Avoiding the Next NHS Breach: The Critical Need for Multi-Factor Authentication and More

“The UK Information Commissioner’s Office (ICO, the data protection and information rights regulator) today announced its intention to fine the Advanced Computer Group £6.09 million” – Security Week

What happened?

The above announcement is in response to a ransomware attack on the National Health Service (NHS) in August 2022. This attack led to the exfiltration of personal details of nearly 83,000 patients and disrupted many non-emergency call services. As part of this breach, information on how to access the homes of nearly 900 patients receiving home care was taken.

The ICO publicized its intention to fine to highlight the serious failure of Advanced Computer Group’s approach to information security.

Three key takeaways:

  1. Supply Chain / IT Service Providers: Companies must do their research and assess third-party vendors before signing a contract. The IT service provider in this case was not following basic IT security practices, which is what allowed the exfiltration of sensitive data. Prepare a standardized set of questions for evaluating new products or vendors so you can confirm they meet your minimum compliance requirements.
  2. Compliance: There are numerous frameworks that provide security recommendations on how best to secure your IT systems and data, including NIST 800-53, NIST 800-171, ISO/IEC 27001, CIS Controls, SOC 2, and GDPR. Choose one and commit to it. They are broadly similar and provide baseline configurations for securing your information.
  3. Multi-factor authentication (MFA): MFA is critical and significantly strengthens the security of your accounts. If it is not already a requirement at your organization, it should be. If it is not a requirement at your financial institution, enable it immediately. If an attacker steals your credentials, they will still need the additional authentication factor (e.g., a code sent to or generated on your phone) to gain access.

Need help strengthening your cyber defenses? I can help! Feel free to reach out to me: https://danielelice.com/contact/
