Keeping a cyber-incident quiet makes other attacks more likely and makes everyone less secure, the National Cyber Security Centre (NCSC) and Information Commissioner’s Office (ICO) have warned.
In a rare joint blog post, the two authorities came together today in an attempt to dispel some of the common myths around incident reporting and break the cycle of cybercrime.
They argued that every incident that goes unreported is a missed opportunity to learn from it and enhance protection for all organizations. If it is a ransomware attack, paying the extortionists will encourage them to continue with attacks, they warned.
“Imagine that you come home from work to find your house has been burgled. Instead of reporting it to the police and seeking support, you quickly tidy everything up and carry on as if nothing had happened, hoping no one finds out, and without investigating further,” the blog post noted.
“The next week your neighbour is burgled too, although you might not know about it because they don’t mention it. And then the burglars return to your place again because you didn’t spot that the unlocked window is still unlocked, so it’s easy for them to get back in.”
The NCSC and ICO listed six commonly held misconceptions about incident reporting:
- Covering up an attack means everything will be ok
- Reporting to the authorities makes it more likely the incident will go public
- Paying a ransom makes the incident go away
- If an organization has good offline backups they won’t need to pay a ransom
- If there is no evidence of data theft, organizations don’t need to report to the ICO
- Organizations will be fined if data is leaked
The NCSC explained that it never proactively makes incident information public, or shares it with regulators without the victim organization’s consent. The ICO added that it doesn’t disclose details of an incident beyond confirming whether or not an incident has been reported.
The NCSC reminded organizations that offline backups do not mitigate the risk of data theft in double extortion ransomware attacks, and that even if there’s no evidence data has been taken, victims should “start from the assumption” that it has been.
The ICO was also at pains to point out that, although online extortionists may claim that all breaches result in fines, the reality is quite different.
“As a fair and proportionate regulator, the ICO understands that helping organizations to improve their data protection practices is also the best way to protect people’s data,” it said. “If we find serious, systemic or negligent behaviour that puts people’s information at risk, enforcement action may be an option. But this isn’t a blanket approach.”