At the NCSC and ICO, our teams are dedicated to addressing the consequences of severe cyber attacks on a daily basis. While our responsibilities may differ, we are united in tackling incidents that can cripple businesses, significantly affect national services and infrastructure, and severely disrupt everyday life for individuals. The headlines reflect a troubling reality.
We are increasingly worried about the incidents that remain hidden, particularly those involving ransomware. These attacks often go unreported, swept under the rug as ransoms are paid quietly to alleviate the situation. Concealing these attacks enables criminals to thrive, resulting in an escalation of such incidents. We are aware of the profound damage this causes.
This blog post examines why transparency regarding cyber attacks is essential for everyone’s benefit by addressing and debunking common myths associated with responding to these situations.
Myth 1: A Cover-Up Will Keep Everything Fine
Consider coming home to find your house burglarized. Instead of reporting it and seeking help, you decide to clean up and act as if nothing happened, hoping to avoid further attention and carrying out no deeper investigation of how the burglars got in.
Your neighbor may experience a similar fate, possibly without your knowledge, as they may not mention it. Subsequently, the burglars may return to your place, taking advantage of your unaddressed vulnerabilities.
This analogy captures how some organizations approach cyber incidents, particularly ransomware. Every successful attack that is concealed, without investigation or shared knowledge, increases the likelihood of future attacks, as valuable lessons remain unlearned. Each paid ransom signals to criminals that their tactics are effective, encouraging additional attempts.
Hence, when incidents are not thoroughly investigated or information is not shared—especially with entities capable of aiding recovery—things will certainly not turn out well.
How to Share?
We recognize the difficulty organizations face in discussing the distressing experience of a cyber attack. However, there are secure and trustworthy platforms available for such disclosures. The NCSC offers CISP, designed to promote information sharing among organizations, as well as sector information exchanges (IEs) and other trusted groups. Your specific sector or locality may also possess additional forums for support.
Keeping your cyber incident under wraps does not benefit anyone, aside from the criminals.
Myth 2: Reporting the Incident Leads to Public Exposure
If your organization faces a cyber attack, bringing it to the attention of the NCSC or law enforcement opens the door to a wealth of support. One of the roles of NCSC Incident Management is to provide direct assistance to affected organizations when an incident has national impact, collaborating with the designated incident response provider. We possess extensive experience in managing cyber incidents and can provide the necessary support. We prioritize confidentiality and do not release information publicly, or share it with regulators, without your permission.
In fact, the NCSC offers comprehensive communication assistance to help navigate the incident and manage media interactions. We encourage organizations to maintain transparency during an incident; ultimately, the choice is yours, and we are here to support you either way.
Be Mindful of Your Regulatory Responsibilities
At the ICO, our role involves offering guidance and support to the organizations we regulate while also monitoring and enforcing relevant regulations. It’s essential to understand that in the immediate aftermath of an incident, we do not disclose beyond confirming whether or not we have received an incident report. There may be a regulatory obligation to report, which you can explore further on the ICO website.
In determining regulatory responses, it’s important to note that we consider how proactive an organization is regarding obtaining the necessary support. This includes engaging with the NCSC and acting on pertinent advice. We are currently reviewing our processes to possibly reward organizations that engage positively and transparently. While being open serves the greater good, it also offers business advantages.
When information about an incident needs to be made public, we usually discuss this with the company beforehand to avoid any surprises.
Myth 3: Paying a Ransom Resolves the Issue
During a ransomware attack, your devices and files may be encrypted, often accompanied by the threat of stolen data being leaked unless the ransom is paid.
However, settling the ransom to obtain the decryption key and restore services doesn’t guarantee resolution. Why is this the case?
- The decryption process can be slow and challenging—attackers may inadvertently double-encrypt data or delete it entirely, making recovery impossible. In some cases, restoring data from backups was actually faster than using the decryption key.
- Paying a ransom amounts to accepting a promise from criminals that they will decrypt your data or refrain from leaking sensitive information. Nothing is certain, and organizations that pay ransoms often find themselves targeted again. Estimates suggest that approximately one-third of organizations hit by ransomware experience repeated attacks.
- Ultimately, paying ransoms rewards criminal behavior, making it more likely that they will continue to carry out attacks on other organizations, exacerbating the larger threat landscape.
- From the ICO’s perspective, paying ransoms does not reduce the risk for individuals; it is not an acceptable risk mitigation measure under data protection law and is not deemed a reasonable action to protect data.
