Employees should report any suspicious emails rather than delete them and firms must step up their vigilance against cyber-attacks in the face of a heightened threat from Russian hackers, the UK’s data watchdog has said.
John Edwards, the information commissioner, said a new era of security had begun where instead of blacking out windows, people needed to maintain vigilance over their inboxes.
Experts including the UK’s cybersecurity agency have said Russian hackers could target Britain, and the imposition of sanctions by London on Moscow has increased those fears.
Asked about the potential for a Russia-Ukraine cyber conflict spreading to the UK, Edwards said: “We have picked up on that heightened threat environment and we think it’s really important to take the opportunity to remind businesses of the importance of security over the data that they hold. This is a different era from blacking out the windows and keeping the lights off. The threats are going to come in through your inbox.”
Edwards said that outside the Ukraine conflict and the warnings it had brought of a heightened security threat, the Information Commissioner’s Office had seen a “steady and significant” increase in cyber-attacks against UK businesses over the past two years.
Between July and December last year the ICO recorded 1,345 “cybersecurity incidents”, including ransomware attacks, where attackers encrypt a target’s computers and demand payment, typically in cryptocurrency, to decrypt them, and phishing attacks, where the victim is tricked, often via email, into downloading malware or handing over their login details. This represented an increase of nearly 20% on the same period in 2019, according to the ICO data.
“They may be from state actors as part of an offensive or they may be organised crime or they may be some nuisance vandal hackers. It doesn’t matter. What we need to keep doing is, with the NCSC [National Cyber Security Centre] and the National Crime Agency, amplify the message that cybersecurity is not a question of do it once and forget it. It’s about all-the-time vigilance.”
Edwards said the ICO had yet to see warnings of Russian cyber retaliation for UK support of Ukraine come to fruition, but companies should check their cybersecurity, including reminding employees to report suspicious emails rather than just deleting them. The NCSC said before the Russian invasion began that UK firms should “build resilience and stay ahead of potential threats”.
“I haven’t seen those threats being realised,” Edwards said. “But it is a time for vigilance, for checking security settings and making sure those servers are patched and up to date, reminding staff of basic email hygiene and of scepticism to phishing attacks. And of the need not just to curl your lip and hit delete but to notify your IT department and get these things blocked so one of your colleagues doesn’t inadvertently open the organisation to a vulnerability.”
Edwards, who was New Zealand’s privacy commissioner before moving to the UK, said companies could be exposed to penalties, which can include multimillion-pound fines, if they did not take adequate measures against attacks.
The ICO’s remit is to help ensure organisations protect people’s data while enforcing data protection regulation. “If it’s the equivalent of leaving the front door open with a whole lot of other people’s stuff inside, really for anyone to walk away with, then we’ll maybe look at the regulatory options that we have and the penalties that are available,” Edwards said.