Boards Need to Step Up To Avoid ICO Fines

Why firms without cyber resilience strategies are putting their futures on the line

If the recent £4.4m fine imposed on Interserve by the ICO has taught companies anything, it should be that understanding cyber security risks and investing in all the right tech isn’t enough to protect themselves from receiving a hefty fine.

Like many firms, Interserve weren’t ignorant to the real threat of an attack, nor were they reluctant to put the right tech in place. Where they failed was monitoring that tech and taking action when suspicious activity was flagged. They fell at the final hurdle and that cost them – big time.

Cyber attackers are growing more sophisticated by the day. They are professional, well-funded and well-networked outfits, acting worldwide and around the clock. Remaining resilient to their ever-evolving threats and staying one step ahead of the competition requires a robust strategy driven by the Board that is constantly maintained and monitored.

It’s likely that more monumental fines, like the one slapped on Interserve, will hit the headlines in future months and years. For some companies, a fine of that magnitude or less could be fatal. To optimise their resilience to cyberattack threats, Boards must wise up to the fact that investing in cyber security tech does not mean job done. The vital part in a successful cyber strategy, which is still missing in all too many companies, is a [Security Operations Centre (SOC) service] ( - experts who know how to monitor the tech, interpret the data and what to do when an alert is flagged.

Having all the tools but lacking a SOC service is only going halfway to protecting your organisation — which, in today’s cyber threat environment, isn’t nearly far enough. A SOC provided by a trustworthy and reliable supplier means the difference between being vulnerable or being resilient to cyberattacks.

The [Financial Times] ( recently published the results of a survey by MIT Sloan and Proofpoint, a California cybersecurity company, which showed that CISOs’ biggest fears if hit by a cyberattack were downtime and operational disruptions. Board members’ biggest fears, on the other hand, were data being made public, reputational damage and revenue loss.

All these fears are well-founded, but what about the potentially devastating effects of being fined? Not to mention the cost of cyber insurance after a fine has been imposed. And then there’s losing out to competitors because your lack of a SOC service makes you uncompliant. Need we go on?

Understand the risks — of course. Invest in the right tech — yes, absolutely. Make sure your cyber strategy includes a SOC service — it’s essential.

Those who don’t value this third but fundamental step of putting a SOC service in place, are not only vulnerable to cyberattacks; they’re also running the risk of becoming uncompliant, uncompetitive and in turn, missing out on business.

Far from being an optional nice-to-have, a SOC service done well is a necessity. It completes the cyber strategy circle, and gives those who understand the need for it, significant business savings and a competitive advantage not to be under-estimated.

Written on January 5, 2023