ICO: The Biggest Cyber Security Threat Is Complacency
The data centre industry goes to great lengths to ensure that clients have access to all the latest security features and tools. We try to educate customers about things like firewalls and encryption but, according to the Information Commissioner's Office (ICO), the biggest cyber security threat in the UK is complacency.
ICO warnings about complacency follow a recent decision to fine a Berkshire construction company £4.4 million for failing to secure staff personal information. Their actions constituted a violation of data protection law.
The ICO warning is a reminder to all of us that complacency makes it too easy for cyber criminals to do what they do. Likewise, eliminating complacency would make data breaches harder to pull off.
A Simple Phishing Scam
According to a bulletin recently published on the ICO website, the construction company in question “failed to put appropriate security measures in place to prevent cyber-attack.” The ICO went on to explain that hackers were able to utilise a phishing scam to access the personal data of as many as 113,000 current and former employees.
Phishing scams are surprisingly unsophisticated and easy to pull off. They involve sending an email disguised as a message from a legitimate organisation to unsuspecting users. Language in the email prompts users to volunteer some sort of personal information that opens them up to further attack.
In this particular case, hackers were able to gain access to:
- Employee names
- Contact information
- National insurance numbers
- Bank account information
- Demographic information
- Health and disability information
Armed with so much information, a hacker could easily steal a victim's identity. That could lead to all sorts of problems including, but not limited to, obtaining credit in the victim's name. Needless to say, this leaves the victims vulnerable in many ways.
Updates and Training
According to the ICO, much of the complacency in the UK revolves around software updates and employee training. Both are inadequate. Not giving proper attention to software updates “is never acceptable” according to the ICO.
In terms of training, the tragedy is that it is so easy to provide. It doesn't take much to train employees in easy ways to spot phishing scams and other means by which hackers attempt to gain entry into local networks.
Hand-in-hand with employee training are policies designed to discourage cutting corners. Policies covering everything from email usage to how employees access the internet can do wonders for cyber security, provided they are enforced.
It Only Takes One
Unfortunately, the case highlighted by the ICO in the recent bulletin proves that it only takes one mistake to create a big problem. The bulletin explains that a single employee received a phishing email that wasn't picked up by the company's spam filter. That email was forwarded to another employee who opened it and inadvertently downloaded malware that infected the entire system.
When the company's anti-virus software identified the problem and issued a warning, the warning was not investigated by IT staff. The result was notable:
- 283 systems and 16 accounts compromised
- Personal data on up to 113,000 employees encrypted and made unavailable
- Removal of the company's antivirus software from its network
The ICO says that the company violated the law by not putting “appropriate technical and organisational measures in place to prevent the unauthorised access of people's information.”
The lesson here should be obvious. Complacency, in the form of outdated software and a lack of employee training, created a problem that could potentially impact more than 100,000 current and former employees. It is a reminder to all of us in the data centre industry of just how important vigilance is.
Visit the DCME Blog Page to read more on data centre industry ‘hot topics’.