How Not to Get Fined £98k...
Mark Dodds
Professional services IT support partner and expert | Co-Owner - Compex IT | Managed IT support | Data Security | Microsoft 365. Over 50 five-star Google reviews
The reason for this 3 Minute Thursday is to make people aware that cyber-attacks don't just happen to multinational businesses like British Airways, Garmin etc... they also happen to small businesses. I truly believe that most small businesses feel it only happens to the "big boys".
It couldn't be further from the truth...it's just not in the media.
Take Tuckers Solicitors last week: a criminal law firm with offices across southern England, the North West and the Midlands, fined £98,000 by the Information Commissioner's Office (ICO) after a ransomware attack (where your data is encrypted) that also enabled the attackers to steal very sensitive information about a number of court cases.
A few excerpts from the 44-page ICO report....
£98,000...
The data taken included personal data, medical files, witness statements and the names and addresses of witnesses and victims, which were then posted on underground data marketplaces.
So, what went wrong?
There were three main things which, in my opinion, are IT security basics...
1. Lack of Multi-Factor Authentication
The firm had not used multi-factor authentication for remote access to its systems.
The ICO said this extra protection was a ‘comparably low-cost preventative measure which Tuckers should have implemented’, which would have substantially increased the difficulty of an attacker entering its network.
“The exploitation of a single username and password is a common exploitation method and is likely to be one of two possible entry methods into the Tuckers network.”
Excerpt from the ICO report:
2. Lack of updates
There was a known system vulnerability that could have been exploited; a patch had been released for it in January 2020, but Tuckers only applied it in June 2020.
3. Lack of data encryption
Tuckers admitted to investigators that personal data stored on the archive server subject to the attack had not been encrypted as a precaution. Encryption might not have prevented the attack, but it would have mitigated the risk posed by the stolen data.
What can you do as a firm to mitigate this kind of attack and avoid a hefty fine?
For Tuckers Solicitors, with no Multi-Factor Authentication and an unpatched vulnerability, it most likely would have been relatively easy for the bad guys to get into their system.
So, what can you do?
Well, firstly, there's no silver bullet when it comes to keeping your data safe. The only real way is to implement multi-layered security across the business...
Firstly, there's the low-hanging fruit:
These two don't cost you a penny!
The additional layers I suggest to our clients tend to be the following:
Finally...
Hats off to Tuckers Solicitors for actually reporting this breach, as I believe many businesses would have covered it up!
By creating a layered approach to recovery, you’re effectively reducing the impact of any ransomware attack. The sooner you can get your business back up and running, the less money you’ll lose and damage you’ll suffer. And your customers are less likely to lose faith in you.
Further info about the Tuckers Solicitors breach can be found on the ICO website: https://ico.org.uk/action-weve-taken/enforcement/tuckers-solicitors-llp-mpn/
Transform Your LinkedIn Success: AI Pragmatist. Elevate Your Brand, Unlock Opportunity, Build Authority and Drive Growth. LinkedIn Trainer, Speaker, Mentor and Consultant for 12 years. Chair of CFFC
3 years ago: Sage advice Mark, thanks for sharing