The ICO issued a £4.4 million monetary penalty notice this week against Interserve. Interserve suffered a cyberattack, and the ICO found that the security failings which allowed that attack to succeed amounted to a breach of the GDPR.
INTERSERVE GROUP LIMITED monetary penalty notice (ico.org.uk)
It’s worth reading in full. Note particularly how, in clauses 16 and 17, the ICO explicitly draws attention to the GDPR requirements in respect of cyber security that are set out in GDPR Article 5.2 and Article 32.
Clauses 53 onwards of the penalty notice set out the failings: out-of-date operating systems and inadequate endpoint protection, and clause 61 specifically identifies the failure to follow the industry best practice set out in ISO 27001 as a contributing factor.
Interserve carried out neither vulnerability scanning nor regular penetration testing, even though its own policy said that it should.
Only one of the two employees who handled the phishing email had received data protection training. That is a reminder that staff awareness coverage needs to be 100%: attackers have to succeed just once, defenders have to succeed every time. Training is only one layer, though. It lowers the chance that a phishing email is acted on, but when one is, the technical controls (patching, endpoint protection) still have to hold.
It’s a timely demonstration that no organisation can afford to cut corners on cyber security or GDPR compliance, whatever the economic circumstances.
You could go further than that: an organisation that does all the things Interserve so signally failed to do not only avoids the penalty but could also save itself significant expenditure, disruption and loss of business.
Are you ready for your cyber attack?