NCSC, ICO on cyber myths

by Mark Rowe

“If I cover up the attack, everything will be ok.” “Reporting to the authorities makes it more likely your incident will go public.” “Paying a ransom makes the incident go away.” “I’ve got good offline backups, I won’t need to pay a ransom.” “If there is no evidence of data theft, you don’t need to report to the ICO.” “You’ll only get a fine if your data is leaked.” These are six ‘myths’ which the UK’s National Cyber Security Centre (NCSC) and the data protection regulator, the ICO, have identified as commonly held by organisations that have fallen victim to cyber incidents.

The blog post is by Eleanor Fairford, Deputy Director of Incident Management at the NCSC, and Mihaela Jembei, Director of Regulatory Cyber at the ICO.

On ransomware, the NCSC reports that it has seen ransom notes to organisations that say things like: “The ransom demand is £50 million. If you pay, you’ll avoid a regulator fine of £600 million which is 0.5pc of your annual profit.” Don’t succumb to their techniques, the blog urges. Seek support and communicate early to avoid a later investigation into an incident you tried to hide.

Eleanor Fairford said: “The NCSC supports victims of cyber incidents every day, but we are increasingly concerned about the organisations that decide not to come forward.

“Keeping a cyber attack secret helps nobody except the perpetrators, so we strongly encourage victims to report incidents and seek support to help effectively deal with the fallout. By responding openly and sharing information, organisations can help mitigate the risk to their operations and reputation, as well break the cycle of crime to prevent others from falling victim.”

Comments

Mike Gillespie of the information security awareness consultancy Advent IM said: “The article raises several important and valid points. Equally I do think that 1) SMEs do not think NCSC will be interested in them and 2) there is a massive fear of the ICO and fines. Both of which will make organisations fail to proactively come forward in the event of a breach.

“Equally, it makes some valid arguments for proactive reporting, some of which we have talked about in the past – including the bullies coming back a second time, the criminal activities that are funded by ransom funds, and the fact that even if you do pay you don’t necessarily get your data back.”

Dr Darren Williams, CEO of data security and counter-ransomware product company Blackfog, says: “Delayed reporting has become very common as organisations attempt to stay out of the headlines and shed the cyberattack stigma. The reality, however, is that sweeping a data breach under the carpet isn’t a viable option. IT leaders must be prepared to report any successful cyberattacks and quickly execute damage control measures.

“Organisations with robust incident response plans and good communication can limit damage and prevent a catastrophic hit to their reputation, as the sooner organisations announce a data breach, the faster law enforcement can respond and help guide the situation towards resolution. Most business leaders would immediately call the police if their headquarters was ransacked, yet when their digital assets are stolen by cybercriminals, they hesitate.

“While prevention is key to good cybersecurity policy, security leaders must also be aware of the fact that there is a strong chance that hackers will break through their defences at some point. Deep, multi-layered cybersecurity defences make it more likely cybercriminals leave tracks for law enforcement agencies to follow, and with data being the ultimate prize for cybercriminals, adding an ADX solution that has been designed to prevent the exfiltration of data has become a necessity to prevent breaches.

“It’s also important to remember that regulators won’t be fooled. Most countries have very clear policies that stipulate what is required of organisations who are victims of cyberattacks, with many, including CISA and GDPR, requiring notification within 72 hours.

“Delayed reporting will be discovered by regulators eventually. There is no such thing as a secret when it comes to ransomware. If it’s on the internet it can be discovered by anyone. In fact, BlackFog collects this data on a daily basis and often knows of the attack before the victim has even been notified. The best approach is always full disclosure as soon as possible to limit the damage and any fallout from the attack.”

Julia O’Toole, CEO of MyCena Security Solutions, says: “This new post from the NCSC acts as a helpful reminder to organisations that breaches don’t need to be covered up. Cybercrime is a key threat to all businesses today, so suffering attacks has become the norm and not something that should be hidden. Instead, by sharing information, organisations can learn about attack techniques and improve their defences.

“One of the most important myths covered by the NCSC relates to data breach fines and the likelihood of companies facing high penalties when they are not doing enough to keep their data secure.

“If cybercrime is inevitable today, then organisations must shore up their defences against them to demonstrate to the ICO they are practicing good cyber hygiene. This means keeping intruders out of networks to help prevent data from being stolen, however, this is something which is impossible to achieve when organisations don’t control their access. When employees make and hold their own passwords, they are the key holders, but they are also highly susceptible to phishing attacks or losing those passwords, which is the leading cause of breaches.

“If organisations want to demonstrate to the ICO they are doing enough to protect their data from attacks, they must control their access and remove passwords from employee hands. Instead, organisations should use access segmentation and encryption management solutions to generate strong random passwords for all systems and distribute them encrypted to employees, so no one ever knows them.”

About the NCSC

Launched in October 2016, the NCSC has headquarters in London and brought together expertise from CESG (the information assurance arm of GCHQ), the Centre for Cyber Assessment, CERT-UK, and the Centre for Protection of National Infrastructure (which became the National Protective Security Authority, NPSA, in March 2023).

© 2024 Professional Security Magazine. All rights reserved.