The ICO exists to empower you through information.

In 2014, we published the “Protecting personal data in online services: learning from mistakes of others” paper. Over the last decade more of our personal information has moved into the digital world and we have continued to empower people and organisations to improve their security by issuing up-to-date guidance and advice.

The General Data Protection Regulation (GDPR), updated Data Protection Act 2018 (DPA), and the proposed Data Protection and Digital Information (DPDI) Bill are still based around the same eight principles of “good information handling”. These provide an overview of people’s specific rights about their personal information and organisations’ obligations when they are processing it. The Network and Information Systems (NIS) Regulations also require Operators of essential services (OES) and relevant digital service providers (RDSPs) to implement security measures.

There is a large amount of guidance from different sources around security, and this can sometimes make it difficult to know which guidance to rely on. We recognise that the National Cyber Security Centre (NCSC) is the technical authority on cyber security in the UK. We have drawn upon their existing resources to highlight the most significant threats to securing information and safeguarding people.

Cyber security is a crucial part of protecting information and it is important to note that security breaches frequently lead to information breaches. If personal information is at risk, you may need to report the breach to us within 72 hours.

Ten years on from our original publication, our security incident trend information shows cyber threats not only continue to exist but increase year-on-year. We aim to ‘empower and inform’ organisations, and this review intends to support you in improving your knowledge of common security pitfalls. We believe that better transparency benefits not only specific organisations but society. So with that in mind, we want organisations to learn from the mistakes of others by understanding what common security control failures led to breaches. This should help you to put mitigating controls in place or take preventative measures before you experience your own breach.

We have summarised several case studies from our regulatory activities to illustrate some commonly encountered issues and highlight where lessons might be learnt. These are not a full representation of the case and we have linked to the relevant monetary penalty notice or reprimand for further information.

Whilst ransomware remains one of the most common incident types, we have already provided comprehensive guidance for it. Therefore, this review will focus on other main causes of security breaches:

  • Phishing
  • Brute force attacks
  • Denial of service
  • Errors
  • Supply chain attacks

This guide summarises:

  • what each of these attack types are;
  • how they take place;
  • some key principles to consider when trying to mitigate or reduce the level of harm from a security breach, based on our review; and
  • possible developments that might impact these categories in the future.

There are no silver bullets for information security. You should consider the nature of your activities when deciding what is appropriate for your organisation. Getting the correct foundational controls in place is key, as is taking a layered approach to your security, so that if one control fails, another mitigating control is already in place.

Further reading

An overview of the main legal provisions and relevant guidance:

Who is this aimed at?

This review might help you gain insights but is not intended as guidance. It is aimed at someone who is responsible for compliance with data protection legislation, or for managing information security, or both. It is primarily focused on organisational security. However, where applicable, we also mention what we found in our review about steps which people might take for their own security. This review assumes a basic level of knowledge; it does not replace any of our existing guidance or technical guidance from the NCSC, which is referred to throughout.