The ICO exists to empower you through information.

There is no single solution to security. The principles that are embedded in our guidance, and guidance from the NCSC, can help reduce the probability of an attack occurring or reduce its severity. However, there is no guarantee that systems and people won’t be affected. You should still document and test your plans for incident response, business continuity, and disaster recovery.

As set out in the guidance referenced within this document, if your security is breached, you must consider the nature of the information (the level of sensitivity) and the risk of harm. You must balance security against the nature of any processing, to determine if your proposed or current security measures are enough to minimise harm to people.

This review examines several case studies, but of course different organisations will have different challenges. You may need to implement different measures to those of other organisations, depending on the level of risk.

You should not benchmark yourself against other organisations, even if they appear to have a similar structure or provide similar services. You will have your own mission and objectives. You should assess your current state against your target state. The best baseline for measuring your performance is your own.

During our review, we observed that is also important to appreciate the importance of governance and ensure that resources with appropriate skills are available. The NCSC encourages boards to take a more proactive approach to overseeing cyber risks within their organisations. Bodies, such as the UK Cyber Security Council, set standards for practitioners across the sector in support of the UK Government’s National Cyber Security Strategy, to make the UK the safest place to live and work online. You must have organisational controls, in addition to physical and technical measures.

Key take aways

Our enforcement information has shown that we investigate cyber related data breaches which are often entirely avoidable.

If you have large volumes of personal information, then you must consider how to remedy or mitigate potential threats to security in your risk assessment.

We have taken enforcement action against organisations who have failed to:

  • secure external connections without multi-factor authentication (MFA);
  • log and monitor systems, and act when there is unexpected exfiltration or there are unexpected RDP connections from the internet;
  • act on alerts from endpoint protection, such as anti-malware or anti-virus. This includes when there has been successful removal of malware, as the possibility of advanced persistent threat (APT) exists;
  • use strong passwords on internal accounts or use unique passwords across multiple accounts, or both. In particular, for privileged, administrator or service accounts; and
  • mitigate against known vulnerabilities, applying critical patches within 14 days, where possible. Our information evidences breaches where organisations have failed to address known vulnerabilities for more than a year, in some cases, many years.


Further reading

Further support

The NCSC provide a free check service for UK organisations. It carries out a range of simple online checks to identify common vulnerabilities in your public-facing IT. All checks are remote, do not require you to install software, and use the same kind of publicly available information as criminals use to find easy targets.