Solicitors are being asked to play their part in keeping the UK safe online by helping to tackle the rise in organisations paying out to ransomware criminals.
The National Cyber Security Centre (NCSC) and Information Commissioner’s Office (ICO) have been told that some firms are paying ransoms with the expectation that this is the right thing to do and they do not need to engage with the ICO as a regulator, or will gain benefit from it by way of reduced enforcement. This is incorrect.
Ransomware involves the encrypting of an organisation’s files by cybercriminals, who demand money in exchange for providing access to them.
In a joint letter, NCSC and the ICO ask the Law Society to remind its members that they should not advise clients to pay ransomware demands should they fall victim to a cyberattack.
Paying ransoms to release locked data does not reduce the risk to individuals, is not an obligation under data protection law and is not considered as a reasonable step to safeguard data.
The ICO has clarified that it will not take this into account as a mitigating factor when considering the type or scale of enforcement action. It will, however, consider early engagement and co-operation with the NCSC positively when setting its response.
Dan Middleton, Vice President UK & Ireland, Veeam Software, commented on the announcement: “The damage ransomware can inflict on businesses is staggering. Those that feel they have no choice but to pay cybercriminals in order to unlock their files put their money and their reputation at risk.
“As explained by Lindy Cameron, CEO of the NCSC, and the Information Commissioner, businesses should never pay the ransom demands of cybercriminals. Instead, the only option is to restore data.
“Implementing a full backup and Disaster Recovery plan gives organisations the ability to recover data in the event of a ransomware attack, minimising the risk of financial and reputational damage. Offsite and offline backups should be implemented to achieve this. I advocate the 3-2-1-1-0 rule, which says there should always be at least three copies of important data, on at least two different types of media, with at least one off-site, one offline, with zero unverified backups or backups completing with errors.
“When combined with prevention measures, such as educating employees and ensuring that cyberattackers are not being unwittingly gifted access to the data and systems they need to initiate a ransomware attack, backup and Disaster Recovery is the last line of defence that can help businesses win the ransomware battle.”