Lessons for businesses from the London Borough of Hackney
The London Borough of Hackney (LBoH) has been reprimanded by the Information Commissioner’s Office (ICO) following a cyber attack they suffered in October 2020.
The breach, which saw hackers access and encrypt 440,000 files, disrupted services for months and exposed sensitive data. LBoH acknowledged that the attack ‘posed a meaningful risk of harm’ to 230 data subjects.
LBoH have taken remedial steps since the attack and the ICO have, as a result of their positive actions, taken the decision to issue a reprimand rather than impose a fine. However, there are several lessons businesses can learn from this breach that will help to protect their own digital assets and customer information.
Here are five:
- Vigilance Against Dormant Accounts: One major vulnerability exploited during the attack was a dormant account with an insecure password. Therefore, regularly auditing user accounts and ensuring that any inactive accounts are disabled or removed promptly is key. Of course, weak or default passwords should be avoided at all costs.
- Timely Security Patches: The investigation revealed that LBoH failed to maintain an active security patch management system across all devices. Regularly updating software and systems to patch vulnerabilities is essential in preventing cyber attacks. Business owners should ensure they have a consistently applied process to make sure their systems aren't left outdated.
- Robust Backup Systems: Hackney’s attackers managed to delete 10% of the council’s backups before they were stopped. This underlines the need for an effective backup strategy that includes multiple backup copies stored in different locations. Businesses need to have a backup restoration process that is tested regularly to make sure it works. This ensures that, in the event of an attack, data can be restored quickly and completely.
- Response and Remediation Plans: Following the attack, LBoH engaged with national authorities like the NCSC, the NCA, and the Metropolitan Police, and took swift action to inform residents and mitigate harm. A detailed incident response plan can help business owners to respond in an organised and prompt way if they experience a data breach. The plan needs to include notifying the affected parties and engaging with cybersecurity experts to manage the aftermath of an attack.
- Continuous Improvement and Training: Since the attack, Hackney has adopted a ‘zero trust’ model and improved its processes. In the same way, business owners need to continuously evaluate and upgrade their security measures.
Employee training on recognising phishing attempts and other common threats is also straightforward to implement but can be a crucial part of your defence. Stephen Bonner, Deputy Commissioner at the ICO, emphasised the importance of avoiding simple security mistakes, noting that breaches often result from basic oversights. Proper training and regular reminders can significantly reduce the risk of these happening.
Taking these lessons seriously can help ensure your cybersecurity strategies are robust, comprehensive, and regularly updated. By doing so, you can better protect your data, avoid the costly repercussions of a cyber attack and the impact such an attack may have on customer trust.
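The first lesson above, auditing for dormant accounts, is the kind of check that can be automated against a directory export. The script below is an added illustration, not code from the article or from Hackney; the account records, the reference date and the 90-day and 365-day thresholds are all constructed assumptions, and a real deployment would read the export from your identity provider instead.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

# Policy thresholds: assumed values for illustration, not taken from the ICO report.
INACTIVE_DAYS = 90
PASSWORD_MAX_AGE_DAYS = 365


@dataclass
class Account:
    username: str
    enabled: bool
    last_login: Optional[date]   # None means the account has never logged in
    password_set: date           # when the password was last changed
    privileged: bool = False     # admin or service account


def audit_accounts(accounts: List[Account], today: date) -> Dict[str, List[str]]:
    """Return {username: [reasons]} for every enabled account that needs review."""
    findings: Dict[str, List[str]] = {}
    for acc in accounts:
        if not acc.enabled:
            continue  # already disabled, so no exposure
        reasons = []
        if acc.last_login is None:
            reasons.append("never logged in")
        elif (today - acc.last_login).days > INACTIVE_DAYS:
            reasons.append(f"dormant: last login {(today - acc.last_login).days} days ago")
        if (today - acc.password_set).days > PASSWORD_MAX_AGE_DAYS:
            reasons.append("password older than policy")
        if reasons and acc.privileged:
            reasons.append("privileged account: disable first")
        if reasons:
            findings[acc.username] = reasons
    return findings


# Constructed sample directory export (not real Hackney data).
TODAY = date(2024, 8, 1)
SAMPLE = [
    Account("j.smith", True, date(2024, 7, 30), date(2024, 3, 1)),
    Account("contractor01", True, date(2023, 11, 4), date(2022, 1, 10)),
    Account("svc-backup", True, None, date(2021, 5, 5), privileged=True),
    Account("old-intern", False, date(2022, 2, 2), date(2022, 1, 1)),
]

if __name__ == "__main__":
    for user, reasons in audit_accounts(SAMPLE, TODAY).items():
        print(f"{user}: {'; '.join(reasons)}")
```

Run on a schedule, the output becomes the review list for disabling or removing accounts, with privileged dormant accounts handled first.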
We know it’s hard, but…
The problem with some of these recommendations is that they require a certain level of technical knowledge, or confidence, to implement. If you don't have that knowledge, it can be hard, when you're also juggling the day-to-day, to be motivated enough to make the necessary decisions.
That’s where you may need an external IT advisor who can support you.
Finding one may require an investment of time and cash, but it can be planned for and conducted on your terms. A cyber attack won’t be as convenient, and may well be enormously damaging to your business, so we’d strongly recommend making the time in advance, rather than being forced to deal with the implications later.