Beware the hidden risks of ransomware payments


Since the Covid-19 pandemic, businesses in all sectors have had to adapt to challenges arising out of the surge in ransomware attacks that exploit weaknesses in infrastructure, systems or people to access and encrypt a company’s data. Attackers demand payment to unlock the victim’s data and threaten to release it online if the ransom is not paid.

By revealing highly sensitive employee information or trade secrets, ransomware attacks have the potential to significantly damage a business’s reputation as well as its financial status. Yet, the payment of a ransom can also give rise to legal and reputational risk, and the potential for exploitation.

Key legislation to be aware of

In the UK, the key risks of making ransom payments arise out of legislation relating to sanctions, money laundering and terrorist financing. These include:

  • Sanctions and cyber sanctions. The UK’s Office of Financial Sanctions Implementation (OFSI) can place individuals on a central sanctions list, thus making ransom payments to such individuals a criminal offence.
  • The Proceeds of Crime Act 2002 creates further offences, including entering into arrangements which the business knows or suspects facilitates the acquisition of criminal property.
  • The Terrorism Act 2000 makes it a criminal offence for a person to pay a ransom with knowledge (or reasonable suspicion) that it will finance terrorism.

In addition, there are reporting and cybersecurity requirements associated with the Network and Information Systems (NIS) Regulations, and the Information Commissioner’s Office (ICO) can issue fines or penalties in respect of a breach of data protection rules.

Indeed, the ICO recently fined construction company Interserve £4.4m for failing to keep personal data of its staff secure when it neglected to put in place appropriate security measures to prevent a cyber-attack, enabling hackers to access personal data of up to 113,000 employees via a phishing email.

What preventative action can businesses take?

Given the importance of protecting data, businesses may consider familiarising themselves with the Data Protection Act 2018; the National Cyber Security Centre’s ‘ransomware portal’; and the ICO’s recently published checklist to help businesses mitigate threats to their data. This includes the following recommendations:

  • Consider data governance and implement sufficient security principles and communicate these across the business.
  • Ensure that asset identification is meticulous – i.e. identifying, documenting and classifying all personal data that is processed (including higher classification for special category data). Processed personal data should also be protected by appropriate controls, for example by reference to the NCSC’s Mitigating Malware and Ransomware Guidance.
  • Protect the entirety of a business’s digital systems with access controls, for instance multi-factor authentication which can prevent the wrong people from accessing these systems.
  • Ensure high levels of staff education and awareness, as security measures will require human input as well. This can be attained through training so that all staff are aware of the risk of ransomware attacks.
  • After establishing strong defences, it is important to maintain them. For example, it is beneficial to keep a policy for patching security systems when flaws arise, with reference to the NCSC’s Vulnerability Management Guidance. Alongside this, businesses should consider conducting regular security audits and scanning for potential vulnerabilities, whilst measuring the systems in place against, by way of example, the Cyber Essentials standards.
  • Put in place response plans for when something goes wrong. Using adequate controls to monitor, detect and respond to attacks as they arise will bolster security. Smaller businesses can do this by using the NCSC’s ‘Logging Made Easy’ system. Make sure the incident response plan incorporates thresholds for when the ICO or individuals should be notified of a security incident.
  • Put in place disaster recovery protocols such as offline backups to ensure personal data can be quickly and safely restored in the event of a breach.

Looking ahead

Clearly, ransomware attacks are not going to disappear. Indeed, the NCSC recently hosted a security summit bringing together over 2,000 experts from across the world to address the issue of cybersecurity attacks and how to keep future technologies secure. As the country, and world, grapples with these issues, individual businesses should take steps now to educate themselves on the cyber and legal risks, and ensure their systems are as safe as they can be.

This article was first published in Business Info.