The Headline
The Information Commissioner’s Office (ICO) has issued a £4.4 million fine to Berkshire-based construction firm Interserve Group Ltd for failure to keep its employee data secure.
The ICO concluded that Interserve Group Ltd did not put the appropriate security measures in place to prevent a cyber attack which allowed hackers to access the personal data of over 100,000 employees through a phishing email. The employee details accessed included personal information such as bank account details, national insurance numbers and contact details, and even highly sensitive information such as sexual orientation, ethnicity and health conditions.
The Details
The attack began when an Interserve employee unknowingly forwarded a phishing email on to another employee, who proceeded to download the content inside. That content was actually malware, which was then installed on the employee’s computer. Interserve Group’s email security did not block or quarantine this email, one of the first fundamental errors.
Despite Interserve’s antivirus software detecting the malware, the suspicious activity was not investigated fully. If it had been, Interserve would have realised that the hacker still had access to their systems. The hacker then went on to disable the company’s antivirus software, encrypt employee information and render it unavailable.
The ICO investigation concluded that Interserve Group had left themselves vulnerable to a cyberattack through their initial failure to fully investigate the suspicious activity, their use of outdated software and protocols, and a general lack of staff training or risk assessments.
Ultimately, the ICO decided that by failing to put adequate measures in place, at both a technical and organisational level, Interserve Group broke data protection law, resulting in the fine.
John Edwards, the UK Information Commissioner, said:
“The biggest cyber risk businesses face is not from hackers outside of their company, but from complacency within their company. If your business doesn’t regularly monitor for suspicious activity in its systems and fails to act on warnings, or doesn’t update software and fails to provide training to staff, you can expect a similar fine from my office.
Leaving the door open to cyber attackers is never acceptable, especially when dealing with people’s most sensitive information. This data breach had the potential to cause real harm to Interserve’s staff, as it left them vulnerable to the possibility of identity theft and financial fraud.
Cyber attacks are a global concern, and businesses around the world need to take steps to guard against complacency. The ICO and NCSC already work together to offer advice and support to businesses, and this week I will be meeting with regulators from around the world, to work towards consistent international cyber guidance so that people’s data is protected wherever a company is based.”
Eventura’s Perspective
Cyber attacks are becoming more common and more sophisticated. Despite this, many businesses simply don’t think it will happen to them. In reality, the chances are it will. Failure to implement robust cybersecurity measures can have massive financial implications for your business, as this recent example illustrates.
Cyber attacks are becoming increasingly common within the construction industry. Earlier this year, the National Cyber Security Centre (NCSC) partnered with the Chartered Institute of Building (CIOB) to produce expert guidance, aimed at helping small to medium-sized construction businesses protect themselves against cyber threats.
We wrote an article on it at the time, which you can read here.
If you’d like to learn more about cybersecurity, cyber crime and how your business can defend itself from threats, you can also read our article Cybersecurity & Cybercrime Explained.
Why choose Eventura for a cybersecurity audit?
With over 20 years’ experience in cybersecurity, we know our stuff. Our team of cybersecurity experts can complete a full audit of your business and identify any areas of weakness which could leave you vulnerable to cyberattacks.
We were even mentioned in the Government’s National Cyber Security Centre (NCSC) Annual Review 2020 when we were chosen to test their “Exercise in a Box”, designed to help small businesses prepare for and respond to cyberthreats. You can read the article here.
There is a common misconception that cyberattacks don’t happen to SMEs, but this couldn’t be further from the truth. With our expert knowledge, we can help you protect your business’s future from the ever-increasing threat of cybercriminals.