The head of the U.K. Information Commissioner’s Office (ICO) warned companies not to ignore “crucial measures” to prevent cyber incidents following the regulator’s decision to fine construction firm Interserve 4.4 million pounds (U.S. $5 million) for failing to secure employee personal information.

“The biggest cyber risk businesses face is not from hackers outside of their company but from complacency within their company,” said U.K. Information Commissioner John Edwards in a news release Monday. He added organizations are leaving themselves vulnerable to cyberattacks by ignoring simple measures like updating software and training staff.

“If your business doesn’t regularly monitor for suspicious activity in its systems and fails to act on warnings or doesn’t update software and fails to provide training to staff, you can expect a similar fine from my office,” said Edwards.

The ICO determined Interserve breached the U.K. General Data Protection Regulation (GDPR) by failing to keep the personal information of its 113,000 staff secure when it suffered a ransomware attack. Between March 2019 and December 2020, the ICO said the company, which is in the process of being broken up, failed to take appropriate technical and organizational measures to protect personal data.

The breach originated when an Interserve employee forwarded a phishing email, which was not blocked by the company’s IT system, to another employee who downloaded its content, thereby installing malware on the workstation.

“The biggest cyber risk businesses face is not from hackers outside of their company but from complacency within their company.”

John Edwards, U.K. Information Commissioner

The company’s anti-virus software quarantined the malware and sent an alert, but Interserve failed to investigate the matter and was unaware the attacker still had access to its systems, the ICO said. The regulator found Interserve used outdated—even end-of-life—software systems and protocols and had a lack of adequate staff training and insufficient risk assessments, which left it vulnerable.

“Interserve ought reasonably to have been aware of the risks posed by running outdated support systems, in particular in circumstances where the risks … were well-known and documented (and) … senior management were aware of historic and legacy issues within the IT estate,” the ICO said.

As a result of these alleged failings, an attacker in 2020 compromised 283 Interserve systems and 16 accounts across four domains and uninstalled the company’s anti-virus solution. The attacker also encrypted the personal data of the 113,000 current and former employees. This information included contact details, national insurance numbers, and bank account details, as well as special category data including ethnic origin, religion, details of disabilities, sexual orientation, and health data.

In April, the ICO issued Interserve a notice of intent, which allowed it to make representations to reduce the £4.4 million provisional fine.

In recent years, companies such as British Airways and Marriott International have been able to successfully push for substantial cuts to their original fines—nearly 90 percent in the case of BA. Despite acknowledging improvements Interserve has since made to its security standards, the ICO did not reduce the fine.

Interserve said it “strongly disputes” the ICO’s finding it was complacent.

“As the ICO recognizes in its monetary penalty notice, Interserve took extensive steps to resolve the incident, engaging leading cyber response companies, and made significant investments across its operating companies to mitigate the potential impacts of the cyber incident on its past and present staff,” the company said in an emailed statement. It added the ICO’s investigation “has not followed a fair and proper process.”

It is considering an appeal.