UK NCSC, ICO debunk 6 cyberattack reporting myths

The UK National Cyber Security Centre (NCSC) and the UK’s data protection regulator the Information Commissioner’s Office (ICO) have published a rare joint article dispelling several myths about cyberattack reporting to tackle the problem of unreported data breaches. The pair argued that, while businesses may be tempted to hide data breaches to avoid negative scrutiny, cybercriminals enjoy greater success when attacks are not reported.

In contrast, greater transparency and open discussion around cyberattacks is a positive for everyone, giving victims access to support and advice, sharing lessons learned to help improve awareness and cyber resilience, and breaking the cycle of crime to prevent others from falling victim. It’s also likely to be viewed more favourably by data protection regulators.

The misconceptions include the belief that reporting cyberattacks to the authorities makes it more likely incidents will become public, and that paying ransoms automatically makes incidents go away.

Last year, a Freedom of Information (FOI) request from Veritas Technologies found that self-reported breaches to the ICO rose 29% to 12,314 in 2021/22, up from 9,535 in 2020/21. Meanwhile, nearly half of British companies (43%) have been the victim of a cyberattack in the past three years, with over a third of them more than once (17%), according to a new report from security awareness and training firm SoSafe.

The NCSC and ICO identified six myths that are not only generally inaccurate but also discourage organisations from reporting breaches.

Myth 1: It’s OK to cover-up a cyberattack

The first myth dispelled is the belief that covering up an attack will positively serve an organisation. “Every successful cyberattack that is hushed up, with no investigation or information sharing, makes other attacks more likely because no one learns from it.” For example, every ransom that is quietly paid gives criminals the message that these attacks work and it’s worth doing more, the article read.

“If attacks pass by without full investigation and information sharing, particularly with those who can help mitigate it, everything definitely won’t be OK. Keeping your cyber incident a secret doesn’t help anyone except the criminals.”

Myth 2: Reporting an attack to authorities makes it more likely it will go public

The next myth dispelled is the notion that reporting an attack to the authorities will increase the chance of the incident going public, with no positive outcome for the reporting business. “If your organisation experiences a cyberattack, reporting it to the NCSC or law enforcement means you can access the wealth of support available,” the pair wrote. One of the responsibilities of NCSC Incident Management is to provide direct support to affected organisations where there is a national impact, working with the appointed incident response provider. The NCSC also has extensive communications support available to help companies navigate incidents and manage media coverage and active communications.

As the UK’s data regulator, the ICO’s role is to provide guidance and support to the organisations it regulates, as well as to monitor and enforce the regulations it oversees. When it comes to deciding any regulatory response, the ICO considers how proactive an organisation is about getting the right support, which includes engaging with the NCSC and implementing any advice, the article read. “In our next process review, we’re [the ICO] even considering making explicit the amount saved in a fine when an organisation has positively engaged. Where information about an incident does need to be made public – not always the case – we will usually be in dialogue with a company about this so there aren’t any surprises.”

It’s important to remember that there may be a regulatory requirement to report an incident.

Myth 3: Paying a ransom makes the incident go away

In the event of a ransomware attack, organisations may be tempted to pay the ransom quickly to get the decryption key and restore services, but this is a misconception that can cause further problems for victims, the NCSC and ICO stated.

“Paying a ransom is basically accepting a pinky promise from criminals that they will decrypt your network or not leak stolen data. Nothing is guaranteed and bear in mind that organisations that pay the ransom are likely to be targeted again. Estimates vary but it’s suggested that around one-third of all organisations affected by ransomware are attacked again.”

It’s basically rewarding criminals for their efforts and makes it more likely they’ll carry out more attacks against other organisations, ultimately making the broader threat landscape worse. From the ICO’s point of view, paying ransoms doesn’t reduce the risk to individuals – it’s not a mitigation under data protection law, and isn’t considered a reasonable step to safeguarding data.

The NCSC, along with law enforcement, do not endorse, promote, or encourage the payment of ransoms, but recognise that an unprepared organisation, in the aftermath of an attack, may take the view that paying a ransom is the only way out. If that’s the case, businesses should still stay in touch with the NCSC and its law enforcement partners so they can understand the full picture.

Myth 4: Offline data backups mean there’s no need to pay a ransom

The next myth debunked is the belief that offline data backups mean a business will never need to consider paying a ransom. “Unfortunately, the data extortion angle adds a whole new level of complexity. If the attackers have access to sensitive data, they could threaten to leak it unless you pay the ransom.”

Organisation must carefully address the data they hold and how they protect it, the article read. “It’s a bit like storing someone else’s valuables in your house in a cardboard box with the words ‘valuable stuff in here!’ on it, and your window left unlocked for the thieves to get in. You are responsible for protecting the valuable items you hold – except in this case, it’s other people’s personal data.”

Myth 5: There’s no requirement to report an attack if there’s no evidence of data theft

A lack of evidence that data has been stolen should not prompt businesses to assume there’s no need to report an attack. “You might not be able to see in your logging data whether or not data was stolen, but if there is any suggestion that the actor has accessed the systems holding your data, you should start from the assumption that it has been taken.”

There have been many examples of organisations affected by ransomware that were convinced no data had been taken, only to find it in a dark web data leak weeks or months later, the article said. With early support and open communication, businesses can reduce the risk of an unpleasant surprise of future data leaks. “Remember that point about lack of evidence – poor situational awareness isn’t an adequate technical control. You could be living in blissful ignorance while also being in breach of data protection law.”

Myth 6: You’ll only get a fine if your data is leaked

The last myth dispelled by the NCSC and ICO is the belief that data breach regulatory fines are only handed out if data is leaked, but this is not always the case. “A data leak isn’t the only reason for a fine, and you won’t always be fined if data is leaked. A personal data breach is more than just a loss of data; it also includes its destruction, alteration, and unauthorised disclosure or access to it. The ICO looks at the context of each individual case – it’s not just about whether data was leaked.”

If the ICO finds serious, systemic, or negligent behaviour that puts people’s information at risk, enforcement action may be an option, but this isn’t a blanket approach. “If your organisation has raised the incident with the NCSC, and you can show you’ve followed guidance and support, it could positively impact our response,” the article read.

What’s more, cybercriminals can prey on the misconception that a data leak is the source of a fine, stating that if a company pays a ransom, they will avoid a hefty fine. “Don’t succumb to their techniques! Seek support and communicate early to avoid an investigation later into an incident you tried to hide.”

Cyberattack reporting “breaks cycle of crime”

The NCSC supports victims of cyber incidents every day, but it is increasingly concerned about the organisations that decide not to come forward, said Eleanor Fairford, NCSC deputy director for incident management. “By responding openly and sharing information, organisations can help mitigate the risk to their operations and reputation, as well break the cycle of crime to prevent others from falling victim.”

It’s crucial that businesses are aware of their own responsibilities when it comes to cybersecurity, but transparency is more than simply complying with the law, added Mihaela Jembei, ICO’s director of regulatory cyber. “Cybercrime is a borderless and global threat and it’s through knowledge sharing that we can help organisations help themselves.”