Cyber security news roundup: January

We're rounding up some of the biggest cyber security stories of the past few weeks. In January, ransomware attacks continued to make headlines, more companies faced huge bills as a result of cyber security failures, and research highlighted the need to close the IT skills gap. 

Hackers publish stolen govt agency files after ransomware payment refused

Ransomware continues to be a major concern for many businesses, with several organisations this month facing threats from hackers. Among these was the Scottish Environmental Protection Agency (Sepa), which is still struggling with disruption following a ransomware attack on Christmas Eve that saw 1.2GB of data compromised.

The government agency confirmed it had refused to engage with the hackers, and as a result, more than 4,000 files including contracts and strategy documents were publicly released.

Terry A'Hearn, chief executive of Sepa, said: "We've been clear that we won't use public finance to pay serious and organised criminals intent on disrupting public services and extorting public funds."

Elsewhere, insurance providers denied they were encouraging the use of ransomware attacks by continuing to pay out to affected companies, after one expert warned these providers were "funding organised crime" by accepting such claims.

GDPR fines increase as regulators crack down on breaches

The costs of failing to adequately protect digital assets from hackers is continuing to rise, as new figures have indicated financial penalties for breaches of GDPR regulations are on the increase.

Research by law firm DLA Piper found that in the last 12 months, the EU has issued around €158.5 million (£140.43 million) in financial penalties to firms that breached these rules. This marked a 39 per cent increase on the previous 20-month period, while across the same time period, the number of breaches reported rose by 19 per cent, with 331 notifications per day since 28 January 2020.

While several of the largest and most high-profile fines have been reduced or overturned on appeal, this continues to highlight the severe repercussions firms can face if they do not focus on their cyber security defences.

Smaller IT teams 'overwhelmed' by cyber attacks

Businesses that rely on small IT security teams are struggling to keep pace with the increased number and severity of cyber attacks they face, research has found.

A Cynet study of 200 CISOs at firms with five or fewer security staff members and cybersecurity budgets of $1 million or less found the majority of these say they are being "overwhelmed" by these threats. As a result, 100 per cent of these businesses are outsourcing at least some of their security efforts to external providers.

Smaller companies are often facing the same advanced threats as their larger counterparts, the study showed, but do not have the resources to defend themselves. For instance, 57 per cent of firms indicated they do not have enough skilled and experienced staff needed to protect against cyber attacks.

BA could pay up to £3bn in compensation for data breach

The fallout from British Airways' (BA's) 2018 data breach continues to be felt, with the firm facing a potentially huge bill for compensation as thousands of affected customers join a class-action lawsuit against the airline.

Around 400,000 customers were affected by the incident, which involved the injection of malicious code into the firm's website to harvest payment details of those who booked flights online. So far, more than 16,000 have joined the case ahead of a March deadline.

The firm had initially been fined a record £183 million over the breach by the Information Commissioner's Office, though this was reduced to £20 million in October 2020. However, lawyers have suggested the firm could be forced to pay around £2,000 per customer in compensation, which would leave BA on the hook for the largest ever UK group claim over a data breach.

Women set to help close IT cyber security skills shortage

Talent shortages in the cyber security sector remain acute, with one study by (ISC)2 finding 22 per cent of companies reported a significant shortage of dedicated cyber security staff between April and June 2020.

However, several cyber security analysts have stated a good way to tackle this will be to focus on encouraging more women to join the profession. To do this, firms must tackle some of the popular misconceptions about these roles and work harder to retain professionals.

Emily Stapf, US cyber security leader at PwC, told the Financial Times: "There is plenty of talent, but companies need to create a culture and opportunities to keep the few women they have."

She also added firms should focus on the different perspectives female candidates can bring to roles. Ms Stapf added: "Many women have a risk management mindset, think differently about balancing tasks and are able to sort through the noise to identify a threat. Those skills are essential."