Article by NCSC
Eleanor Fairford, Deputy Director of Incident Management at the NCSC, and Mihaela Jembei, Director of Regulatory Cyber at the Information Commissioner’s Office (ICO), reflect on why it’s so concerning when cyber attacks go unreported – and look at some of the misconceptions about how organisations respond to them.
At the NCSC and ICO, we deal with the fallout from serious cyber attacks every day. Our responsibilities are different, but we both work on incidents that can take down businesses, severely impact national services and infrastructure, and massively disrupt people’s day-to-day lives. You’ll be familiar with some of the headlines and it’s not a pretty picture.
But we are increasingly concerned about what happens behind the scenes of the attacks we don’t hear about, particularly the ransomware ones. They are the attacks that aren’t reported to us and pass quietly by, pushed to one side, the ransoms paid to make them go away. And if attacks are covered up, the criminals enjoy greater success, and more attacks take place. We know how damaging this is.
In this blog we look at why it’s in everyone’s interests to be more open about cyber attacks, by exploring – and dispelling – some of the myths around responding to cyber attacks.
Myth 1: If I cover up the attack, everything will be ok
Imagine that you come home from work to find your house has been burgled. Instead of reporting it to the police and seeking support, you quickly tidy everything up and carry on as if nothing had happened, hoping no one finds out, and without investigating further.
The next week your neighbour is burgled too, although you might not know about it because they don’t mention it. And then the burglars return to your place again because you didn’t spot that the unlocked window is still unlocked, so it’s easy for them to get back in.
This is often how it works in a cyber incident, particularly ransomware. Every successful cyber attack that is hushed up, with no investigation or information sharing, makes other attacks more likely because no one learns from it. Every ransom that is quietly paid gives the criminals the message that these attacks work and it’s worth doing more.
So if attacks pass by without full investigation and information sharing, particularly with those who can help mitigate them, everything definitely won’t be ok.
How to share?
We understand it’s hard for organisations to open up about the stressful experience of a cyber attack, and lay bare the things you wish had been different. But there are secure and trusted environments where you can do this safely. The NCSC has CISP to facilitate information sharing between organisations, as well as our sector information exchanges (IEs) and other trust groups. Your sector or region may have other forums too.
Keeping your cyber incident a secret doesn’t help anyone except the criminals.
Myth 2: Reporting to the authorities makes it more likely your incident will go public
If your organisation experiences a cyber attack, reporting it to the NCSC or law enforcement means you can access the wealth of support available. One of the responsibilities of NCSC Incident Management is to provide direct support to affected organisations where there is a national impact, working with the appointed incident response provider. We know how these things play out – we manage cyber incidents every day, and can help you. We respect your confidentiality and don’t proactively make information public, or share it with regulators without your consent.
In fact, the NCSC has extensive communications support available to help you navigate the incident and to manage media coverage and active communications. We encourage organisations to be open when an incident happens, but ultimately, it’s your choice, and we will support you either way.
Remember your regulatory responsibilities
As the regulator, over at the ICO, our role is to provide guidance and support to the organisations we regulate, as well as to monitor and enforce the regulations we oversee. But in the immediate aftermath of an incident, we don’t disclose details beyond confirming whether or not an incident has been reported to us. It’s important to remember that there may be a regulatory requirement to report (and you can find out more about your responsibilities and when you need to report a breach, including a self-assessment tool, on the ICO website).
When it comes to deciding the regulatory response, it’s really important to emphasise that we’ve always taken into account how proactive an organisation is about getting the right support, which includes engaging with the NCSC and implementing any advice. In our next process review, we’re even considering making explicit the amount saved in a fine when an organisation has positively engaged. Being open and transparent is the right thing to do for the greater good, but we’re looking into making it business savvy as well.
And where information about an incident does need to be made public – not always the case – we will usually be in dialogue with a company about this so there aren’t any surprises.
Myth 3: Paying a ransom makes the incident go away
In a ransomware attack, your files and computers are encrypted, and there is now the added sting that an attacker often also steals data from your network and threatens to leak it if you don’t pay up.
But paying the ransom quickly to get the decryption key and restore services doesn’t always help. Why not?
- The decryption process can be lengthy and cumbersome – attackers sometimes accidentally double-encrypt data, meaning it can’t be decrypted, or they delete data that is then unrecoverable. In one case, restoration from backups was actually quicker than using the decryption key itself.
