A quick scan of the Information Commissioner’s Office (ICO) website shows that between the beginning of August and 13 October, 17 enforcement notices were issued. These range from a small fine for processing personal data while not registered with the Commissioner, to the TalkTalk decision. In total, £840,650 has been levied in fines since August: nearly a million pounds in just short of three months. The TalkTalk decision makes up almost half of this amount, but two things are evident: the ICO is looking at all types of business, and small businesses are not immune; and the TalkTalk decision sends a clear message to businesses of all sizes to take their IT security seriously.
In its summary of the case the ICO states:
“TalkTalk’s failure to implement the most basic cyber security measures allowed hackers to penetrate TalkTalk’s systems with ease.”
“Yes hacking is wrong, but that is not an excuse for companies to abdicate their security obligations. TalkTalk should and could have done more to safeguard its customer information. It did not and we have taken action.”
The ICO found against TalkTalk on the 7th Data Protection Principle, Security, which states that: “Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data”.
As a result, by 2 November TalkTalk will have to hand over a cheque for £400,000 to the ICO. Ouch. But added to this, profits have reduced by 56% and, according to The Register, in the month after the breach 9,000 customers did the WalkWalk. It isn’t just the fine that hurts.
There is no doubt that the fines are increasing. Hampshire Council has been fined £100,000 for leaving the details of 100 people in a disused building. A GP surgery has been fined £40,000 for revealing details of one patient. When the new General Data Protection Regulation is implemented, the maximum fine that can be levied will increase to 4% of turnover. That could be the ruin of some organisations. It is clear from the ICO that it will not simply accept that a business has been hacked and that the hacking is a crime. It will expect businesses to demonstrate that they have done all they can to prevent unauthorised access. This latest finding almost puts cyber security on a level with health and safety, and all organisations should begin to take it seriously.
Reading the ICO statement, how many organisations can honestly say they do ‘all’ they can to avoid data loss? When I, as a consumer, share my details, how can I be sure that the organisation I am sharing them with has done all it can?
I suppose the first step for most organisations is Cyber Essentials. The scheme was launched by the UK government in 2014, and some experts suggest that implementing its 5 basic controls could reduce the risk of simple commodity attacks, such as the one against TalkTalk, by 80%. One blogger, an early implementer of Cyber Essentials, suggested that even though they held ISO 27001 certification (a much more complex assessment), they still learned from implementing Cyber Essentials. When the scheme was launched in 2014, Christopher Graham, the Information Commissioner of the time, was quoted as saying “Cyber Essentials enables businesses to demonstrate that they are taking action to control the risks”. Now, it doesn’t say that they would be exempt from prosecution, but there are demonstrable mitigations to the risks. A few hundred pounds on Cyber Essentials, plus the time spent implementing and monitoring it annually, has to be a reasonable investment.
Cyber Essentials may go some way to satisfying the ICO, but what about the customers of a business? The Cyber Essentials badge should also go some way to satisfying the customer that the business takes security seriously. However, the badge isn’t everything. Before trusting it completely, ask the business when it was last certified. One weakness of the certification is the lack of an expiry date. Technically, a business that certified at the start of the scheme can still say it has Cyber Essentials today, even though it hasn’t done anything since. It isn’t a one-off process: to keep current, businesses should renew yearly, just like a cyber MOT.
Featured image by Alexander Baxevanis (used under Flickr Creative Commons Licence)