This month, Carphone Warehouse was fined £400,000 by the Information Commissioner’s Office after the company’s failure to secure their systems led to a cyber attack. The records of millions of customers and hundreds of staff members – which included financial information – were left vulnerable to the hackers.
The fine levied was so large because: “A company as large, well-resourced and established as Carphone Warehouse should have been actively assessing its data security systems, and ensuring systems were robust and not vulnerable to such attacks. Carphone Warehouse should be at the top of its game when it comes to cybersecurity, and it is concerning that the systemic failures we found related to rudimentary, commonplace measures.”
In other words, Carphone Warehouse’s duty of care to their customers was absent and the Commissioner was right to set an example.
The question then is, how can a company of this size get things so wrong? A large business with plenty of funds should not have found itself in that position – it is their responsibility to take steps to protect staff and customers.
Large organisations are arguably more vulnerable to attack because they make more attractive targets. They may have highly visible security measures, but the rewards can be richer, so hackers are prepared to spend time searching for the equivalent of a small window round the back of the building that has been left open and forgotten about. In Carphone Warehouse’s case, this ‘open window’ was out-of-date WordPress software.
Why small businesses are easier to protect
The good news for small businesses is that their smaller scale makes them less vulnerable to cyberattack. Whilst the challenge of securing the infrastructure is the same as for large organisations, it is easier to find and secure all the open windows because there are fewer of them and the systems are less complex, which makes them easier to protect.
Protecting smaller IT systems needn’t be an onerous responsibility; simply implementing the pillars of Cyber Essentials is a huge step forward. It is not difficult to properly secure your infrastructure; it just takes buy-in. This is also a lot easier to achieve in smaller companies than in larger ones – fewer cooks! – meaning you have an even better chance of making your systems secure.