The Information Commissioner’s Office (ICO) has warned corporate Britain that “complacency” is the biggest threat to their cybersecurity after levelling a £4.4m fine against Interserve Group.
The UK data watchdog fined the Berkshire-based construction company for failing to keep the personal information of its staff secure, causing personal data belonging to 113,000 employees to be compromised following a phishing attack that happened two years ago.
The ICO said Interserve had failed to put in place appropriate cybersecurity to protect its employees. The regulator can impose a maximum fine of £17.5m or 4% of global annual turnover, whichever is higher.
UK information commissioner John Edwards said that the ICO fine should caution other firms against growing complacent when it comes to cybersecurity.
“The biggest cyber risk businesses face is not from hackers outside of their company, but from complacency within their company,” Edwards said.
“If your business doesn’t regularly monitor for suspicious activity in its systems and fails to act on warnings, or doesn’t update software and fails to provide training to staff, you can expect a similar fine from my office.
“Leaving the door open to cyber attackers is never acceptable, especially when dealing with people’s most sensitive information.”
Cybersecurity experts agree with the ICO warning, saying that it could help put pressure on businesses to strengthen their digital defences.
“There is a fine line between threatening companies to build better protections and actually fining them,” said Jake Moore, global cybersecurity advisor at cybersecurity firm ESET. “The threat is usually enough to put pressure on businesses to place more resources in cybersecurity but it is worthless without fining any of them to make a point.
“The ICO is not out to catch companies and force them to fine but in fact help them understand the true risk to their business and their data. Once data is stolen, the clean up is far greater than any fine could be as knock-on attacks can rapidly starburst affecting millions of people.”
Interserve did not return Verdict’s request for comment.
In January, the ICO and the National Cyber Security Centre urged companies to bolster their digital defences in response to the crisis in Ukraine. They feared Russia would launch more digital assaults through the war.
In May, Verdict reported that the cyberwar in Ukraine has not been as intense as experts initially feared.
“Everyone expected that this was going to be the first war in which cyber warfare played a sort of big part,” David Bicknell, principal analyst at GlobalData and the author of a new Thematic Research: Technology Cybersecurity report, told Verdict at the time.
GlobalData is the parent company of Verdict and its sister publications.