In 2014, the ICO published a paper titled "Protecting personal data in online services: learning from mistakes of others". Ten years on from this paper, the ICO notes that more personal data processing has moved into the digital world and, in parallel, cyber threats continue to increase year-on-year. The ICO has, therefore, issued a new report on this topic. The report aims to help organisations learn from the mistakes of others by exploring common security threats and how these can be addressed.
The report was accompanied by an ICO blog post on 10 May 2024 in which the ICO called on all organisations to boost their cyber security and protect the personal data they hold, amid the growing threat of cyber-attacks. In the post, the ICO noted that more organisations than ever are experiencing cyber security breaches: over 3,000 cyber breaches were reported to the ICO in 2023, with the finance (22%), retail (18%) and education (11%) sectors reporting the most incidents.
The report focuses on six main categories of security threats: malware (including ransomware), phishing, brute force attacks, denial of service, errors and supply chain attacks. For each category, the report provides an overview of what the threat is, some examples of where the ICO has taken enforcement action against organisations affected by these threats, some key principles and measures to consider when trying to mitigate the risks from these threats, and some possible future developments that might impact these threats. The report draws on existing resources and technical advice from the National Cyber Security Centre (NCSC), the UK's technical authority on cyber security, and other sources.
The report is not intended as guidance, but rather as a summary of some of the most relevant and recurring issues that the ICO has observed in its regulatory activities. The report does not replace any of the ICO's existing guidance or the NCSC's technical guidance, which are referred to throughout.
In the table below, we have set out a summary of the report's review of each specific threat identified. However, there are a number of important themes and recommendations that are raised in the report that apply across the threat types. These include:
- There is no silver bullet or single solution for information security and each organisation needs to consider its own activities, and wider technological developments, when determining its approach to information security.
- It is important to get the basics right – consider things like staff training, least privilege access, and changing default passwords and configurations.
- It is also important to take a layered approach to information security. In this way, if one measure fails, there should be another mitigating measure. Organisations should never rely on one person or one control for security.
- Adopt a security-by-design and security-by-default approach.
The report is a useful (and concise) source of information on the current cyber threat landscape (as seen by the ICO), as well as the security measures that could be deployed to address these threats. With regulatory changes afoot in the area of cyber security and digital resilience, including the EU's Digital Operational Resilience Act, the release of the report is also timely.
Summary of the cyber threats identified in the report:
| Threat | What is it? | ICO commentary | Example security measures to address the threat |
| --- | --- | --- | --- |
| Malware | Software used with malicious intent to harm systems. Ransomware is the most common (and often the most harmful) form: threat actors use software to encrypt an organisation's data and then demand a ransom to restore access. | Malware attacks are rising year-on-year. An organisation hit by ransomware should assume its data has also been exfiltrated, as this is a common tactic. Paying a ransom neither reduces the risk nor safeguards the information. Ransomware attacks are usually the result of poor cyber hygiene rather than sophisticated techniques; phishing emails and vulnerabilities in remote access technologies are common attack vectors. | Follow good cyber hygiene (see the NCSC's 10 steps to cyber security); use multi-factor authentication (MFA) and other access controls; have appropriate, secure and tested back-ups; train staff; actively monitor systems to detect issues; test response and recovery plans; keep up to date with security issues (sign up to the NCSC's early warning service). |
| Phishing | Threat actors use scam messages to persuade recipients to disclose sensitive information, pay money or click a malicious link. Phishing is a form of social engineering and relies on the recipient misplacing trust in the perceived authenticity of the message. Spear phishing is targeted phishing, typically using publicly available information about the recipient to make the message appear more authentic. | Phishing attacks are also on the rise. There is no single solution; multiple layers of protection should be in place. Phishing emails are becoming more sophisticated and harder to detect, and threat actors are using AI (large language models) to build more convincing and effective campaigns. | Technical controls (filtering, anti-spoofing controls, MFA, firewalls and blocklists); human-centric measures (e.g., security awareness training on phishing); a no-blame culture with clear reporting mechanisms, so that suspected phishing is reported and addressed promptly. |
| Brute force attacks | Threat actors use trial and error to guess username and password combinations or encryption keys. These attacks are usually automated. | Attackers increasingly use AI to try huge numbers of combinations as quickly as possible. Brute force attacks rely on computing power, and in future quantum computers could shorten the time needed for a successful attack. Organisations must take technological developments into account when assessing whether their security measures remain appropriate. | Use MFA; require strong passwords (ideally the three random words approach); encourage different passwords for different accounts; protect passwords at rest; disable unused accounts; use alternatives to passwords (e.g., single sign-on); limit logon attempts and lock accounts after too many incorrect guesses; configure systems to impose delays between successive login attempts (throttling); consider a CAPTCHA to distinguish human users from bots. |
| Denial of service (DoS) | DoS attacks aim to stop a website or IT network functioning normally by overloading it with traffic, making the website or system unusable and causing disruption. A distributed DoS (DDoS) attack does the same, but the attacker uses a network of connected devices to flood the target from many points at once, making it harder to stop. | The report notes that hackers are increasingly launching DDoS attacks against the UK's financial sector as they move away from phishing and ransomware. | Consider deploying technologies that detect malicious network traffic; check that firewalls and routers are correctly configured; consider third-party DoS protection services; have a tested business continuity and disaster recovery plan. |
| Errors | Errors arise from misconfiguration, human error or a lack of checks and balances that leaves controls insufficient and systems exposed. Typical errors and misconfigurations include: failing to change default 'out of the box' passwords; leaving unused administration ports open; unrestricted or inherited excessive permissions; and incorrectly implemented IT changes. | Security misconfigurations are among the most significant cyber risks. | Make security a core component throughout the technology life cycle (security-by-design and by-default); keep development environments separate from live systems and do not deploy to a live environment without suitable testing; train staff; change default access credentials; apply four-eyes quality control checks; remove unused applications and programs; do not ignore warnings and errors, and plan time for updates and fixes. |
| Supply chain attacks | Third-party products (e.g., software), services or technology supplied to an organisation are compromised, which in turn allows infiltration and further compromise of the organisation's own systems. | The threat from a supply chain grows with the number of suppliers, and thus the number of potential entry points. Supply chain attacks are very difficult to mitigate across long supply chains (where an organisation's vendors are themselves supplied by vendors, and so on). They are therefore more complicated than many other attacks, and recovery may depend heavily on third-party suppliers. | Have a robust supply chain risk management programme; test systems developed by third parties; conduct thorough due diligence on suppliers before appointment; put in place appropriate service and security agreements; verify connections and enforce least privilege and segregation of duties. |
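Several of the brute force measures in the table (protecting passwords at rest, limiting logon attempts, locking accounts after repeated failures, and throttling between attempts) can be seen working together in a single login routine. The Python below is an added illustration written for this summary; it is not code from the ICO report or from NCSC guidance. The user name, the guessed passwords, the thresholds (five failures, a 15-minute lockout, a delay that doubles after each failure) and the fake clock are all assumptions chosen for the example.

```python
"""Added example (not from the ICO report or NCSC guidance): a login routine
combining salted password hashing at rest, throttling between failed
attempts, and account lockout. Names, guesses and thresholds are assumed."""
import hashlib
import hmac
import os
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

MAX_FAILURES = 5        # assumed: lock the account on the fifth consecutive failure
LOCKOUT_SECONDS = 900   # assumed: 15-minute lockout
BASE_DELAY = 1.0        # assumed: first throttling delay in seconds, doubling each failure


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Protect the password at rest: random salt plus a memory-hard scrypt digest."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, n=2 ** 14, r=8, p=1)
    return salt, digest


@dataclass
class Account:
    salt: bytes
    digest: bytes
    failures: int = 0        # consecutive failed attempts since the last success
    not_before: float = 0.0  # throttling: earliest time another attempt is evaluated
    locked_until: float = 0.0


class Authenticator:
    def __init__(self, clock: Callable[[], float] = time.monotonic) -> None:
        self.accounts: Dict[str, Account] = {}
        self.clock = clock   # injectable so the behaviour can be exercised without waiting

    def register(self, user: str, password: str) -> None:
        salt, digest = hash_password(password)
        self.accounts[user] = Account(salt, digest)

    def login(self, user: str, password: str) -> str:
        """Return 'ok', 'denied', 'throttled' or 'locked'."""
        now = self.clock()
        acct = self.accounts.get(user)
        if acct is None:
            # Hash anyway so response time does not reveal which user names exist.
            hash_password(password, b"\x00" * 16)
            return "denied"
        if now < acct.locked_until:
            return "locked"
        if now < acct.not_before:
            return "throttled"          # rejected before the password is even checked
        _, digest = hash_password(password, acct.salt)
        if hmac.compare_digest(digest, acct.digest):
            acct.failures = 0
            acct.not_before = 0.0
            return "ok"
        acct.failures += 1
        if acct.failures >= MAX_FAILURES:
            acct.locked_until = now + LOCKOUT_SECONDS
            acct.failures = 0           # fresh count once the lockout expires
            return "locked"
        # Exponential back-off: 1s, 2s, 4s, 8s before the next guess is evaluated.
        acct.not_before = now + BASE_DELAY * 2 ** (acct.failures - 1)
        return "denied"


class FakeClock:
    """Constructed clock so the demonstration runs instantly and deterministically."""
    def __init__(self) -> None:
        self.t = 0.0

    def __call__(self) -> float:
        return self.t

    def advance(self, seconds: float) -> None:
        self.t += seconds


def demo() -> List[str]:
    """Run a constructed guessing campaign against one account; return each outcome."""
    clock = FakeClock()
    auth = Authenticator(clock)
    auth.register("alice", "correct horse battery staple")     # constructed credential
    results = []
    # Phase 1: a fast attacker retrying every half second; most attempts hit the throttle.
    for guess in ["password", "123456", "qwerty", "letmein", "admin", "welcome"]:
        results.append(auth.login("alice", guess))
        clock.advance(0.5)
    # Phase 2: a patient attacker waits out the throttle; the fifth failure locks the account.
    for guess in ["monkey", "dragon", "football", "iloveyou"]:
        clock.advance(60)
        results.append(auth.login("alice", guess))
    # Phase 3: the genuine user is also shut out until the lockout window expires.
    results.append(auth.login("alice", "correct horse battery staple"))
    clock.advance(LOCKOUT_SECONDS)
    results.append(auth.login("alice", "correct horse battery staple"))
    return results


if __name__ == "__main__":
    print(demo())
```

Phase 3 shows the caveat a practitioner should weigh: per-account lockout is itself a denial-of-service lever, since anyone who knows a user name can lock that user out by guessing badly. That is why the report lists lockout alongside MFA, CAPTCHA and throttling rather than on its own; in practice the throttle should also be keyed on the source of the attempts, not only on the account.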