How Not to Get Fined £98k...

The reason for this 3 Minute Thursday is to make people aware that cyber-attacks don't just happen to multi-national businesses like British Airways, Garmin etc...they also happen to small businesses. I truly believe most small businesses feel that it only happens to the "big boys".

It couldn't be further from the truth...it's just not in the media.

Take Tuckers Solicitors last week, a criminal law firm with offices across southern England, the northwest and the Midlands, which was fined £98,000 by the Information Commissioner (ICO) after being breached with ransomware (where your data is encrypted). The attack also enabled the bad guys to steal very sensitive information on a number of court cases.

A few excerpts from the 44-page ICO report...

£98,000...

Some of the data taken (personal data, medical files, witness statements and the names/addresses of witnesses and victims) was then posted in underground data marketplaces.

  • In deciding to issue a fine, the ICO said “this personal data breach occurred due to a criminal and malicious cyber-attack that exploited negligent security practices”.
  • In deciding the level of fine, the ICO said an aggravating factor was Tuckers’ failure to meet various standards set out by the SRA (Solicitors Regulation Authority) in its code of conduct.

So, what went wrong?

There were 3 main things, which, in my opinion, are IT security basics...

1. Lack of Multi-Factor Authentication

The firm had not used multi-factor authentication for remote access to its systems.

The ICO said this extra protection was a ‘comparably low-cost preventative measure which Tuckers should have implemented’, which would have substantially increased the difficulty of an attacker entering its network.

“The exploitation of a single username and password is a common exploitation method and is likely to be one of two possible entry methods into the Tuckers network.”

[Image: excerpt from the ICO report]

2. Lack of updates

There was a known system vulnerability that could have been used; a patch had been released for it in January 2020, but Tuckers did not apply it until June 2020.

3. Lack of data encryption

Tuckers admitted to investigators that personal data stored on the archive server subject to the attack had not been encrypted. Encryption might not have prevented the attack, but it would have mitigated the risk posed by the stolen data.

What can you do as a firm to mitigate this kind of attack and avoid a hefty fine?

For Tuckers Solicitors, with no Multi-Factor Authentication and an unpatched vulnerability, it most likely would have been relatively easy for the bad guys to get into their system.

So, what can you do?

Well, firstly, there's no silver bullet when it comes to keeping your data safe. The only real way is to implement multi-layered security into the business...

To start with, there's the low-hanging fruit:

  • Two-factor authentication
  • Encrypting your computer (this needs the Pro edition of Windows)

These 2 don't cost you a penny!!!!
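As an added example (not from the article or the ICO report), here is a short PowerShell check a firm can run on a Windows Pro machine to see where it stands on two of the three points above: whether the system drive is actually encrypted with BitLocker, and how long it has been since the last Windows update was installed. It assumes the BitLocker PowerShell module is present (it ships with Windows Pro and Enterprise) and that the session is running as an administrator; the 30-day threshold is an assumed, illustrative limit, not a figure from the report. Multi-factor authentication can't be checked from the endpoint in the same way; it has to be verified on the remote-access service itself.

```powershell
# Added audit snippet (not the article's own): checks disk encryption and patch currency.
# Assumes: Windows Pro/Enterprise, BitLocker module available, elevated session.

# 1. Disk encryption: is the OS volume protected by BitLocker?
$os = Get-BitLockerVolume -MountPoint $env:SystemDrive
[pscustomobject]@{
    Volume           = $os.MountPoint
    VolumeStatus     = $os.VolumeStatus       # FullyEncrypted / FullyDecrypted / EncryptionInProgress
    ProtectionStatus = $os.ProtectionStatus   # On / Off (Off means the key protectors are suspended)
    KeyProtectors    = ($os.KeyProtector | ForEach-Object KeyProtectorType) -join ', '
}
if ($os.VolumeStatus -ne 'FullyEncrypted' -or $os.ProtectionStatus -ne 'On') {
    Write-Warning "System drive is not fully protected by BitLocker - data on a lost or stolen device is readable."
}

# 2. Patch currency: most recently installed update and how long ago it landed.
$latest = Get-HotFix | Where-Object InstalledOn | Sort-Object InstalledOn -Descending | Select-Object -First 1
$ageDays = [int]((Get-Date) - $latest.InstalledOn).TotalDays
"Most recent update: $($latest.HotFixID), installed $($latest.InstalledOn.ToShortDateString()) ($ageDays days ago)"
if ($ageDays -gt 30) {   # assumed threshold for illustration
    Write-Warning "No update installed in the last 30 days - check Windows Update / WSUS before a known vulnerability is used against you."
}
```

Run it on a handful of laptops and you quickly find the machine nobody has rebooted since January. A "FullyDecrypted" volume or an update gap of several months is exactly the kind of finding the ICO called a negligent security practice.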

The additional layers I suggest to our clients tend to be the following:

  • Appropriate security software on your devices built to protect against the latest threats
  • A business-grade firewall that’s effectively maintained and monitored
  • Enterprise-level email security
  • Real-time monitoring of your Microsoft 365 system
  • Making sure all devices are being kept up to date with the latest updates
  • A resilient backup strategy...one where you actually know if your data can be restored!
  • Password management
  • User awareness training

Finally...

Hats off to Tuckers Solicitors for actually reporting this breach as I believe many businesses would have covered it up!!

By creating a layered approach to recovery, you’re effectively reducing the impact of any ransomware attack. The sooner you can get your business back up and running, the less money you’ll lose and damage you’ll suffer. And your customers are less likely to lose faith in you.


Further info about the Tuckers Solicitors breach can be found on the ICO website: https://ico.org.uk/action-weve-taken/enforcement/tuckers-solicitors-llp-mpn/

Nigel Cliffe

Transform Your LinkedIn Success: AI Pragmatist. Elevate Your Brand, Unlock Opportunity, Build Authority and Drive Growth. LinkedIn Trainer, Speaker, Mentor and Consultant for 12 years. Chair of CFFC

3 years

Sage advice Mark, thanks for sharing
