A Yorkshire IT consultancy is warning local businesses that they could face significant fines for not having the right data protection security in place, following the severe punishment of a law firm that fell victim to a cyber-attack.
ITWiser is advising all businesses to undergo a Cyber Essentials assessment to ensure data is properly protected, after the Information Commissioner’s Office (ICO) fined a firm of solicitors £98,000 for failing to secure IT files and sensitive court bundles. After the firm’s system was hacked, some of the documents were published on the dark web.
Martin Clark, who heads up ITWiser, explained: “Since GDPR rules were introduced in 2018, relating to how personal data is collected and processed, it’s been vitally important for businesses to invest in a Cyber Essentials package, and this recent high-profile case reinforces why.
“In the last four years hundreds of firms have fallen foul of not having the right protection in place to protect against cybercrime, but this case is the first where the ICO has made the point that Cyber Essentials is something that they expect businesses to have in place. The case has really brought the message home that firms that don’t take data security seriously will be punished.”
A basic Cyber Essentials package can be purchased from £300 online, but Cyber Essentials Plus is recommended for businesses that process any sensitive data or large volumes of data. The cost starts from £1,200 and involves an onsite visit. A Cyber Essentials package will help any business guard against the most common cyber threats and demonstrate its commitment to cyber security.
Martin added: “Perhaps one of the most striking things about this breach is the specifics of what the ICO found lacking in the law firm’s security. The firm was criticised for not using multi-factor authentication and not having a security standard in place such as Cyber Essentials. The ICO stated that implementing these security measures is comparably low cost and should have been in place.
“The ICO also noted that the hacker took advantage of the switch to remote working, by infiltrating software used by the firm to allow employees to access their work desktops from home, using a single password.
“The important takeaway from this enforcement action is that the ICO have made a clear indication that they expect organisations to have certain security standards in place. Any firm that processes sensitive data or large volumes of data must have multi-factor authentication enabled, hold security certification such as Cyber Essentials, encrypt devices that hold data and maintain a robust records management process.
“It’s unusual for the ICO to be so specific, so this needs to be taken seriously not just by law firms, but businesses that operate across every sector. To ensure compliance, businesses must at least reach the expected standards of the ICO. No system is ever 100% foolproof when it comes to data protection, but using a company that is a certified body for Cyber Essentials and making sure the obligations outlined by the ICO are followed will at least reduce risk and the likelihood of such a large fine.”