NCSC and ICO chiefs plead with lawyers to stop making ransomware payments
The two UK authorities say misconceptions around ICO fines are jeopardising the integrity of UK cyber security, in a direct appeal to the Law Society
Leaders from the Information Commissioner’s Office (ICO) and National Cyber Security Centre (NCSC) have called on lawyers in England and Wales to stop their clients from paying ransomware gangs after being attacked.
The NCSC said it's seeing a rise in businesses choosing to pay the demands made by the ransomware operators, but argues that paying these groups only incentivises further attacks and directly funds future criminal endeavours.
The NCSC and ICO wrote to the Law Society for assistance in sharing “some key messages” after they became aware of a growing misconception that paying ransomware gangs to protect data may lead to less harsh penalties imposed on the company by the ICO.
“We would like to be clear that this is not the case,” the letter read. “Law Enforcement does not encourage, endorse nor condone the payment of ransoms.
“While payments are not usually unlawful, payers should be mindful of how relevant sanctions regimes (particularly those related to Russia) – and their associated public guidance – may change that position. More importantly, payment incentivises further harmful behaviour by malicious actors and does not guarantee decryption of networks or return of stolen data.”
The Law Society was also asked to remind lawyers the ICO takes into account the degree to which a given business has taken precautions and implemented measures to mitigate the threat of a ransomware attack when deciding on post-attack penalties.
The ICO said it does not regard paying cyber criminals, on the assumption that a business's data would be more secure as a result, as a satisfactory business strategy for preventing attacks.
Measures the ICO recognises include actionable changes made after analysing an attack and learning from it, timely reporting to the relevant authorities, and a demonstration that the NCSC’s and ICO’s guidance on cyber attacks has been considered.
“Ransomware remains the biggest online threat to the UK and we are clear that organisations should not pay ransom demands,” said Lindy Cameron, CEO of the NCSC.
“Unfortunately we have seen a recent rise in payments to ransomware criminals and the legal sector has a vital role to play in helping reverse that trend.
“Cyber security is a collective effort and we urge the legal sector to help us tackle ransomware and keep the UK safe online.”
The joint letter highlighted the information available to businesses from both the NCSC and ICO, and requested a meeting to discuss the matter further with a view to ensuring there is a strong understanding of the criminal landscape involved with ransomware.
Lawyers are advised to point their clients towards the publicly available advice and make any necessary changes to their cyber strategy to protect the UK online.