The UK’s Information Commissioner’s Office (ICO) has warned it will crack down on lackluster cyber security practices by businesses, highlighted by a £4.4m fine imposed on construction group Interserve.
Berkshire-based Interserve has been hit with a hefty fine by the ICO for failing to keep employees’ personal information secure, in breach of data protection law.
According to the ICO, the firm failed to implement adequate cyber security measures, allowing hackers to access the personal data of up to 113,000 employees.
Hacked data included contact details, National Insurance numbers, bank accounts, sexual orientation, disability status and religion.
“The biggest cyber security threat businesses face is not hackers outside their company, but complacency inside their company,” said John Edwards, UK Information Commissioner.
“If your company does not regularly monitor its systems for suspicious activity and respond to alerts, update software, or provide staff training, you can expect a similar fine from my office.”
Edwards called firms that do not maintain cyber security standards irresponsible, as this leaves staff “vulnerable to the possibility of identity theft and financial fraud”.
He added that next week he is “meeting with regulators from around the world to work on agreed international cyber guidelines so that people’s data is protected wherever a company is.”
However, while £4.4m could be seen as an extreme figure, Jake Moore, global cyber security adviser at ESET, told UKTN that fines are necessary to ensure compliance on the part of companies.
“There’s a fine line between threatening companies to build better defenses and actually fining them. The threat is usually enough to put pressure on businesses to commit more resources to cybersecurity, but it’s useless without fining someone to make a point,” Moore said.
“The ICO is not about catching companies and fining them, but really about helping them understand the real risk to their business and their data.”
Interserve has reached out for comment.
ICO signals crackdown on lacklustre cybersecurity with £4.4m fine