The Information Commissioner’s Office (‘ICO’) has reported that it has seen a ‘significant rise’ in cyber security attacks, with 1,345 attacks being reported by organisations in the last six months of 2021. The National Cyber Security Centre (‘NCSC’) recognises ransomware as the biggest cyber threat facing the United Kingdom. It is now more important than ever, particularly in light of current international tensions, to make sure that you have taken adequate steps to prevent attacks and to deal with an attack should one occur. In addition to the risk of significant disruption to businesses and reputational risks, fines for data breaches under the UK GDPR can be up to the higher of £17.5 million or 4% of total worldwide annual turnover.
What is ransomware?
Ransomware is malicious software that, once delivered to a computer system, unlawfully encrypts the files held on it. This effectively means that the owner of the systems can no longer access those files and data. Attackers will often then demand payment in return for the files being made accessible again.
A ransomware attack can constitute a data breach where personal data is either unlawfully accessed by a third party (including by automated code) or made unavailable to the controller responsible for it (even if only for a period of time).
Do we need to be concerned if we are a smaller organisation?
In short, yes. It is not uncommon for attackers to use indiscriminate attacks which are sent to a large number of recipients - these attacks are not aimed at particular types of organisations and so can affect businesses of all sizes.
What can we do to prevent ransomware attacks?
The following steps can help to prevent an attack:
- Implement a cyber incident response plan. This is described by the NCSC as a “critical step towards a robust and effective incident management and technical response capability”.
- Train employees on cyber security. This will help to reduce the risk to your organisation and to assist with your response in the event of an attack. The NCSC’s ‘Exercise in a Box’ resource provides exercises that organisations may find useful as part of their training strategy.
- From a technical perspective, the NCSC recommends that organisations:
  - back up data regularly;
  - prevent malware from being delivered and spreading to devices; and
  - prevent malware from running on devices.
  If you haven’t already done so, you should evaluate what technical steps you can take to make your systems as secure as possible.
- Consider what effects an attack may have on your business - for example, your ability to supply products, and what steps you could take to mitigate those effects - such as including a right to suspend performance under your supply contracts in the event of an attack.
- Think about taking out cyber insurance.
What should we do if we suffer an attack?
Initial steps include the following:
- Tell your IT department (or external IT provider) immediately so that they can take steps to contain the situation.
- Contact your lawyers as soon as possible. This will help to identify and deal with any potential data protection risks.
- Determine whether you need to make a report to the ICO and any individuals concerned.
- Consider whether to respond to a ransom demand. Law enforcement and the ICO advise against paying ransoms. The NCSC has made it clear that there is no guarantee that paying a ransom will result in access to data being restored, and that organisations which pay face a higher risk of being targeted in the future.
If you would like further information about how we can help with minimising your risks from a data protection perspective or if you have any questions about the content of this update, please contact the Corporate and Commercial department at 3CS or your usual 3CS contact.