How to Lose Money Quickly

Poor IT management is becoming the quickest way for companies to lose money. The ICO has just fined Interserve (the parent company of a number of construction companies) £4.4 million for a ransomware attack during which the hacker gained access to the records of 113,000 employees. And the ICO fine is just the beginning.

For a start, Interserve will have to purchase identity theft protection software for each employee for a few years. Assume 113,000 × £300 = £33.9m, and you start to get a sense of how much money has gone down the drain. And there’s no chance that the insurers will pick up the bill. Any insurance policy will specify that the company must apply at least basic IT standards. Interserve didn’t manage even that.

Its operating systems were so old they were out of support, it did not fully enable endpoint protection, it had not carried out penetration testing for two years, it had 280 users with admin rights (way in excess of what is considered good practice), and so on. What makes the whole thing even more risible is that, while Interserve’s practical administration of its IT systems was abject, at the level of theory it reached Olympic standard.

According to the ICO, Interserve had adopted the following IT policies: (i) System Management Policy, (ii) Information Security Training Policy, (iii) Threat and Vulnerability Management Policy, (iv) System Management Standard, (v) Network Management Standard, (vi) Technical Security Infrastructure Standard, (vii) Incident Management Standard, (viii) Threat and Vulnerability Management Standard, (ix) Access Control Standard and (x) Ransomware Incident Response Guidelines.

A textbook case of all knickers and no elastic. And £40m down the drain.
