The UK’s National Cyber Security Centre and Information Commissioner’s Office have issued a joint statement stressing the need for companies to report cyber attacks.
They want organisations to be more open about their experience of cyber attacks, to encourage reporting and prevent future incidents.
In a joint blog post the NCSC and ICO identify six misconceptions that can discourage organisations from reporting attacks, particularly ransomware attacks.
The two leading organisations contend that every ‘hushed up’ case that isn’t shared or fully investigated makes other attacks more likely as no one can learn from them.
Being open with the authorities will give victims access to expert support and advice, and will be taken into account favourably by the ICO when considering their regulatory response.
The six ‘myths’ which the NCSC and the ICO have identified as commonly held by organisations that have fallen victim to cyber incidents are:
- If I cover up the attack, everything will be ok
- Reporting to the authorities makes it more likely your incident will go public
- Paying a ransom makes the incident go away
- I’ve got good offline backups, I won’t need to pay a ransom
- If there is no evidence of data theft, you don’t need to report to the ICO
- You’ll only get a fine if your data is leaked
Eleanor Fairford, NCSC Deputy Director for Incident Management, said: “The NCSC supports victims of cyber incidents every day, but we are increasingly concerned about the organisations that decide not to come forward.
“Keeping a cyber attack secret helps nobody except the perpetrators, so we strongly encourage victims to report incidents and seek support to help effectively deal with the fallout.
“By responding openly and sharing information, organisations can help mitigate the risk to their operations and reputation, as well as break the cycle of crime to prevent others from falling victim.”
The blog also addresses assumptions about data risk, highlighting that a lack of evidence that data has been stolen does not mean theft did not take place, while paying a ransom to criminals to restore services quickly can increase the likelihood of being retargeted and does not guarantee stolen information will not be leaked later.