The UK’s Information Commissioner’s Office (ICO) has warned it will be cracking down on lacklustre cybersecurity measures from businesses, being marked by a £4.4m fine served to construction group Interserve.
The information watchdog handed the hefty fine to Berkshire-based Interserve for failing to keep employee personal information secure, in a breach of data protection law.
According to the ICO, the firm failed to implement appropriate cybersecurity measures, allowing hackers to access the personal data of up to 113,000 staff members.
The breached data included contact details, national insurance numbers, bank accounts, sexual orientation, disability status, and religion.
“The biggest cyber risk businesses face is not from hackers outside of their company, but from complacency within their company,” said John Edwards, the UK Information Commissioner.
“If your business doesn’t regularly monitor for suspicious activity in its systems and fails to act on warnings or doesn’t update software and fails to provide training to staff, you can expect a similar fine from my office.”
Edwards called out firms that failed to maintain cybersecurity standards as irresponsible, as it leaves staff “vulnerable to the possibility of identity theft and financial fraud”.
He added that he will next week be “meeting with regulators from around the world, to work towards consistent international cyber guidance so that people’s data is protected wherever a company is based.”
A £4.4m may be seen as quite extreme, however, Jake Moore, global cyber security advisor at ESET told UKTN that fines are necessary to ensure compliance from companies.
“There is a fine line between threatening companies to build better protections and actually fining them. The threat is usually enough to put pressure on businesses to place more resources in cybersecurity, but it is worthless without fining any of them to make a point,” Moore said.
“The ICO is not out to catch companies and force them to fine but in fact, to help them understand the true risk to their business and their data.”
Interserve has been contacted for comment.