ICO warns that many UK businesses are still cybersecurity laggards

ICO’s latest report on the state of UK corporate cybersecurity includes case study of a law firm crippled by a ransomware attack encrypting almost a million files. 

By Greg Noone

The Information Commissioner’s Office (ICO) has called on UK businesses to do more to stave off cyber threats to their organisations and the wider economy. In its latest report, the data protection watchdog published new details about the 3,000 breaches reported to its investigators last year (under UK data protection law, an organisation must report a personal data breach to the ICO within 72 hours of becoming aware of it, unless the breach is unlikely to pose a risk to the people affected). Of these, the largest share, some 22%, came from the financial services sector, compared with 18% from retail and 11% from education.

“People need to feel confident that organisations are doing as much as they possibly can to keep their personal information secure,” said Stephen Bonner, the ICO’s deputy commissioner for regulatory supervision. “While cyberattacks are growing more sophisticated, we find that many organisations are not responding accordingly and are still neglecting the very foundations of cybersecurity.”

(Image: a mobile screen showing the logo and website of the Information Commissioner’s Office.) Phishing, brute-force attacks and ransomware are just some of the cybersecurity threats UK businesses should worry about more often, says the ICO. (Photo by Shutterstock)

ICO report contains shocking examples of breaches

Divided into chapters, one for each major method by which a business can be breached, the ICO’s report contains several shocking case studies of firms laid low by cyber criminals. These start with a legal firm crippled by a ransomware attack. The firm was unable to determine conclusively how the attackers got into its systems, but a subsequent investigation found that the entry point could have been the exploitation of a vulnerability in one of its systems that was already known to the firm.

“Once inside the network,” reads the report, “the attacker installed various tools to enable them to create their own user account to execute the attack. The attacker then encrypted 972,191 individual files and 24,711 court bundles. The [hackers] then exfiltrated 60 of these bundles and published them on an underground market site.”

Many cybersecurity mistakes are “entirely avoidable”

Other cases included the compromise of a construction company’s servers through a phishing attack, a breach that leaked personal information belonging to 113,000 people, and the hacking of a hotel company’s IT systems which, after that firm was taken over by a larger rival, led to the leaking of customer cardholder details.

“Our enforcement information has shown that we investigate cyber-related data breaches which are often entirely avoidable,” said the ICO. The regulator added that it had taken enforcement action against businesses that failed to implement effective multi-factor authentication, act on alerts from antivirus software, or ensure that staff used strong passwords, and that it would continue to do so.

