Cisco UK & Ireland Blog

Lost & Fined: Lost data is fuelling more ICO fines than ransomware

December 13, 2022

Since the pandemic our use of computers has changed radically. Hybrid working practices are here to stay. Employees are now working from the office, from home and everywhere in between. This freedom has brought many advantages, notably to people with caring responsibilities, but it is not without its downsides.

Cisco Talos is the threat intelligence and security research organisation of Cisco. As one of the largest threat intelligence organisations in the word, it is difficult for threat actors to escape our global visibility, but not every threat is necessarily malicious.

The spread of fast wireless internet access, the increase in the portability and battery life of devices have helped enable hybrid working practices and the change of employees’ use of technology. However, the data protections deployed by organisations have not necessarily kept pace. Data from the ICO reveals that organisations may be under-prioritising the risks associated with the physical security of devices.

The data reveals that 11% of all breaches reported in the last two years in the UK were due to “loss/ theft of device or data left in insecure location.” In comparison, 6% of the breaches were driven by ransomware attacks. In the past two years there has only been one ICO fine issued for a ransomware breach, whereas £26.1 million worth of ICO fines were issued due to physical theft or loss of data*.

Hybrid work inevitably risks the loss of devices in transit and the theft of devices from workplaces outside the home or office. We are all susceptible to the risk of leaving a laptop on the train or bus, no matter how conscientious or security conscious we may think we are. Human error is part of being human.

Information security needs to encompass the full lifecycle of data, including considering when (and where) data is in transit and at rest. As employees adopt hybrid working, people and devices will be moving between locations. Equally, people will choose to work from shared spaces that have not traditionally been considered as work locations, such as pubs or parks. Inevitably, some devices will be lost or stolen.

Fortunately, we can foresee these issues and deploy appropriate security protections. Laptops should be encrypted by default so that even if an attacker gains access to the device they cannot access any stored data held on the system. Additionally, keeping data in the cloud ensures that security teams can monitor and control who has access to what data and under what circumstances.

Zero-trust practices imply that users must identify themselves using multi-factor authentication. This means that even if an attacker steals an unlocked, unencrypted device they would still be unable to access confidential data because they would fail authentication checks. The visibility by security teams of access to data held in the cloud means that teams can prove that data has not been illegally accessed.

The way we are working is changing. In turn, the risks our organisations face are changing too. Considering the nature of these risks and deploying the appropriate controls and mitigations to manage these risks means that we are less likely to become part of data loss statistics. Attacks due to sophisticated, well resourced state-sponsored threat actors are always likely to lead the headlines, but we can’t ignore human nature, and the mundane inevitability that one of our users will eventually leave their laptop on the bus.

*This is based on publicly available ICO data sourced via Freedom of Information requests for the period Q4 2020 – Q4 2022 in the UK only.

Leave a comment