
Huge Fine Highlights Importance of Training and Cybersecurity

on Wednesday, 21 December 2022.

The Information Commissioner’s Office (ICO) fined a construction company £4.4 million, following a cyber-attack in which the personal data of up to 113,000 employees was affected.

Phishing Email Led to Huge Breach

One of Interserve's employees opened a phishing email, which meant hackers were able to install malware on their workstation. Through this, the hackers were able to access the personal information of up to 113,000 employees. The compromised data included contact details, National Insurance numbers, bank account details, and special category personal data including data on ethnic origin, religion, sexual orientation and disabilities.

Interserve were criticised for having failed to thoroughly investigate what had happened. It was notified about the malware through its anti-virus software, and although it took action to remove some of the files that had been installed on the employee's workstation, it failed to verify that all the malware had been removed. This meant the attacker retained access to the workstations from the 1 April 2022 to 2 May 2020, when Interserve's routine maintenance check discovered a message stating the server had been hacked.

The ICO subsequently issued Interserve with a fine for a breach of the legal requirements to keep personal data secure, and for failing to have in place technical and organisational measures to protect personal information.

The Importance of Risk

An organisation should have an understanding of the particular risks that exist, and the current mitigations in place. Cybersecurity should be a part of your existing risk register, and it should highlight both general risks (such as risks of a cyberattack), as well as specific risks that relate to your business or operations. For example, if you have hybrid/flexible working, this can carry with it an element of risk. Being part of a significant/important supply chain may also increase your risk of an attack because you could be the gateway to get to larger organisations.

Once you understand the risks, you can concentrate on what you can do to prevent/mitigate those risks - by using both technical and organisational measures.

Learning Points

The following are practical takeaways from the Interserve fine:

Keep your systems updated

Individuals will try to exploit known weaknesses, so it is important to update your systems to plug any 'gaps' in the security systems.

You should also be aware when software or systems are coming to the end of their 'support'. Systems that are no longer supported will not get updated, so any weaknesses will remain on the system as long as you are using it. You will be given notice of when support will end, and it is important to note this, and take action to protect your information where needed.

Training

The ICO found that Interserve should have been aware of the risks of failing to implement effective information security training for all staff, and found that the failure to put in place appropriate training amounted to a UK GDPR breach.

It is therefore a good idea to not only provide relevant training for all those who are using your systems, but also to note who has been trained, what the training covered, and how you follow up with individuals who have not attended the training.

We have developed eLearning on data protection, designed to disseminate key information to staff to help you protect the security of personal data within your organisation, and easily evidence that training when needed. The course has been written by our data protection specialists and is kept up to date with changes to the law so you can be confident staff are aware of the latest guidance.

We will also be offering a tailored course for Data Protection Leads to build on their understanding of the data protection essentials and to help them to carry out their role more effectively. Subscription starts with a baseline fee of £400, plus a per user cost of £3 per user. The role specific course can be added on for a fixed fee.

To find out more, please contact Imogen Street in our VWV Plus team on 07384 545 998 or at istreet@vwv.co.uk.

Policies and procedures

Whilst it can be helpful to have policies and procedures in place (particularly when you are asked to demonstrate compliance), they are only useful if they are up to date, and followed. One of the key issues in the Interserve fine was that there were policies in place that, if followed, would have mitigated some of the issues that arose. For example, the company had a policy around updating software and not using software that was no longer supported which, if followed, could have limited the impact of the attack.

As with all areas, it is important to think carefully about where a policy or procedure will help, and if it will help, how will you ensure that it is being followed?

Access controls

Finally, you should look at what access controls you have in place, and whether these need to be strengthened. By limiting an individual's access to only the parts of your system that they need, you limit the ability of an attacker to get to your information if that individual is compromised. You should also look at how your systems talk to each other, potentially with an expert. You may have what you think is an isolated data collection system that stores data about your website, but if it is linked to your office account, which is linked to the accounting software, then an individual only needs to get access to the website to gain access to your Outlook and your finances. This level of linkage might be vital, but it is important that you understand it, so that you can protect all potential access points.
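As an added illustration of the linkage point above (example code written for this page, not from the article or from VWV), the following script models which systems grant access to which and works out what an attacker reaches from a single compromised account, before and after one link is removed. The system names and links are constructed for the example.

```python
from collections import deque

# Constructed trust graph (not from the article). An edge A -> B means that
# access to A also yields access to B (shared login, saved credentials, SSO,
# an API token, a linked mailbox, and so on).
LINKS = {
    "website-data-collector": ["office-account"],
    "office-account": ["outlook-mailbox", "accounting-software"],
    "accounting-software": [],
    "outlook-mailbox": [],
    "hr-system": ["payroll"],
    "payroll": [],
}


def reachable_from(compromised, links):
    """Return the set of other systems an attacker holding `compromised` can reach.

    Breadth-first search over the trust graph; the `seen` set guards against
    cycles such as two systems that each hold credentials for the other.
    """
    seen = set()
    queue = deque([compromised])
    while queue:
        node = queue.popleft()
        if node in seen:
            continue
        seen.add(node)
        queue.extend(links.get(node, []))
    seen.discard(compromised)
    return seen


def blast_radius(links):
    """List every system with the number of others it exposes, worst first."""
    return sorted(
        ((name, len(reachable_from(name, links))) for name in links),
        key=lambda item: (-item[1], item[0]),
    )


def without_link(links, src, dst):
    """Copy of the graph with one trust relationship removed, to test a mitigation."""
    return {k: [v for v in vs if not (k == src and v == dst)] for k, vs in links.items()}


if __name__ == "__main__":
    for name, exposed in blast_radius(LINKS):
        print(f"{name}: exposes {exposed} other system(s)")
    cut = without_link(LINKS, "website-data-collector", "office-account")
    print("website reaches after cut:", sorted(reachable_from("website-data-collector", cut)))
```

Run it on your own inventory by replacing LINKS with the systems and the links you actually have; the systems at the top of the blast-radius list are the ones whose access controls deserve the first review.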

Please contact Andrew Gallie on 0117 314 5623 or Vicki Bowles on 0117 314 5672 for more information. Alternatively, please complete the form below.
