Cyber security, the ICO and fines

Hi all

It's been an interesting week, helping out my clients with ISO 9001 and ISO 27001 has been constructive. With one of them we have been focusing on the new privacy standard ISO 27701 and getting to grips with the new standard, it should make for interesting implementation.

So onto this week's blogging! Today we are talking about cyber security, the ICO and fines. The chances are that the Information Commissioner's Office (ICO) in the UK, or any other national authority for the protection of information, is only going to be interested in your business or organisation if you suffer a data breach and you are obliged to report it. It's either that, or someone else has reported you, which makes it even worse. Under the GDPR and the Data Protection Act 2018 you have to report a reportable data breach within 72 hours of finding out about it.

So what is reportable? That's a good question and I'll offer the following advice. A data breach is quite simply when information is accessed by a third party that should not have access to it. That third party may be a hacker, or the data may simply have gone to the wrong person by mistake, through a processing error caused either by a cyber issue or by a human being doing something incorrectly. Following a breach you should establish whether the severity of the breach makes it reportable.

You have to decide whether the breach puts people's rights and freedoms at risk, in other words whether the breach puts people's data under threat by disclosing it to a third party. If you feel that the breach is serious, then it is probably reportable under current guidelines. If you feel that the breach can be swiftly and easily rectified with minimum disturbance to people's rights, then it may not be reportable. It just depends on the severity of the issue. You have to decide.

Depending on the issue you may be asked certain questions, such as what safeguards were in place and whether you conceivably did enough to protect the data. You should know what your technical and practical safeguards are and document them; if you do not, it's time you did. Under the GDPR, Article 30 asks you to document your technical safeguards, and knowing what they are puts you at an advantage: knowing what technical (and practical) safeguards are in place lets you determine whether they are good enough in the first place.

With cyber security, times are challenging. Just how safe are your servers? That's a good question, and one that can only be tackled with the help of third parties who, you should check, hold the right credentials to undertake such tests of your servers. Some companies are registered under the CHECK scheme, a UK Government approved scheme that uses companies which have undergone their own checks and are suitably qualified to test your servers and systems. See the NCSC CHECK scheme for details.

What these companies do is test your servers for vulnerabilities: they will probe your server infrastructure to see where the gaps lie, what particular threats exist and what risks you face. It is worth noting that you can also purchase software that acts as a vulnerability scanner and tells you which ports are open on your servers; open ports that serve no business purpose can invite hackers to gain access and exploit your data.

Where to host your servers? This is also something you should focus on. If a hosting company houses your servers then it's a good bet that they will have their own technical safeguards, but because it's your server, it's your job to know what security is in place to protect it. Many companies use substandard methods of server hosting, and substandard companies to house them. There are many hosting companies out there; it's up to you who to choose, and you should exercise due diligence to protect yourselves by asking what security is in place to protect your servers and the information contained within them.

There is no doubt that security flaws lead to higher risks, and there is plenty you can do to lower the risk. One way is to have suitable accreditation or certifications in place, such as Cyber Essentials and Cyber Essentials Plus, a UK Government approved scheme in which a certified third party asks you questions and, in the case of Cyber Essentials Plus, carries out suitable testing of your server infrastructure to see whether someone can gain entry.

Should someone hack into your servers, gain access to the information contained within them, and distribute it or make it known that you were hacked, you could be looking at a substantial fine. Not only can these fines run into the hundreds of thousands if you suffer a breach, they can also run into the millions under the GDPR, and it is this that you want to avoid.

Knowing the ICO, they would want to know what safeguards you had in place, whether you did enough to protect the information held on the servers, and what your attitude was towards continual improvement. Working with the ICO helps, as this can reduce a fine and shows that you are willing to act in the right way.

ISO 27001 is a great standard for improving your processes, as it helps you to focus on continual improvement, but the downside is that no penetration testing is carried out by the certification body. The auditors will only ask questions related to your information security and will hopefully push you towards getting penetration testing completed. Having Cyber Essentials Plus in place gives you a defence mechanism against cyber threats. People who appropriately probe your systems in order to help are a fantastic way of improving the security of those systems, because they will tell you where the dangers lie.

If the ICO do fine you, having found that you were not doing enough, then it's safe to say that any breach of data is going to cost you, and it is this that companies should be aware of.

Or else it's money (and reputation) down the drain...

Best regards


Steven Burgess is an ISO 9001 and ISO 27001 Consultant to companies in the UK and also a Data Protection Officer for Disclosure Services Limited, a company that processes data relating to criminal record checks.