Yet another wake-up call for businesses

The Information Commissioner’s Office (ICO) has fined outsourcing leader Capita £14 million for a 2023 cyber attack that exposed the personal data of 6.6 million people. The breach, which affected pension records, staff files and sensitive customer data (including criminal records and financial information), was traced back to a malware infection that went uncontained for 58 hours, allowing attackers to infiltrate and exfiltrate nearly a terabyte of data.
“This could have been prevented.” – John Edwards, UK Information Commissioner.
“Capita failed in its duty to protect the data entrusted to it by millions of people. The scale of this breach and its impact could have been prevented had sufficient security measures been in place.”
This statement emphasises the critical shift in how cyber security is viewed – not as a technical add-on, but as a core business obligation. The ICO’s investigation revealed that Capita lacked basic protections such as privilege tiering, timely incident response and regular penetration testing. These failures weren’t just oversights: they were flagged multiple times and left unaddressed.
Cyber security is not just an IT concern
The Capita case is yet another reminder that cyber security is not just an IT issue. It’s a boardroom issue. It affects reputation, customer trust, legal liability and financial stability. Every manager, not just the CIO, must be part of the cyber security conversation.
CSG’s top 5 steps to bring cyber security into your manager’s meeting
To help you embed cyber security into your broader strategic discussions, follow these five practical steps:
1/ Add cyber security as a standing agenda item
Make it a regular part of your manager’s meeting, just like finance or operations. This ensures visibility and accountability.
2/ Review key metrics monthly
Include updates on phishing attempts, patching status, and incident response times. Use dashboards or summaries from your IT team.
3/ Discuss business impact, not just tech risks
Frame cyber security in terms of business continuity, customer trust and regulatory compliance. This helps non-technical leaders engage meaningfully.
4/ Assign ownership across departments
Cyber security isn’t just for IT. HR, finance and operations all handle sensitive data. Assign clear responsibilities and encourage cross-functional collaboration.
5/ Run scenario-based tabletop exercises
Simulate a breach and walk through how your team would respond. This builds preparedness and highlights gaps in your current strategy. CSG helps hundreds of businesses do this successfully to build employee awareness. Book your call today to learn more.
Capita’s £14 million fine is more than a penalty; it’s a signal. Cyber threats are constant and costly, so proactive security isn’t optional, it’s essential. Businesses must move beyond reactive IT fixes and embed cyber security into their strategic DNA, and we are here to help you do that.
If you’re not already discussing cyber security at your manager’s meeting, now is the time to start.
