The Information Commissioner's Office (ICO) has recently published an article on its website drawing all firms' attention to the fact that a firm has been fined £60,000 following a cyber-attack.
The ICO found that the organisation had failed to take basic steps to prevent its website from being attacked.
The company was found to have:
- Not performed regular penetration testing
- Failed to ensure that the password on the WordPress section of its website was sufficiently complex
- Stored some information unencrypted, while the information that was encrypted was found not to be secure because the decryption key was not itself secure
- Held encrypted card details on its servers for longer than necessary
The ICO advised that if firms hold personal information then they must do so in line with the law, taking steps to ensure that the data is protected. The article also states that under the General Data Protection Regulation (GDPR) coming into force next year, fines such as this one could be significantly higher.
Cyber is a ‘hot topic’ and we have issued several articles on this matter.
Whilst insurance is certainly available (the FCA are now showing an interest in firms that have not purchased such cover), there are several basic steps you can take to train staff to spot possible attacks and help prevent them.
Measures such as not allowing downloads of screensavers or games, and restricting which websites staff can visit, will go some way towards protecting yourself, but there is a lot more you can do.
Remember, if there is a data security or cyber breach, it is not just the ICO that needs to be told, but potentially the FCA as well.
The FCA has published guidance on the matter (https://www.fca.org.uk/firms/cyber-resilience), and we would urge all firms to undertake a review of their exposure, arrange regular testing, put in place staff training (see www.mydevelopment.zone for e-Learning courses), and ensure that such reviews/tests are updated on a regular basis.