Here’s just a small selection of some of the cyber and data protection stories to hit the news, and suffer regulatory force, this month.
Parliament hit by cyber attack prompting officials to disable remote email access. The “determined attack” was claimed to be an “attempt to identify weak passwords” and experts warn of potential blackmail attempts if emails were successfully accessed.
University College London (UCL) was struck by a major ransomware attack this that left students and staff locked out of their files. The virus is believed to have spread through UCL’s network after users visited a compromised website.
Petya, a massive, global ransomware outbreak, has been hitting airports, banks, shipping firms and other businesses across Ukraine, Russia, the United Kingdom, Denmark, India and beyond. Danish shipping giant Maersk and the global pharmaceutical giant Merck all appear have had their systems compromised.
Please see a recap of the advice issued by City of London Police in relation to ransomware*.
Data Privacy Regulator – It’s been a bad month for local councils
The Information Commissioner’s Office (ICO) have been busy…
Medway Council received an enforcement notice from the ICO following previous audits and two security breaches. They failed to take adequate steps to ensure that mandatory data protection training had been rolled out.
The ICO fined Gloucester City Council £100k after a cyber attack resulted in the breach of employee sensitive personal data – if you think it’s all about consumer’s you’re wrong!
Basildon Borough Council were fined £150k when their planning department published a family’s sensitive personal information. It was found that Basildon failed to take adequate organisational measures and had failed in staff training.
Maybe not quite as bad as the results in April which saw 11 well known charities fined for failings.
With GDPR less than a year from coming into effect, it seems there is much still to do before the ICO has the power to levy much more punitive fines.
Good information security management for prevention rather than cure
Whilst good information security management won’t guarantee cyber attacks and breaches can’t take place, it will reduce the threats significantly. Demonstrating effective information security management to regulators will also mitigate the risk of fines.
Our top three information security and data privacy recommendations:
- Follow an information security management framework such as ISO 27001 – it’s recognised as the most comprehensive solution to achieving an enhanced cyber security posture.
- Build information security into your HR processes – ensure you can easily demonstrate effective staff communications, training and reviews are taking place
- If you haven’t already, start preparing for GDPR now! A UKAS accredited ISO 27001 will help you address the security requirements and will give regulators the assurance that you are taking adequate organisational measures around information security.