Some UK-based critical national infrastructure (CNI) bodies that have fallen victim to a ransomware attack have risked legal repercussions by paying a ransom. That’s according to research by a cyber security services firm.

Bridewell surveyed 521 staff responsible for cyber security at UK CNI in sectors such as civil aviation, telecommunications, energy, transport, media, financial services and water supply. Most of those surveyed (60pc) have experienced at least one ransomware attack over the previous 12 months. More than a third (35pc) suffered up to five such attacks, but a small percentage of organisations (2pc) reported experiencing more than 100.

In certain situations, for example when a victim has no ability to recover from a successful attack, there may be no choice other than to pay the ransom, the firm points out. However, payment can risk infringing UK and US laws that prohibit dealings with sanctioned people or entities. In the UK, for example, payments could be in breach of the Sanctions and Anti-Money Laundering Act 2018. Ransom payments could also incur financial penalties from the Office of Financial Sanctions Implementation. While prosecutions are uncommon, the UK and US governments have floated the idea of a payment ban.

As for the consequences of a ransomware attack on UK CNI, more than a quarter of respondents (27pc) cited a psychological impact on employees. Disruption (42pc), downtime (40pc) and data loss (39pc) are among the repercussions that respondents say their organisations have suffered, along with reputational damage (35pc). Nearly a third of organisations (32pc) are also facing increased insurance premiums, and 34pc have incurred financial losses from legal fees or fines. The average cost of a ransomware attack on UK CNI organisations is now £295,230, the research suggests. As for the time it takes to respond to ransomware attacks, the average is now 11.4 hours.

Most UK respondents (87pc) agreed that attacks are more sophisticated, with ransomware-as-a-service (RaaS) deployed with greater knowledge and cunning. Threats are on the rise through increasing professionalisation in the ransomware world and the entry of organised crime groups, the firm suggested.

Anthony Young, CEO at Bridewell, said: “If you fall victim to a ransomware attack, paying the ransom should always be your last resort. Aside from the risk that cyber criminals may not restore access upon payment, there are also potential legal consequences to consider.

“That being said, there are certain situations where organisations have no choice other than to pay. If the organisation has no ability to recover, then paying the ransom may represent the only viable option to resume operations other than rebuilding their systems from scratch. However, this difficult choice is avoidable by having a security strategy to reduce the risk of threat actors gaining access and traversing through your systems without discovery and effective removal. Building a relationship with a trusted security partner who understands your environment and the complex challenges faced by critical infrastructure can help you mitigate this risk by having the right expertise, resources, and support if the worst was to happen.”