- Paying a ransom is basically accepting a pinky promise from criminals that they will decrypt your network or not leak stolen data. Nothing is guaranteed, and bear in mind that organisations that pay the ransom are likely to be targeted again. Estimates vary, but it’s suggested that around one third of all organisations affected by ransomware are attacked again.
- It’s basically rewarding criminals for their efforts and makes it more likely they’ll carry out more attacks against other organisations, ultimately making the broader threat landscape worse.
- From the ICO point of view, paying ransoms doesn’t reduce the risk to individuals, it’s not a mitigation under data protection law, and isn’t considered a reasonable step to safeguard data.
The NCSC position, along with law enforcement, is that we don’t endorse, promote or encourage the payment of ransoms. But we know that an unprepared organisation, in the aftermath of an attack, may take the view that paying a ransom is the only way out. If that’s the case, we ask that you still stay in touch with the NCSC and our law enforcement partners so we can understand the full picture and try to establish how the attackers got into your systems in the first place, so you can fix that.
Don’t leave that window unlocked for them to come back next time.
Myth 4: I’ve got good offline backups, I won’t need to pay a ransom
We’d like it to be true that if you implemented all our excellent cyber security guidance, your backups would be safely offline and you could rebuild if the worst happened.
Unfortunately the data extortion angle adds a whole new level of complexity. If the attackers have access to sensitive data, they could threaten to leak it unless you pay the ransom.
So you need to think really carefully about the data you hold and how you protect it.
It’s a bit like storing someone else’s valuables in your house in a cardboard box with the words ‘valuable stuff in here!’ on it, and your window left unlocked for the thieves to get in. You are responsible for protecting the valuable items you hold – except in this case, it’s other people’s personal data.
Keeping people’s data safe is also a requirement under data protection law – see the ICO’s guidance on security for more on that.
Myth 5: If there is no evidence of data theft, you don’t need to report to the ICO
You might not be able to see in your logging data whether or not data was stolen. But if there is any suggestion that the actor has accessed the systems holding your data, you should start from the assumption that it has been taken. As the quote goes: absence of evidence isn’t evidence of absence.
In the NCSC we’ve seen many examples of organisations affected by ransomware that were convinced no data had been taken, only to find it crop up in a dark web data leak weeks or months later. But if you seek early support and communicate openly, you will reduce the risk of the unpleasant surprise of a future data leak.
From an ICO point of view, we’d reiterate the earlier point that organisations have responsibilities under data protection law, and other legislation including NIS, to report incidents where the thresholds are met. And remember that point about lack of evidence – poor situational awareness isn’t an adequate technical control. You could be living in blissful ignorance while also being in breach of data protection law.
Myth 6: You’ll only get a fine if your data is leaked
This isn’t necessarily the case. A data leak isn’t the only reason for a fine, and you won’t always be fined if data is leaked. A personal data breach is more than just a loss of data: it also includes its destruction, alteration, and unauthorised disclosure of, or access to, it. The ICO looks at the context of each individual case – it’s not just about whether or not data was leaked.
As a fair and proportionate regulator, the ICO understands that helping organisations to improve their data protection practices is also the best way to protect people’s data. If we find serious, systemic or negligent behaviour that puts people’s information at risk, enforcement action may be an option. But this isn’t a blanket approach.
The ICO also recognises when organisations have taken steps to fully understand what has happened, and learn from it. As we say above, if your organisation has raised the incident with the NCSC, and you can show you’ve followed guidance and support, it could positively impact our response.
. . . but the gangs may tell you otherwise
Be aware that cyber criminal gangs prey on the misconception that the data leak is the source of a fine. The NCSC has seen ransomware messages to organisations that say things like: “The ransom demand is £50 million. If you pay, you’ll avoid a regulator fine of £600 million which is 0.5% of your annual profit.” Don’t succumb to their techniques! Seek support and communicate early to avoid an investigation later into an incident you tried to hide.
Don’t feed the cycle!
We hope this blog has helped persuade you of the value of being open if the worst happens.
Being open about an attack, by seeking support and communicating openly with the NCSC and ICO in the days following it, can only help you, while sharing information about the attack with your trust communities later on will ultimately improve the threat landscape for everyone.
And don’t just take our word for it; others are saying the same thing. In the US, CISA Director Jen Easterly has written about how reluctance to report to government creates a race to the bottom, while the Google President of Global Affairs talks about the need to ‘weave transparency’ into a cyber security response.
Make sure cyber security lessons are learned to protect yourself and help prevent future attacks for everyone. And remember the cyber incident reporting service helps UK organisations access the right support if you need it.