Skórzewiak - stock.adobe.com

Cyber attack victims need to speak up, says ICO

The Information Commissioner’s Office is urging organisations to be transparent and learn from each other’s mistakes as it reveals most of the cyber attacks it responds to stem from the same core errors

With the majority of cyber attacks reported to the UK’s Information Commissioner’s Office (ICO) stemming from basic and common security mistakes, the regulator has said others would be better able to learn and everybody’s security postures might start to improve if victims felt empowered to be more transparent about their experiences.

The ICO said that over 3,000 breaches were reported to it in 2023, of which 22% affected organisations in the financial services industry, with the retail and education sectors accounting for 18% and 11% of reports respectively.

In the Learning from the mistakes of others report, the ICO has compiled practical advice to help organisations better understand common security failings and take simple steps to improve their own security to prevent breaches before they can take place.

“People need to feel confident that organisations are doing as much as they possibly can to keep their personal information secure,” said Stephen Bonner, ICO deputy commissioner for regulatory supervision.

“While cyber attacks are growing more sophisticated, we find that many organisations are not responding accordingly and are still neglecting the very foundations of cyber security.

“As the data protection regulator, we want to support and empower organisations to get this right,” he said. “While there is no single solution to prevent cyber attacks, there is absolutely no excuse for not having the foundational controls in place. These are essential to protecting people’s personal information and we will take action, including fines, against organisations that are still not taking simple steps to secure their systems.

“If you do experience a cyber attack, we always encourage transparency as your mistakes could help another organisation to avoid a similar breach,” said Bonner.

Five causes of breaches

The report zeroes in on the five biggest causes of the breaches reported to the ICO, and for seasoned cyber professionals, the list should contain no surprises:

  • Phishing emails, where users are tricked into sharing credentials, personal information, or downloading malware or ransomware;
  • Brute force attacks, where malicious actors use trial and error to guess weak username and password combinations;
  • Denial of service, where normal network or system operations are slowed or stopped by being overloaded with malicious traffic;
  • User errors, where settings have been misconfigured, poorly implemented, not maintained or left on default;
  • Supply chain attacks, where products, services or technology used at an organisation are compromised and used to infiltrate its systems. 

The report lays out more detail about how such attacks take place, key considerations needed to mitigate the risk, and how the landscape might develop in the future. It also contains a number of case studies drawn from the ICO’s regulatory activities.

Eleanor Fairford, NCSC deputy director for incident management, said: “As more organisations report cyber incidents, it is ever-more crucial to have strong online defences to reduce the risk of falling victim and to protect personal information.

“The NCSC is committed to helping organisations raise their cyber resilience, and we urge leaders to make use of the wide range of practical guidance and free services available on the NCSC website. If the worst should happen, we encourage reporting incidents to the authorities to access expert support and help break the cycle of crime.”

Read more about the ICO’s work

  • The UK data regulator has suggested that, despite major data protection concerns, it is likely to green-light police cloud deployments because of an information-sharing agreement with the US government.
  • The London Mayor’s Office has been reprimanded by the ICO after an internal error exposed the data of people who had made complaints against the Metropolitan Police.
  • An Italian journalist has complained to the data protection watchdog after the Crown Prosecution Service gave conflicting explanations over its deletion of key emails on WikiLeaks founder Julian Assange.

Read more on Data breach incident management and recovery