Red Mosquito - Blog

The Information Commissioner’s Office (ICO) has fined British Airways (BA) £20m for failing to protect the personal and financial details of more than 400,000 of its customers. This eye watering sum is actually far less than the original fine they faced of £183m. The ICO has reduced the fine saying they are taking the economic impact of Covid into account.  There are lessons to be learned, for businesses of all sizes, from the cyber-security weaknesses which enabled this attack to succeed.

BA was the target of a cyber-attack in 2018 but only became aware of the issue 2 months later when it was identified by an independent 3rd party. The ICO found that BA were processing personal data without having adequate security measures in place. As we all know, GDPR stipulates that organisations must have “appropriate technical and organisational measures in place” to protect data. BA ought to have identified and addressed the cyber security weaknesses. In addition, ICO investigators were seriously concerned that BA was not aware that it had been attacked. Interestingly, the weaknesses identified would most likely have been addressed by certification to the UK’s Cyber Essentials Scheme.

In BAs case some of the actions they could have taken to prevent the attack include:

· Access Control – limiting access to applications, data and tools to only that which are required to fulfil a user’s role

· Penetration Testing – undertaking rigorous testing, in the form of simulating a cyber-attack, on the business’ systems;

· Multi Factor Authentication – protecting employee and third party accounts with multi-factor authentication.

These measures are neither complex nor expensive to implement. In fact, all would be addressed during the process of certification to Cyber Essentials. Our previous blogs give a great overview of the scheme.  Certification ensures the basic cyber-security controls are in place. Implemented corrected these would prevent the vast majority of cyber attacks. We strongly advise all of our IT Support customers in Glasgow and Edinburgh to get Cyber Essentials in place. It will protect your data and help you avoid cyber attacks & the hefty fines which may follow.

As an outsourced IT provider, we support all of our IT Support customers to ensure they have the correct cyber-security measures in place. We always recommend a multi-layered approach to cyber-security. If you would like to speak to one of our IT consultants about your cyber security needs or Cyber Essentials certification – just contact us today.