UK's NCSC and ICO encourage greater transparency around cyber attacks

Viewpoints
May 16, 2023

Cyber attacks, particularly those involving ransomware, continue to pose a serious threat to UK businesses. It was recently reported in The Guardian that ransomware payments have almost doubled to $1.5 million (£1.2 million), with British cybersecurity firm Sophos apparently finding that the average ransomware payment rose from $812,000 the previous year.

Ransomware is a particular kind of malware that renders systems, devices and data stored on them unusable, usually through encryption. Victims of ransomware attacks are asked to make payments to the bad actors who deployed the ransomware in exchange for the decryption of the relevant files and the unlocking of the relevant systems and devices. There may also be threats by cyber criminals to leak any stolen data.

Despite the UK Government discouraging the payment of ransom demands by organisations which find themselves subject to ransomware attacks, Sophos also found that the average ransomware-related payment made by UK organisations in 2023 was apparently higher than the global average at $2.1 million, with the most wealthy organisations appearing to be both the most likely to be targeted and also more likely to pay higher ransom demands.

In view of this situation, it is perhaps unsurprising that this remains an area of focus for both the UK National Cyber Security Centre (NCSC) and the UK Information Commissioner's Office (ICO). In a recent blog post, the NCSC and the ICO considered certain issues that can arise when cyber attacks, especially ransomware attacks, go unreported, encouraged greater transparency around cyber attacks and dispelled certain misunderstandings about how businesses respond to such attacks.

The first myth that the blog considers is "If I cover up the attack, everything will be okay". The NCSC and the ICO observe that when successful cyber attacks go unreported, with no information sharing or investigation, similar attacks become more likely: no-one learns from the unreported attack, and bad actors are encouraged in their criminal endeavours. The blog highlights certain secure and trusted ways to share information about cyber attacks, such as CISP (Connect Inform Share Protect), a platform on which UK cyber security professionals can collaborate on cyber threat information confidentially and securely.

The second myth discussed is: "Reporting to the authorities makes it more likely your incident will go public". The blog highlights that reporting cyber attacks to the NCSC or law enforcement gives impacted organisations access to considerable support, noting that NCSC Incident Management provides direct support to impacted organisations where there is a national impact and can assist with the management of such incidents.

The blog stresses that NCSC Incident Management respects the confidentiality of affected organisations and does not take steps to make information public, or disclose it to regulators, without the relevant organisation's consent. It also observes that the NCSC provides a great deal of communications support to assist organisations in addressing incidents and that, although the NCSC favours transparency when cyber incidents arise, the choice of whether or not to be open ultimately rests with the targeted organisation.

The ICO notes that, as the regulator, it provides support and guidance to organisations processing personal data in addition to enforcing the applicable data protection rules. The blog stresses that, immediately after an incident occurs, the ICO does not disclose details other than to confirm whether a personal data breach has been reported to it, but that organisations should always consider whether applicable data protection regulations oblige them to report a breach. The blog observes that, where details of an incident do need to be publicised, the ICO will typically discuss this with the impacted organisation first.

When deciding its regulatory approach to a data breach incident, the ICO also takes into account how proactive the organisation has been in obtaining the correct support, including liaising with the NCSC and acting on any advice received. The blog suggests that organisations that have cooperated proactively may see any fines that are issued reduced as a result.

Another myth dispelled by the blog is that: "Paying a ransom makes the incident go away". The blog notes that this is not always the case, for various reasons. Decrypting encrypted data can take a long time and be difficult to achieve, and paying a ransom involves trusting that the cyber criminals will be as good as their word, which is obviously uncertain (many organisations impacted by ransomware go on to be attacked again). Paying ransom demands also encourages bad actors to attack others, allows them to profit from their criminal behaviour and, from the ICO's perspective, does not minimise the risk to data subjects' rights.

The NCSC emphasises that, even if an organisation ultimately decides to accede to a ransom demand, it should remain in contact with the NCSC so that the incident can be understood and the vulnerabilities in its systems addressed.

The NCSC and the ICO also disagree with the myth: "I've got good offline backups, I won't need to pay a ransom", highlighting that, if cyber criminals can access sensitive data, they could threaten to leak it unless a ransom is paid, regardless of whether the victim can restore its systems. The blog also notes that organisations which process personal data are obliged by applicable data protection law to keep such data secure.

The assumption that: "If there is no evidence of data theft, you don't need to report it to the ICO" is also challenged, with the blog emphasising that, if there is a suspicion that cyber criminals have accessed systems where personal data is stored, it should be presumed that such data has been stolen. The NCSC suggests that transparent dialogue and asking for help at an early stage can help to minimise the risk of discovering data leaks later, while the ICO underlines that applicable data protection and cyber security legislation obliges organisations to report incidents in certain circumstances.

The final myth discussed is: "You'll only get a fine if your data is leaked", a message often repeated by cyber criminals. Again, this is not always true. A personal data breach can involve more than data loss alone: it can also include the alteration or destruction of data, or unauthorised disclosure of or access to it.

The ICO recognises that proactively assisting organisations to make their data protection practices more robust is the best way to protect data, but inadequate or inappropriate data protection practices may still result in enforcement action. Any such enforcement action may, however, be mitigated by an organisation's response to a breach and its willingness to follow any guidance provided by the NCSC.

Clearly, both the NCSC and the ICO see many positives for organisations in being more transparent about the cyber attacks they suffer and in requesting help early to mitigate the impact of such attacks. Historically it may have been difficult to persuade organisations of the benefits of disclosing the details of successful cyber incidents and (at least to some extent) the vulnerabilities in their systems and processes that contributed to them. Hopefully, dispelling some commonly held misconceptions and shining a light on the long-term advantages for all that increased openness on these issues could bring will encourage change.