The NCSC, in conjunction with law enforcement, does not advocate for or endorse the payment of ransoms. However, we recognize that for an organization that was unprepared when an attack struck, paying may seem like the only way out. If such a choice is made, we encourage you to remain in contact with the NCSC and law enforcement partners to help us understand the incident’s context and prevent future breaches.
Don’t leave that window unlocked for criminals to return.
Myth 4: Reliable Offline Backups Mean I Won’t Pay a Ransom
We wish it were true that by following our effective cyber security guidelines, your backups would be securely offline, allowing for recovery in the worst-case scenario.
Unfortunately, the threat of data extortion complicates matters. If attackers have access to sensitive information, they could threaten to leak it unless the ransom is paid.
This reality forces you to thoughtfully assess the data you possess and how it is safeguarded.
It’s akin to storing someone else’s valuables in your home using a cardboard box labeled ‘valuable items inside’ while leaving the window unlocked for thieves to enter. You hold the responsibility for safeguarding the valuable data you maintain—data belonging to other individuals.
Ensuring the safety of individuals’ data is also mandated under data protection legislation—refer to the ICO’s guidance on security for further information on responsibilities.
Myth 5: No Evidence of Data Theft Means No Need to Report to the ICO
It may not be obvious in your logging data whether any data was stolen. However, if there is any indication that an actor has accessed the systems containing your data, you should assume it has been compromised. As the saying goes: absence of evidence isn’t evidence of absence.
The NCSC has witnessed numerous cases in which organizations impacted by ransomware were convinced that no data was compromised, only to discover it appearing in dark web leaks weeks or months later. By seeking prompt support and maintaining open communication, you can mitigate the risk of unexpected data breaches.
From the ICO’s standpoint, it’s crucial to reaffirm that organizations hold responsibilities under data protection laws and various regulations including NIS to report incidents that meet specified thresholds. Please remember the earlier point regarding evidence—insufficient situational awareness is not an adequate technical safeguard. You could unintentionally remain oblivious while breaching data protection directives.
Myth 6: Fines Only Result from Data Leaks
This is not necessarily accurate. A data leak is not the sole grounds for imposing a fine, and if data is leaked, it does not guarantee a penalty will follow. A personal data breach encompasses more than just the loss of data; it includes destruction, alteration, and unauthorized access or disclosure. Each case is evaluated in its specific context by the ICO—it’s not merely a matter of whether or not data has been leaked.
As a fair and proportional regulator, the ICO believes that aiding organizations in enhancing their data protection practices is vital for safeguarding individuals’ information. If we identify serious, systemic, or negligent actions that compromise personal data, enforcement action may be a viable option. However, we take a nuanced approach to each situation.
The ICO also acknowledges when organizations take the initiative to comprehend the situation thoroughly and learn from it. As previously stated, if an organization has communicated the incident to the NCSC and can demonstrate adherence to provided guidance, it can positively influence our response.
However, cybercrime gangs may suggest otherwise
Be cautious, as cybercriminal groups exploit the misconception that a data leak is synonymous with incurring a fine. The NCSC has observed ransom messages asserting, “The ransom demand is £50 million. If you pay, you’ll sidestep a regulatory fine of £600 million, which is 0.5% of your annual profit.” Don’t fall victim to their tactics! Seek assistance and communicate openly to prevent subsequent investigations into an incident you’ve attempted to conceal.
Avoiding the Cycle!
We hope this blog post has convinced you of the importance of openness when facing adverse situations.
Being transparent about an attack by seeking support and communicating freely with the NCSC and ICO immediately afterward can only be beneficial, while sharing information about the attack with trusted communities later improves the overall picture of the threat for everyone.
And don’t only take our word for it; others echo this sentiment. In the United States, CISA Director Jen Easterly has written about how reluctance to report to the government fosters a race to the bottom. Similarly, the President of Global Affairs at Google speaks on the necessity to ‘weave transparency’ into a cybersecurity response.
Ensure that cybersecurity lessons are not only distributed for individual protection but also aid in preventing future attacks for others. Remember to utilize the cyber incident reporting service which assists UK organizations in accessing essential support.
Eleanor Fairford, NCSC’s Deputy Director for Incident Management
Mihaela Jembei, ICO’s Director of Regulatory Cyber

Based on an article from ncsc.gov.uk: https://www.ncsc.gov.uk/blog-post/why-more-transparency-around-cyber-attacks-is-a-good-thing-for-everyone