Complacency is biggest cyber risk, not hackers, Information Commissioner says

John Edwards has warned firms to better protect themselves as the ICO issues £4.4 million fine to one company for failing to protect personal data.

Martyn Landi
Monday 24 October 2022 00:01 BST
The biggest cyber risk for businesses is complacency and not hackers, the Information Commissioner said (Dominic Lipinski/PA)


The biggest cyber risk businesses face is from complacency, not hackers, the Information Commissioner has said as he urged firms to better protect themselves from cyber threats.

John Edwards issued the warning as the Information Commissioner’s Office (ICO) handed down a fine of £4.4 million to Interserve Group, a Berkshire-based construction company, for failing to keep personal information of staff secure – in breach of data protection law.

The ICO found that the company had failed to put appropriate security measures in place to prevent a cyber attack, which enabled hackers to access the personal data of up to 113,000 employees through a phishing email.


Mr Edwards said many businesses were still not taking cyber security seriously enough and warned companies they should “expect a similar fine from my office” if they are found to have failed to put protections in place.

“The biggest cyber risk businesses face is not from hackers outside of their company, but from complacency within their company,” the Information Commissioner said.

“If your business doesn’t regularly monitor for suspicious activity in its systems and fails to act on warnings or doesn’t update software and fails to provide training to staff, you can expect a similar fine from my office.

“Leaving the door open to cyber attackers is never acceptable, especially when dealing with people’s most sensitive information.

“This data breach had the potential to cause real harm to Interserve’s staff, as it left them vulnerable to the possibility of identity theft and financial fraud.

“Cyber attacks are a global concern and businesses around the world need to take steps to guard against complacency.

“The ICO and NCSC already work together to offer advice and support to businesses, and this week I will be meeting with regulators from around the world to work towards consistent international cyber guidance so that people’s data is protected wherever a company is based.”

The commissioner’s intervention comes after Nadhim Zahawi, Chancellor of the Duchy of Lancaster, said firms must stop thinking of cyber security as “an issue just for company IT departments” and treat it as a business priority.

He warned that in the modern digital world, economic growth for the whole country would not be possible without the “economic security” that came from good cyber security practices.
