The UK’s Information Commissioner’s Office (ICO) reports that the majority of cyber attacks stem from basic and common security mistakes. The regulator believes that if victims felt empowered to be more transparent about their experiences, others could learn from these incidents, potentially improving overall security postures.
"People need to feel confident that organisations are doing as much as they possibly can to keep their personal information secure,” said Stephen Bonner, ICO deputy commissioner for regulatory supervision.
“While cyber attacks are growing more sophisticated, we find that many organisations are not responding accordingly and are still neglecting the very foundations of cyber security".
“As the data protection regulator, we want to support and empower organisations to get this right,” he said. “While there is no single solution to prevent cyber attacks, there is absolutely no excuse for not having the foundational controls in place. These are essential to protecting people’s personal information and we will take action, including fines, against organisations that are still not taking simple steps to secure their systems.
“If you do experience a cyber attack, we always encourage transparency as your mistakes could help another organisation to avoid a similar breach,” said Bonner.
The report highlights the five biggest causes of breaches reported to the ICO, and for seasoned cyber professionals, the list is unsurprising:
"People need to feel confident that organisations are doing as much as they possibly can to keep their personal information secure,” said Stephen Bonner, ICO deputy commissioner for regulatory supervision.
“While cyber attacks are growing more sophisticated, we find that many organisations are not responding accordingly and are still neglecting the very foundations of cyber security".
“As the data protection regulator, we want to support and empower organisations to get this right,” he said. “While there is no single solution to prevent cyber attacks, there is absolutely no excuse for not having the foundational controls in place. These are essential to protecting people’s personal information and we will take action, including fines, against organisations that are still not taking simple steps to secure their systems.
“If you do experience a cyber attack, we always encourage transparency as your mistakes could help another organisation to avoid a similar breach,” said Bonner.
The report highlights the five biggest causes of breaches reported to the ICO, and for seasoned cyber professionals, the list is unsurprising:
- Phishing emails, where users are deceived into sharing credentials, personal information, or downloading malware or ransomware;
- User errors, where settings are misconfigured, poorly implemented, not maintained, or left on default;
- Brute force attacks, where malicious actors use trial and error to guess weak usernames and password combinations;
- Supply chain attacks, where products, services, or technologies used by an business or organisation are compromised and used to infiltrate its systems.
In the “Learning from the Mistakes of Others” report, the ICO offers practical advice to help organizations better understand common security failings and take simple steps to improve their security, preventing breaches before they occur.
The report provides detailed insights into how these attacks occur, key considerations for mitigating the risk, and potential future developments in the landscape. It also includes several case studies based on the ICO’s regulatory activities.