UK – The Information Commissioner calls for businesses to boost their cyber security

The UK’s data protection regulator, the Information Commissioner (ICO), has issued an open call for all organisations to do more to strengthen their protections against cyber attacks, alongside a report considering lessons learned from the data breach reports it has received.

The ICO statement notes that the rate of cyber breaches is increasing. Over 3,000 breaches were reported in 2023, with finance and retail being the industries hit the hardest.

The accompanying report, titled “Learning from the mistakes of others – A retrospective review”, sets out six leading causes of cyber breaches, one of which – ransomware – is touched on only briefly, as the ICO has already provided guidance on this issue. It also suggests mitigants to reduce the risk of a cyber breach arising from each cause. The ICO notes that good practice will depend on an organisation’s specific risk profile, but that best practice is always for businesses to take a layered approach to cyber security measures, such that if one defence fails there is another mitigating control in place.

The six key cyber threats

The causes of cyber incidents, and the suggested risk mitigants, identified by the ICO are as follows:

1. Ransomware

The use of malicious software (“malware”) to block access to the user’s systems or data in order to demand a ransom is described by the ICO as the most common form of malware attack, usually resulting from poor cyber hygiene. In one case study cited, a retailer was hit by a ransomware attack involving malware being installed on over 5,000 payment terminals, allowing the threat actor to access customer payment details each time a terminal was used.

The mitigants recommended by the ICO to protect against ransomware attacks include timely patch management, adequate vulnerability scanning, updating software promptly as needed, encryption of archived documents, and using multi-factor authentication (whereby more than one measure is used to confirm identity) for remote access.

2. Phishing

This is a scam where false messages persuade a user to share log-on details or inadvertently download malware. The ICO reports that in one survey, 91% of UK companies reported at least one successful phishing attack in 2022, and in a notable incident one simple phishing email compromised data relating to over 100,000 people. A phishing attack may well be a precursor to a wider attack, such as deploying ransomware.

The most important measures to mitigate phishing are those which relate to the individuals targeted by the false messages, so the ICO’s recommended measures include appropriate staff training with specific messaging, such as being wary of emails from unknown senders and not clicking on unexpected password reset links. The ICO also recommends establishing a clear reporting system, having a ‘no blame’ culture, and instigating effective and timely investigation when phishing is reported.

3. Brute force attacks

This method of attack involves threat actors using trial and error to guess login details or encryption keys. Once credentials are obtained, they are sold on; this magnifies the risk, as survey data suggests that up to 65% of people use the same password across multiple sites.

The ICO-recommended mitigants against brute force attacks include requiring the use of strong passwords (for example using three random words, which do not include personal information that is easy to guess), avoiding reuse of passwords, limiting the number of login attempts possible and locking the account when this limit is exceeded.

Other steps include disabling unused accounts, multi-factor authentication, and using single sign-on or biometric access in lieu of a username/password combination.
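As an added illustration, not taken from the ICO report or this article, the Python sketch below shows two of the brute force controls listed above working together: a password policy that rejects short, common or reused values, and a per-account lockout once a fixed number of failed attempts is reached. The thresholds, the common-password list, the hash choice and the account names are assumed values chosen for the example.

```python
import hashlib
import time

MAX_ATTEMPTS = 5       # failed attempts allowed before lockout (assumed value)
LOCKOUT_SECONDS = 900  # 15-minute lockout window (assumed value)

# Constructed stand-in for a breached/common-password blocklist.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome1"}


def hash_password(candidate):
    # SHA-256 is used only so the example runs offline; real credential
    # stores should use a slow, salted hash such as bcrypt or Argon2.
    return hashlib.sha256(candidate.encode()).hexdigest()


def password_ok(candidate, previous_hashes):
    """Policy check: long enough, not a known-common value, and not a
    reuse of one of this account's previous passwords."""
    if len(candidate) < 15:  # three random words comfortably exceed this
        return False
    if candidate.lower() in COMMON_PASSWORDS:
        return False
    return hash_password(candidate) not in previous_hashes


class LoginGuard:
    """Count consecutive failed logins per account and lock the account
    once MAX_ATTEMPTS is reached, releasing it after LOCKOUT_SECONDS."""

    def __init__(self, clock=time.time):
        self.clock = clock          # injectable clock so tests can advance time
        self.failures = {}          # account -> consecutive failed attempts
        self.locked_until = {}      # account -> unix time the lock expires

    def is_locked(self, account):
        until = self.locked_until.get(account)
        if until is None:
            return False
        if self.clock() >= until:   # lock has expired: clear state
            del self.locked_until[account]
            self.failures[account] = 0
            return False
        return True

    def attempt(self, account, success):
        """Record one login attempt; return 'locked', 'ok' or 'denied'."""
        if self.is_locked(account):
            return "locked"         # rejected even if the password was right
        if success:
            self.failures[account] = 0
            return "ok"
        self.failures[account] = self.failures.get(account, 0) + 1
        if self.failures[account] >= MAX_ATTEMPTS:
            self.locked_until[account] = self.clock() + LOCKOUT_SECONDS
            return "locked"
        return "denied"
```

In practice the same counters should also be kept per source address and every lockout event logged, so that a spread of failures across many accounts is visible to the security team as well as to the individual user.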

4. Denial of service (DoS)

This involves threat actors overloading a website or system to prevent it carrying on normal activity, typically as a means to extort money or as a means of protest. According to the Financial Conduct Authority, this mode of attack is growing rapidly: in 2021 only 4% of reported hacks were conducted by DDoS (distributed denial of service, where multiple devices carry out a DoS attack), but in 2022 this rose to 25%.

Suggested technical measures to mitigate these attacks include implementing processes for checking firewall and router configurations, purchasing third party services designed to recognise legitimate traffic increases (such as at peak times of year or on release of a limited product) and offering DoS prevention, and creating, testing and maintaining business continuity and disaster recovery plans.

5. Human error or mistake

Cyber incidents may simply arise from human error, whether due to misconfiguration or a lack of checks and balances. Some of the most common errors identified included incorrectly implemented changes, unrestricted permissions and outdated protocols. Survey data suggested that 99% of all firewall breaches are due to misconfiguration.

The mitigation measures recommended by the ICO to protect against errors include developing a culture of ‘security by design’, where security considerations are embedded into products and procedures, repetitive processes are automated, default login details are changed, development functions are contained and tested before go-live, and ‘four-eye’ quality checks are used, whereby security checks are performed separately by two people.

6. Supply chain attacks

Threat actors may attack the systems in a supply chain, for example by inserting their own code, and then use this to access systems and data up or down the supply chain. Defending against this type of threat means considering not only your own organisation’s cyber security, but that of its suppliers, and of all those who supply them in turn.

The best protection against supply chain risk is thorough due diligence; other key measures include conducting a regular supply chain review, testing your suppliers’ cyber security where possible, and ensuring there are robust contractual protections in your vendor agreements.

Getting it wrong could be expensive

None of the mitigation measures recommended by the ICO are new, yet the regulator is clear in its view that many businesses are still not taking cyber security seriously enough. And where this results in a cyber incident that puts individuals’ personal data at risk, the ICO is keen to emphasise that it is ready to enforce; Stephen Bonner, the Deputy Information Commissioner, stated that “There is absolutely no excuse for not having the foundational controls in place. We will take action, including fines, against organisations that are still not taking simple steps to secure their systems.”

With the growth of AI giving the cyber preparedness industry a boost, but also giving threat actors ever faster and more accurate avenues to mount cyber attacks, it is more important than ever that businesses review their cyber hygiene, and ensure that they have adequate cyber security measures in place, which are both sufficiently robust and suitable for their risk profile.


For more information on cyber security, download the Linklaters Cyber Security Handbook: The Essential Handbook for In-house Counsel.