ICO updates cyber attack guidance as Russia fears rise

The Information Commissioner’s Office is urging firms to step up their vigilance against cyber-attacks in the face of a heightened threat from Russian hackers, calling on employees to report any suspicious emails rather than delete them.

The move follows warnings issued by GCHQ’s National Cyber Security Centre (NCSC) that UK organisations should bolster their online defences, adding that there had been an “historical pattern of cyber attacks on Ukraine with international consequences”.

In an interview with The Guardian, Information Commissioner John Edwards said: “We have picked up on that heightened threat environment and we think it’s really important to take the opportunity to remind businesses of the importance of security over the data that they hold. This is a different era from blacking out the windows and keeping the lights off. The threats are going to come in through your inbox.”

Edwards said that the ICO has already seen a steady increase in cyber-attacks against UK businesses over the past two years.

Between July and December last year the ICO recorded 1,345 “cybersecurity incidents”, including ransomware and phishing attacks, up nearly 20% on the same period in 2019.

Edwards added: “They may be from state actors as part of an offensive or they may be organised crime or they may be some nuisance vandal hackers. It doesn’t matter. What we need to keep doing is with the NCSC and the National Crime Agency amplify the message that cybersecurity is not a question of do it once and forget it. It’s about all-the-time vigilance.”

The Commissioner said the ICO had yet to see warnings of Russian cyber retaliation for UK support of Ukraine come to fruition, but companies should check their cybersecurity, including reminding employees to report suspicious emails rather than just deleting them.

He warned that companies could be exposed to penalties if they did not take adequate measures against attacks. “If it’s the equivalent of leaving the front door open with a whole lot of other people’s stuff inside, really for anyone to walk away with, then we’ll maybe look at the regulatory options that we have and the penalties that are available.”

Edwards also revealed that the ICO has updated its guidance on ransomware, which states: “Sectors such as education, health, legal services and business are amongst the most targeted. However, all UK businesses that process personal data are at risk. This is due to the low barriers to entry, such as by using ransomware-as-a-service and opportunistic attacks.”

The guidance details eight separate scenarios, including attacker sophistication, personal data breach, breach notification, disaster recovery, and ransomware payment.

In the latter, the ICO states: “If attackers have exfiltrated the personal data, then you have effectively lost control over that data. This means individuals have lost the protections and rights provided by the UK GDPR. For example, transparency of processing or subject access rights. For this reason, we do not view the payment of the ransom as an effective mitigation measure.

“If you do decide to pay the ransom to avoid the data being published, you should still presume that the data is compromised and take actions accordingly. For example, the attacker may still decide to publish the data, share the data offline with other attack groups or further exploit it for their own gains. You still need to consider how you will mitigate the risks to individuals even though you have paid the ransom fee.”
