in January 2020 but was not applied by the firm until June, forcing the firm to accept that the attackers could have used this delay to enter the network. Even if the attackers gained access just before the patch was applied, they then waited at least two months before exploiting that access in August.

The lesson here is the cyber equivalent of a 90s horror movie: the attackers may already be inside your network, waiting for an opportune moment to exploit their access.

What can I do?

The fastest and most cost effective measure you can take to check whether your network has been breached is to sign up to NCSC Early Warning notifications. This free scheme will alert you to potential cyber-attacks on your network, including any active compromises in your system.

Even the basics help keep you safe

In the penalty notice, the ICO notes that the firm in question was not using multi-factor authentication (MFA), meaning all an attacker would need to access sensitive data is a user’s login credentials. The ICO notes that MFA ‘substantially increases the difficulty of an attacker entering a network’, and that not using it created a ‘substantial risk’ of personal data being exposed.

What can I do?

MFA is something that many online services already offer, and is very easy to set up with a mobile phone or email address. We recommend putting MFA in place wherever you can, but particularly on accounts with access to sensitive data.

ISO27000 and Cyber Essentials

Both patch management and MFA are requirements for a number of cyber security accreditations that organisations can sign up to.

One of the most well-known of these accreditations is ISO 27001, an international standard on how to manage information security. Achieving the 27001 standard, like any ISO standard, is a big undertaking, especially for smaller companies.

If you haven’t got the resources to go after an ISO standard, other options are available. The penalty notice lists the NCSC’s Cyber Essentials standard as another valid accreditation, which in our experience is much more accessible to organisations of any size.

Accreditations aren’t just a pretty badge for your website. They’re more, even, than the commercial opportunities they provide. They are a way of holding yourself accountable for keeping your business practices, in this case cyber security, up to date.

What can I do?

Unless you have internal IT staff, we’d strongly recommend speaking to an IT services provider to help you identify an achievable certification, and then help you meet the standard.

While not an accreditation, we’d also encourage all businesses to sign up with their local Cyber Resilience Centre, which can provide you with support and resources to improve your cyber security.

Are you worried about your organisation’s cyber security? Contact us today to see how we can help.
