Ransomware is recognised by the National Cyber Security Centre (NCSC) as the biggest cyber threat facing the United Kingdom. Following the outbreak of the war in Ukraine, the NCSC has called upon organisations to take action to improve their resilience in light of the increased risk of cyber attacks.
With ransomware attacks becoming the most common cyber incidents affecting personal data in recent times, the Information Commissioner’s Office (ICO) has published new guidance on ransomware and data protection compliance. It is more important than ever that organisations consider the ICO’s guidance to help reduce the risk of a ransomware attack and manage the consequences of an attack.
What is Ransomware?
Ransomware is a type of malware that is used to unlawfully encrypt files on a host computer system. Once a ransomware attacker gains access to a computer system, the malware can often spread quickly from device to device. Attackers often ask for a ransom fee, in order to extort money out of organisations, in return for the encryption key to release the seized data.
Ransomware attacks are becoming more common and can be very damaging to an organisation. It is essential to consider how to prevent such an attack and what to do if an attack should occur.
How can you prevent an attack?
Attacks are not always targeted at a specific individual or organisation. ‘Scatter gun’ style attacks are a common method of gaining access to computer systems unlawfully and have no specific target. All organisations, both large and small, should have measures appropriate measures in place to guard against such attacks.
Prevention is certainly better than cure. Consider the following key tips in order to prevent or mitigate the effects of a ransomware attack:
- Have regard to relevant guidance such as the extensive array of information provided by NCSC including its 10 Steps to Cyber Security and consider securing certifications such as Cyber Essentials and ISO270001 for information security.
- Back-up your personal data – offline backups which are held separate from your main network offer much greater security.
- Implement controls to address “Tactics, techniques and procedures” (TTPs) commonly used by attackers:
- Ensure staff are trained on how to spot phishing emails, and encouraged to report when a suspicious email comes in
- Monitor any vulnerabilities within your IT system, for example ensure proper patch management
- Risk assess any remote access connections to your computer system – avoid single-factor authentication on internet facing service if personal data can be accessed
- Regularly assess user accounts
- Test and assess your security controls regularly:
- Document and perform regular tests of your incident response plan
- Perform and record regular tests of your disaster recovery plan.
- Consider penetration testing.
The ICO has produced a checklist in order to try and prevent a ransomware attack, along with eight common ransomware scenarios. The checklist can be found at Ransomware and data protection compliance | ICO.
What should you do if an attack occurs?
If your organisation is subject to a ransomware attack, then you must consider whether any personal data has been compromised. It is important to understand that loss of timely access to personal data as a result of its encryption due to a ransomware attack will amount to a personal data breach. Even temporary loss of access (for example, if time elapses before you can restore data from backup) would be considered a type of personal data breach.
If a breach has occurred, a formal risk assessment must be undertaken. If data is uploaded from your systems by an attacker, the ICO advises that data exfiltration should be considered in assessing risk. In this regard, logging can help you assess if personal data is likely to have been exfiltrated. You should also be aware that the ICO may ask you to provide evidence of the logs.
If there has been a personal data breach as a result of a ransomware attack, you must notify the ICO without undue delay, unless the breach is unlikely to result in a risk to individuals. The ICO should be notified promptly, and no later than 72 hours after having become aware of the breach. If you decide that the breach need not be reported to the ICO, you must nevertheless retain a record of the breach. If the breach is likely to result in a high risk to individuals they should be informed without undue delay.
If you are subject to a ransomware attack, it is recommended that you should also contact the police. Law enforcement play a key role in protecting individuals’ data and work closely with the ICO. Law enforcement may even recommend a delay in informing affected individuals about a breach if early notification could adversely impact a criminal investigation. This will require you to liaise closely with the ICO.
In terms of payment of any ransom demand, law enforcement and the ICO do not consider the payment of a ransom as an appropriate measure to restore personal data. When dealing with a ransomware attack, it is important to consider that you are dealing with criminal actors, and there is no guarantee that the attackers will release the data or provide an encryption key. Paying a ransom can also set a precedent, and leave you open to further attacks in the future. The ICO advises that if you decide to pay a ransom fee, you should still presume that the data has been compromised and take appropriate action.
Consequences
If you are processing personal data, it is of the utmost importance that you take your security obligations seriously, or you could face significant action from the ICO. For example, the ICO recently issued its first fine relating to ransomware to Tuckers LLP, a criminal law firm, which was fined £98,000 for security breaches after a ransomware attack occurred in 2020. A ransomware attack which results in a personal data breach may also result in claims for breach of contract from other organisations and claims from affected individuals.
In summary, a ransomware attack could happen to anyone at any time – for that reason you must ensure that you have up to date appropriate security measures in place to protect your data. The ICO expects organisations to understand and protect the data that they hold, and oversights could lead to far reaching consequences, including financial penalties.
How can we help?
If you require any advice in relation to ransomware attacks or data protection compliance generally, please contact a member of our specialist Data Protection & Cyber Security team.
This article was co-written by Maya Allen, Trainee Solicitor.