Last month, the Information Commissioner’s Office (ICO) published its report on “Learning from the mistakes of others” (the ICO Report). The ICO Report, collated using actual data breach reports made to the ICO, delves into the most common information security issues – and how best to avoid them.

The ICO received over 3,000 cyber breach reports in 2023 – with the most intense activity being in the finance, retail and education sectors. 2024 has also seen increased activity in this space. From May 2022 to May 2023, 25.9% of data breaches reported to the ICO were cyber-related. This figure rose to 32.5% in the same period the following year, representing a 6.6% increase for cyber-related breaches. As we look forward to the rest of 2024 and beyond, it is expected that these numbers will only continue to rise as cyber attacks become more varied and sophisticated.

So, according to the ICO, what are the most common causes of security breach and how do you avoid them?

What is it? ‘Malware’ is malicious software written with the intent to disrupt, damage or gain access to computer systems. According to the ICO Report, malware attacks are growing year on year, with the most common form being ransomware – malware used by criminals to encrypt an organisation’s files so that nobody within the organisation can access them. Malware is most commonly delivered via phishing emails or through the exploitation of vulnerabilities in remote desktop software.

How best to protect against it? Multi-factor authentication; frequent security training for staff; regular testing of response and recovery plans.

What is it? Phishing involves attackers deceiving individuals into carrying out an action that benefits the attacker (to the detriment of the individual and/or organisation in question). This includes sending sensitive information or money to the attacker, or clicking a link from the attacker that adds a virus to a computer which could then potentially infect an organisation’s entire network infrastructure. This is done commonly via email, text or phone call – relying on the individual believing the attacker’s message is genuine. The Department for Science, Innovation & Technology, as part of its 2024 cybersecurity breaches survey, stated that 56% of businesses that reported breaches in the past year identified phishing attacks as the most disruptive for organisations. This survey also showed that phishing attacks are on the rise (79% in 2023-24, compared with 72% in 2017).


How best to protect against it? Train staff to be wary of opening or clicking on content in emails from unfamiliar senders; anti-spoofing controls to prevent attackers from imitating your organisation’s network domain.
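As an added illustration of the anti-spoofing controls mentioned above (this is not code from the ICO Report), the following Python script parses a domain's SPF and DMARC TXT records and reports settings that still let spoofed mail through, such as an SPF `~all` softfail or a DMARC policy of `p=none`. The record strings and domain names are constructed samples; in practice they would be fetched with a DNS TXT lookup for the domain and for `_dmarc.<domain>`.

```python
"""Assess SPF and DMARC records for anti-spoofing strength.

Added example for this article, not code from the ICO Report. The record
strings below are constructed; a real check would fetch them via DNS.
"""

# Constructed sample records (example.invalid is a reserved, non-routable name)
WEAK_SPF = "v=spf1 include:_spf.example-mailer.invalid ~all"
WEAK_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc@example.invalid"
STRONG_SPF = "v=spf1 ip4:192.0.2.10 include:_spf.example-mailer.invalid -all"
STRONG_DMARC = "v=DMARC1; p=reject; pct=100; rua=mailto:dmarc@example.invalid; adkim=s; aspf=s"


def parse_spf(record: str) -> dict:
    """Return the qualifier on the 'all' mechanism and the other mechanisms."""
    if not record.lower().startswith("v=spf1"):
        raise ValueError("not an SPF record")
    all_qualifier, mechanisms = None, []
    for term in record.split()[1:]:
        qualifier, body = "+", term          # SPF mechanisms default to '+' (pass)
        if term[0] in "+-~?":
            qualifier, body = term[0], term[1:]
        if body.lower() == "all":
            all_qualifier = qualifier
        else:
            mechanisms.append(body)
    return {"all": all_qualifier, "mechanisms": mechanisms}


def parse_dmarc(record: str) -> dict:
    """Split a DMARC record into its tag=value pairs (keys lower-cased)."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.strip().split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    return tags


def assess(spf_record, dmarc_record) -> list:
    """Return a list of findings; an empty list means no weakness was spotted."""
    findings = []
    if not spf_record:
        findings.append("no SPF record")
    else:
        spf = parse_spf(spf_record)
        if spf["all"] in (None, "+", "?"):
            findings.append(f"SPF does not reject unlisted senders (all qualifier: {spf['all']!r})")
        elif spf["all"] == "~":
            findings.append("SPF softfail (~all): spoofed mail may still be delivered")
    if not dmarc_record:
        findings.append("no DMARC record")
    else:
        dmarc = parse_dmarc(dmarc_record)
        if dmarc.get("p", "none").lower() == "none":
            findings.append("DMARC policy is 'none': spoofed mail is reported but not blocked")
        pct = int(dmarc.get("pct", "100"))
        if pct < 100:
            findings.append(f"DMARC policy applies to only {pct}% of mail")
        if "rua" not in dmarc:
            findings.append("no DMARC aggregate reporting address (rua), so spoofing goes unnoticed")
    return findings


if __name__ == "__main__":
    for label, spf, dmarc in (("weak", WEAK_SPF, WEAK_DMARC), ("strong", STRONG_SPF, STRONG_DMARC)):
        print(label, assess(spf, dmarc) or ["no findings"])
```

The weak pair produces two findings (the SPF softfail and the `p=none` policy) while the strong pair produces none; moving a domain from the first configuration to the second is the practical content of the “anti-spoofing controls” recommendation.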

What is it? Attackers attempt to guess usernames and passwords by trying many different combinations until one works. A wide range of techniques is used, including artificial intelligence (AI) to try a large number of combinations in a short period of time, or common phrases and previously leaked passwords to gain unauthorised access systematically. A recent digital defence report by Microsoft indicated that it experienced 11,000 brute force attacks per second in April 2023 alone.


How best to protect against it? Avoid passwords containing relevant or personal information; unique passwords for different accounts; CAPTCHA to mitigate against automated password guessing attempts; disable unused accounts.
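To show how two of these protections look in practice, the following Python example (added here; it is not code from the ICO Report or from Microsoft) implements a login guard that locks an account after repeated failures, and a small scan over authentication log lines that picks out a source address failing against many different accounts, the usual sign of password spraying. The credential store, the lockout values (`MAX_FAILURES`, `LOCKOUT_SECONDS`) and the log lines are constructed for the example.

```python
"""Throttle repeated failed logins and spot password spraying in auth logs.

Added example for this article, not code from the ICO Report. The
credential store, lockout numbers and log lines are constructed samples.
"""
import hashlib
import hmac
import re
from collections import defaultdict

MAX_FAILURES = 5         # failed attempts per account before lockout (assumed policy)
LOCKOUT_SECONDS = 900    # lockout window in seconds (assumed policy)
PBKDF2_ROUNDS = 100_000  # slow hash so offline guessing is expensive as well


def make_record(password: str, salt: bytes) -> tuple:
    """Build a (salt, hash) record; the demo store keeps one per user."""
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


class LoginGuard:
    """Counts failures per account and refuses logins during a lockout window."""

    def __init__(self, credentials: dict):
        self._creds = credentials            # username -> (salt, hash)
        self._failures = defaultdict(int)
        self._locked_until = {}

    def _password_ok(self, user: str, password: str) -> bool:
        salt, expected = self._creds[user]
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        return hmac.compare_digest(digest, expected)

    def attempt(self, user: str, password: str, now: float) -> str:
        """Return 'ok', 'denied' or 'locked'. `now` is a Unix timestamp."""
        if now < self._locked_until.get(user, 0):
            return "locked"              # even a correct password is refused while locked
        if user in self._creds and self._password_ok(user, password):
            self._failures[user] = 0
            return "ok"
        self._failures[user] += 1        # unknown users are counted too, to avoid enumeration
        if self._failures[user] >= MAX_FAILURES:
            self._locked_until[user] = now + LOCKOUT_SECONDS
            self._failures[user] = 0
        return "denied"


# Constructed auth log: one source cycles through many accounts (spraying),
# another is a single user who mistyped once and then logged in normally.
SAMPLE_LOG = """\
2024-06-01T10:00:01Z auth FAIL user=alice src=203.0.113.7
2024-06-01T10:00:02Z auth FAIL user=bob src=203.0.113.7
2024-06-01T10:00:03Z auth FAIL user=carol src=203.0.113.7
2024-06-01T10:00:04Z auth FAIL user=dave src=203.0.113.7
2024-06-01T10:00:05Z auth FAIL user=alice src=198.51.100.4
2024-06-01T10:00:09Z auth OK user=alice src=198.51.100.4
"""

LOG_RE = re.compile(r"^(?P<ts>\S+) auth (?P<result>FAIL|OK) user=(?P<user>\S+) src=(?P<src>\S+)$")


def find_spray_sources(log_text: str, min_users: int = 3) -> dict:
    """Return {source: [users]} for sources that failed against at least
    `min_users` distinct accounts, the signature of password spraying."""
    targets = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and m.group("result") == "FAIL":
            targets[m.group("src")].add(m.group("user"))
    return {src: sorted(users) for src, users in targets.items() if len(users) >= min_users}


if __name__ == "__main__":
    guard = LoginGuard({"alice": make_record("correct horse battery", b"demo-salt")})
    for t in range(5):
        print("attempt", t, guard.attempt("alice", "wrong", now=t))
    print("retry while locked:", guard.attempt("alice", "correct horse battery", now=100))
    print("after lockout:", guard.attempt("alice", "correct horse battery", now=1000))
    print("spraying sources:", find_spray_sources(SAMPLE_LOG))
```

Per-account lockout on its own does not stop spraying, because the attacker tries one password against many accounts and never trips the per-account counter; that is why the second function looks across accounts by source address, which is the kind of monitoring the ICO’s “act when unusual activity is identified” point asks for.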

What is it? A DoS attack seeks to prevent a website or network from working as intended by flooding it with extreme levels of network traffic so that the system is overloaded. This can also take the form of a distributed denial of service (DDoS) attack, which overloads the system in the same way but from many connected devices at once, making the attack much harder to stop and to withstand. Usually, an attacker will carry out a DoS attack for monetary gain or for social or political reasons. Indications of a DoS attack include exceptionally slow network speeds, website pages not loading, or loss of connectivity. The Financial Conduct Authority (FCA) has reported that DDoS attacks accounted for 25% of hacking incidents reported to the FCA in the first 6 months of 2022, compared to just 4% in the same timeframe in 2021.


How best to protect against it? Implement services that can recognise legitimate increases in network traffic versus irregularities from possible attacks; regularly check firewalls and routers to ensure they are properly configured; frequently test business continuity and disaster plans.

What is it? An organisation is attacked via compromised products or services provided to it by a supplier – leading to a potential breach of the organisation’s own systems. It shows the dangers of trusting third party suppliers without appropriate due diligence.


How best to protect against it? Implement a supply chain risk management programme to review, monitor and manage systems and processes throughout the organisation’s supply chain; be fully aware of what information is shared with suppliers and how it is processed; carry out proper due diligence on potential new suppliers to ensure they have appropriate security measures; regularly review/audit existing suppliers.

How likely is this? The ICO Report reinforces the role humans themselves play in facilitating an attack or breach through failing to act or carrying out an action incorrectly. A 2023 Verizon data breach report indicated that 74% of all breaches involve a human element (including for all types of attacks we have already outlined above). The ICO Report also identifies misconfigurations by humans as some of the most damaging errors causing data breaches. This includes security configurations that are poorly maintained or set up incorrectly (for example, leaving security controls on their defaults rather than adapting the settings to the organisation’s needs). Misconfigurations can give attackers the opportunity to access systems and servers, disable poorly kept security controls and exfiltrate data with little resistance.

How best to protect against it? Adopt a security by design approach; test security procedures before they are added to live environments; educate staff on why mistakes happen and how best to manage controls; multiple quality control checks and security approval systems involving at least two people; act on system warnings or required updates and fixes as soon as possible.


Looking forward - what this means for you

There is a growing need for organisations to take information security more seriously. It is becoming increasingly apparent that ‘generic’ advice and solutions will not be sufficient – organisations need to truly understand their own specific information security weaknesses and act accordingly to address those weaknesses and reinforce their protection as soon as possible.

It is also important to recognise that methods of cyber attack are constantly evolving and developing – and organisations need to ensure they evolve to respond accordingly. For example, the threat of phishing emails will continue to rise as AI develops – large language models, such as ChatGPT, are being used to facilitate phishing scams (removing tell-tale signs such as poor spelling and grammar), while there has also been an increase in the use of voice cloning and ‘deepfake’ videos to impersonate individuals known to the attacker’s target. Brute force attacks are also benefiting from new techniques that can bypass fingerprint-based authentication by exploiting weaknesses in the smartphone fingerprint authentication framework.

Every coin has two sides. AI and machine learning are also being relied upon to improve defences from cyber attacks. For example, machine learning is now used to learn network traffic patterns to detect anomalies with traffic frequency – and, therefore, react quickly to a DoS attack. It is imperative for organisations to keep abreast of these developments so there is a clear understanding of what new issues they may face, and what innovative solutions might mitigate the threats posed by a cyber attack.
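The DoS section above recommends services that can tell legitimate traffic increases from the irregularities of an attack, and this paragraph notes that learned traffic patterns are now used to detect such anomalies. The following Python example, added here and not taken from the ICO Report, the FCA figures or any product, shows the simplest version of that idea: learn a robust baseline (median and median absolute deviation) from a window of normal per-second request counts, flag only sustained excursions above it so that a single busy second is not treated as an attack, and measure how concentrated the traffic is by source to distinguish one flooding client from a distributed attack. All traffic counts and source addresses are constructed.

```python
"""Flag request floods against a baseline learned from normal traffic.

Added example for this article; not code from the ICO Report. The
per-second request counts and source addresses below are constructed.
"""
import statistics
from collections import Counter

# Constructed: a window of normal traffic (requests per second)
NORMAL_TRAFFIC = [95, 102, 99, 104, 98, 101, 97, 103, 100, 96, 102, 99]

# Constructed: a live window with a one-off blip at index 2 and a flood at 5..8
LIVE_TRAFFIC = [101, 98, 140, 103, 99, 4200, 5100, 4900, 5300, 102, 100]

# Constructed: source addresses for two floods, one from a single client and
# one spread evenly over 50 clients (DDoS-style)
SINGLE_SOURCE = ["198.51.100.9"] * 1000
MANY_SOURCES = ["203.0.113.%d" % (i % 50) for i in range(1000)]


def build_baseline(counts):
    """Learn a robust centre and spread (median and scaled MAD) from good traffic."""
    median = statistics.median(counts)
    mad = statistics.median(abs(c - median) for c in counts) or 1.0
    return median, 1.4826 * mad   # MAD scaled to a standard-deviation equivalent


def detect_floods(counts, baseline, k=8.0, min_run=3):
    """Return (start, end) index ranges where the rate stays above
    median + k*sigma for at least `min_run` consecutive seconds.
    Shorter blips are ignored: a busy second is not a denial of service."""
    median, sigma = baseline
    threshold = median + k * sigma
    runs, start = [], None
    for i, c in enumerate(counts):
        if c > threshold:
            if start is None:
                start = i
        else:
            if start is not None and i - start >= min_run:
                runs.append((start, i - 1))
            start = None
    if start is not None and len(counts) - start >= min_run:
        runs.append((start, len(counts) - 1))
    return runs


def top_source_share(sources):
    """Fraction of requests from the single busiest source: near 1.0 means one
    flooding client that can simply be blocked, a small value means many
    sources and therefore a distributed attack needing upstream filtering."""
    if not sources:
        return 0.0
    busiest, count = Counter(sources).most_common(1)[0]
    return count / len(sources)


if __name__ == "__main__":
    baseline = build_baseline(NORMAL_TRAFFIC)
    print("baseline median/sigma:", baseline)
    print("sustained floods at:", detect_floods(LIVE_TRAFFIC, baseline))
    print("single-client share:", top_source_share(SINGLE_SOURCE))
    print("distributed share:", top_source_share(MANY_SOURCES))
```

With the constructed data the baseline is a median of 99.5 requests per second with a scaled spread of about 3.7, so the threshold is roughly 129; the blip of 140 at index 2 is ignored because it lasts one second, while the run at indices 5 to 8 is reported as a flood. A production system would learn the baseline per time of day and per endpoint, but the logic of comparing live traffic to a learned pattern is the same.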

In the meantime, the ICO Report highlights a handful of clear actions to prevent organisations falling into the trap of what the ICO describes as “entirely avoidable” cyber related data breaches:

  • use multi-factor authentication to secure external connections;

  • monitor systems and act when unusual/unexpected activity is identified;

  • use strong and unique passwords on internal accounts – particularly for privileged or admin accounts;

  • properly audit cybersecurity defences and remedy any known weaknesses as soon as possible (and within 14 days for any critical gaps that require patches); and

  • act on alerts received from endpoint protection software (anti-malware/virus), and conduct further checks after any malware has been removed.

If you would like to discuss any of the topics mentioned in this article, please do get in touch with our team.

This publication is intended for general guidance and represents our understanding of the relevant law and practice as at June 2024. Specific advice should be sought for specific cases. For more information see our terms & conditions.

Written by

Junior Mbulu

Date published

10 June 2024
