Solicitors have been urged to stop advising clients to pay ransomware demands in a joint letter issued last week by the UK’s National Cyber Security Centre (NCSC) and Information Commissioner’s Office (ICO).
The open letter urged the Law Society to remind all its members that they should not advise clients to pay ransomware demands when they fall victim to a cyber attack. The letter emphasised that paying ransom does not reduce the risk of further attacks or necessarily guarantee the return of stolen goods or decryption of networks. Similarly, paying ransomware groups “will not reduce any penalties incurred through ICO enforcement action.”
The NCSC and ICO warned lawyers that paying ransomware demands incentivises further cyber-attacks by malicious actors. The letter notes that the annual cost of cybercrime is estimated to be in the billions, and that the actual cost is much higher, since this estimate does not take into account the cost to businesses.
Instead, the letter reminded the Law Society that it is a regulatory requirement for ransomware incidents to be reported to the ICO if people are likely to be put at high risk. In addition, following a report, the NCSC is able to provide support and incident response to mitigate harm. The NCSC will also help businesses that have suffered attacks to protect themselves from similar incidents.
The letter added that the ICO “will recognise mitigation of risk is where organisations have taken steps to fully understand what has happened and learn from it, and, where appropriate, they have raised their incident with the NCSC, reported to Law Enforcement via Action Fraud, and can evidence that they have taken advice from or can demonstrate compliance with appropriate NCSC guidance and support.”
The ICO added that organisations who have fallen victim to attacks should be referred to their updated ransomware guidance page, which sets out the steps that should be taken in the event a ransom demand is issued.
“Ransomware remains the biggest online threat to the UK and we are clear that organisations should not pay ransom demands,” commented NCSC CEO Lindy Cameron.
“Unfortunately, we have seen a recent rise in payments to ransomware criminals and the legal sector has a vital role to play in helping reverse that trend.”
Cameron continued: “Cybersecurity is a collective effort and we urge the legal sector to help us tackle ransomware and keep the UK safe online.”
“Engaging with cyber-criminals and paying ransoms only incentivises other criminals and will not guarantee that compromised files are released. It certainly does not reduce the scale or type of enforcement action from the ICO or the risk to individuals affected by an attack,” added John Edwards, the UK Information Commissioner.
“We’ve seen cybercrime costing UK firms billions over the last five years. The response to that must be vigilance and good cyber hygiene, including keeping appropriate backup files and proper staff training to identify and stop attacks. Organisations will get more credit from those arrangements than by paying off the criminals.”
“I want to work with the legal profession and NCSC to ensure that companies understand how we will consider cases and how they can take practical steps to safeguard themselves in a way that we will recognise in our response should the worst happen.”