The Information Commissioner’s Office (ICO) has advised SMEs to take simple steps to boost their cyber security and protect the personal information they hold, amid the growing threat of cyber attacks.

It comes after its trend data revealed that more organisations than ever are experiencing security breaches that put people’s personal information at risk.

Over 3,000 cyber breaches were reported to the ICO in 2023, with the retail sector accounting for 18% of the incidents. 

The ICO has published a new report which analyses data breach reports and shares lessons learnt from common security mistakes. 

The “Learning from the mistakes of others” report has practical advice to help organisations, including SMEs, to understand common security failures and take simple steps to improve their own security, preventing future data breaches before they can happen. 

The report focuses on five leading causes of cyber security breaches: 

  • Phishing – where scam messages trick people into sharing passwords or accidentally downloading malware.
  • Brute force attacks – where criminals use trial and error to guess username and password combinations, or encryption keys.
  • Denial of service – where criminals aim to stop the normal functioning of a website or computer network by overloading it.
  • Errors – where security settings are misconfigured, including being poorly implemented, not maintained and/or left on default settings.
  • Supply chain attacks – where products, services, or technology you use are compromised and then used to infiltrate your own systems.

Stephen Bonner, deputy commissioner – regulatory supervision at the ICO, explained that people need to feel confident that organisations are doing as much as they possibly can to keep their personal information secure: “While cyber attacks are growing more sophisticated, we find that many organisations are not responding accordingly and are still neglecting the very foundations of cyber security.

“As the data protection regulator, we want to support and empower organisations to get this right. If you do experience a cyber attack, we always encourage transparency as your mistakes could help another organisation to avoid a similar breach.”   

If you experience a data breach as a result of a cyber attack, you should report it to the ICO within 72 hours of becoming aware of it.