SME businesses should now be alert to the fact that fines are being issued to companies that fail to meet their legal obligations on cyber risk and cyber security risk protection.
The Information Commissioner's Office (ICO) recently issued a fine of £60,000 to the UK company Boomerang Video Ltd for failing to operate its business website securely, after 26,331 encrypted cardholders' details and CVV numbers were accessed through a WordPress area of the website. Careless, basic passwords based on a dictionary word relating to the company's name were used to protect the area, and a coding error within that area allowed a hacker to gain access through an SQL injection.
In its investigation the ICO found several ways in which Boomerang Video Ltd had operated inadequately, including failing to carry out regular tests on the website, failing to use strong passwords, failing to encrypt highly sensitive information and failing to keep the decryption key secure; in addition, cardholder details that were no longer required were still stored on the server.
The ICO has made an example of this case to other businesses and has warned how serious a responsibility companies carry to protect data securely.
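Two of the failings described above, input reaching an SQL query untested and a password built from a word tied to the company name, are easy to show side by side. The Python below is an added example written for this article; it is not code from Boomerang Video's site or from WordPress. The table, column names, sample rows and the company word list are constructed for the demonstration.

```python
import sqlite3


# Constructed in-memory database standing in for a site's order table.
# Table and column names are assumptions for this example only.
def build_demo_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE orders (order_ref TEXT, cardholder TEXT)")
    conn.executemany(
        "INSERT INTO orders VALUES (?, ?)",
        [("BV-1001", "A. Customer"), ("BV-1002", "B. Customer")],
    )
    return conn


def lookup_vulnerable(conn, order_ref):
    # Defect: the caller's input is spliced into the SQL text, so the input can
    # rewrite the query. A test string such as  x' OR '1'='1  returns every row.
    sql = ("SELECT cardholder FROM orders WHERE order_ref = '%s' "
           "ORDER BY order_ref" % order_ref)
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterised(conn, order_ref):
    # Fix: the driver binds the value separately from the SQL text, so the
    # input is only ever compared as data and the same test string matches nothing.
    sql = "SELECT cardholder FROM orders WHERE order_ref = ? ORDER BY order_ref"
    return [row[0] for row in conn.execute(sql, (order_ref,))]


# Constructed list of words an attacker would try first against this company:
# anything derived from the trading name. Extend with a common-password list.
COMPANY_WORDS = ["boomerang", "video", "boomerangvideo"]


def password_rejected(password, company_words, min_length=12):
    """Return the reason a password fails the policy, or None if it passes."""
    if len(password) < min_length:
        return "too short"
    lowered = password.lower()
    for word in company_words:
        if word.lower() in lowered:
            return "contains a word related to the company name"
    return None


if __name__ == "__main__":
    db = build_demo_db()
    probe = "x' OR '1'='1"
    print("vulnerable:", lookup_vulnerable(db, probe))      # both rows leak
    print("parameterised:", lookup_parameterised(db, probe))  # []
    print(password_rejected("Boomerang2017", COMPANY_WORDS))
```

The parameterised lookup is the one change that removes the injection class entirely; it does not depend on spotting every dangerous character. The password check is deliberately a blocklist on company-derived words plus a length floor, which is what the ICO's finding actually turned on, rather than a character-class rule.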
Businesses are not up to scratch with cyber security risk protection
This comes at a time when statistics reveal that SME businesses are still not up to scratch on cyber security risk, with several businesses failing to meet standard requirements for managing cyber risk.
The consensus is that directors and departmental managers need to take responsibility for training staff and protecting systems. Running up-to-date software, complex password protection, good-quality firewalls and patching networks are just some of the steps that create a more secure environment for staff and customers.
For further information on cyber risk and cyber security, and to cover cyber security risk within your business, please contact our cyber security insurance team. By defining the day-to-day activities of your business and the IT equipment used in your business processes, we can define the correct type of cyber security risk insurance cover.