End-of-Life Systems Heighten Cyber Attack Risk

Is your company’s software out-of-date? If so, your business may be exposed to a significant risk of cyber-attack, not to mention a huge fine and reputational damage. Nothing lives for ever – and allowing software to go beyond its ‘end-of-life’ date should not happen if robust procedures are in place.

The Information Commissioner’s Office (ICO) recently imposed a £4.4m fine on construction and support services giant, Interserve Group, for major data protection breaches stemming partly from out-of-date software. The information compromised was personal information of company staff.

Interserve’s systems had failed to block or quarantine a phishing email sent to an employee at Interserve Construction Ltd, who sent it on to a colleague. The colleague opened it and malware was installed on their workstation, giving the cyber attacker access to the company systems and information.

The malware itself was quarantined but the company’s information security team did not properly investigate when it received an alert; and Interserve took no further action at the time to verify that all malware had been removed. The attacker still had access to the employee's workstation, launched a series of attacks and uninstalled the company’s anti-virus solution – with the result that the personal data of around 113,000 current or former employees was encrypted and rendered unavailable (this included special category data).

End of life

A key issue the ICO identified related to Interserve’s unsupported operating systems, which had gone beyond their end-of-life date and were therefore no longer receiving security updates that fixed known vulnerabilities. The company ought to have known of the risks of running outdated systems and had not carried out formal risk assessments on using unsupported operating systems on its data processing servers.

Also, there was no appropriate endpoint protection (ie of laptops, mobile devices and desktops); no evidence of penetration testing in the two years before the data breach; and one of the two recipients of the phishing email had not even had data protection training.

What does this mean?

It’s easy to read about regulatory sanctions imposed on other companies and fail to notice the risks on your own doorstep. These incidents should always prompt businesses to carefully review their existing policies and procedures to ensure they are robust and fit for purpose - and take steps to minimise any risks identified.

Having token security measures in place is insufficient (Interserve did have some security measures in place but these were described as ‘negligent’ by the ICO). Businesses should have a GDPR-compliant information security programme.

The ICO describes this as a set of technical and organisational measures which ensure a level of security appropriate to the known risks, “taking into account the state of the art, costs of implementation and the nature, scope, context and purpose of the processing it performs”.

For Interserve, the failure to implement such measures exposed employees’ personal data to serious risks. Businesses – take note and act!

If you would like us to cover an issue in the next NGM Tax Law Newsletter, we would be pleased to hear from you.