Insights Cyber Security: Information Commissioner issues statement calling for organisations to do more


The Information Commissioner’s Office (“ICO”) has issued a statement calling on organisations to do more to combat the growing threat of cyber attacks. It comes as the ICO responded to reports of a cyber breach at the Ministry of Defence and as its own research indicated that more organisations than ever are experiencing cyber security breaches.

Accompanying the statement was a new report, ‘Learning from the mistakes of others’, which includes practical advice to organisations to “understand common security failures and take simple steps to improve their own security, preventing future data breaches before they can happen”.

The report focuses on five main causes of security breaches: (1) phishing; (2) brute force attacks; (3) denial of service; (4) errors; and (5) supply chain attacks. Accompanied by helpful case studies, the report summarises what these attacks are, how they take place, the key principles to consider in order to mitigate or reduce the level of harm from a security breach, and some possible developments that could make these threats more sophisticated in the future (such as the use of artificial intelligence or quantum computing). It also includes some guidance on ransomware and malware, although the ICO has dedicated guidance on this subject elsewhere.

The report makes clear that many cyber-related data breaches are “entirely avoidable” if organisations implement the types of physical and technical measures mentioned in the report, and adopt a “privacy and security by design and default” approach. Just as important is organisations having appropriate ‘organisational controls’ in place, such as ensuring that boards “take a more proactive approach to overseeing cyber risks within their organisations”. Furthermore, it stresses that organisations should not benchmark themselves against other organisations, even if they are operating in a similar market: “the best baseline for measuring your performance is your own”. It also reminds organisations that the ICO may take enforcement action if measures are inadequate, and provides examples of such action being taken against organisations which have, for example, failed to secure external connections with multi-factor authentication, used inadequate passwords on internal accounts, or failed to mitigate known vulnerabilities.

Commenting on the publishing of the statement and report, the ICO’s Deputy Commissioner (Regulatory Supervision), Stephen Bonner, said:

“People need to feel confident that organisations are doing as much as they possibly can to keep their personal information secure. While cyber attacks are growing more sophisticated, we find that many organisations are not responding accordingly and are still neglecting the very foundations of cyber security.

As the data protection regulator, we want to support and empower organisations to get this right. While there is no single solution to prevent cyber attacks, there is absolutely no excuse for not having the foundational controls in place. These are essential to protecting people’s personal information and we will take action, including fines, against organisations that are still not taking simple steps to secure their systems.

If you do experience a cyber attack, we always encourage transparency as your mistakes could help another organisation to avoid a similar breach.”

To read the statement and report in full, click here.