Firms must do more to combat threat of cyber attacks, data regulator warns

Organisations need to do more to boost their cybersecurity and protect the personal information they hold in the face of the growing threat of cyber attacks, the data protection regulator has said.

The Information Commissioner’s Office (ICO) said its own data shows more firms than ever are experiencing cybersecurity breaches and it has published advice around common security mistakes.

The ICO said more than 3,000 cyber breaches were reported to it in 2023, with the finance, retail and education sectors recording the most incidents.

The regulator’s intervention also comes in the wake of a high-profile attack on the Ministry of Defence, with hackers targeting a third party payroll system that holds personal data – including names, bank details and some addresses – of service personnel and some recently retired veterans.

The ICO said it is vital businesses have the “foundational controls” in place to prevent cyber attacks.

Stephen Bonner, deputy commissioner for regulatory supervision at the ICO, said: “People need to feel confident that organisations are doing as much as they possibly can to keep their personal information secure.

“While cyber attacks are growing more sophisticated, we find that many organisations are not responding accordingly and are still neglecting the very foundations of cybersecurity.

“As the data protection regulator, we want to support and empower organisations to get this right.

“While there is no single solution to prevent cyber attacks, there is absolutely no excuse for not having the foundational controls in place.

“These are essential to protecting people’s personal information and we will take action, including fines, against organisations that are still not taking simple steps to secure their systems.

“If you do experience a cyber attack, we always encourage transparency as your mistakes could help another organisation to avoid a similar breach.”

The ICO’s new report, entitled Learning From The Mistakes Of Others, includes advice for firms on how to understand common security failures and take simple steps to improve their own security.

It includes guidance around what the ICO says are the five leading causes of cybersecurity breaches: phishing scams; brute force attacks – where hackers use trial and error to guess log-in details; denial of service attacks, where hackers flood a site with traffic to knock it offline; security setting errors; and supply chain attacks.