Lawyers urged to stop advising clients to pay ransomware demands
The legal profession has been urged to stop advising clients to pay ransomware demands, in a joint letter released today by the National Cyber Security Centre (NCSC) and the United Kingdom's Information Commissioner's Office (ICO).
The open letter asked the Law Society to remind its members that they should not advise clients to pay ransomware demands when they fall victim to a cyberattack. The letter stressed that paying a ransom does not reduce the risk of future attacks on the organization, nor does it guarantee that encrypted systems will be decrypted or that stolen data will be returned. Additionally, paying ransomware groups "will not reduce penalties incurred by ICO enforcement actions."
The NCSC and ICO also urged lawyers to consider the broader harm caused by paying ransomware demands, since every payment funds and incentivizes further attacks by malicious actors. They observed that the reported annual cost of cybercrime runs into the billions, and that the true figure is considerably higher because it does not capture the indirect costs borne by businesses.
Instead, the letter reminded the Law Society that reporting a ransomware incident to the ICO is mandatory where it puts individuals at high risk. Additionally, once an incident is reported the NCSC can provide support and incident response to mitigate the damage. It will also work with victim organizations to help them learn from the attack and ensure they have taken steps to protect themselves against similar incidents.
The letter added that the ICO "will recognize risk mitigation where organizations have taken steps to fully understand what happened and learn from it and, where appropriate, have reported their incident to the NCSC, reported to law enforcement via Action Fraud, and can demonstrate they have followed the advice or can demonstrate compliance with appropriate NCSC guidance and support."
The ICO also noted that victim organizations should be directed to its updated ransomware guidance page, which sets out the steps to follow in the event of a ransom demand.
NCSC CEO Lindy Cameron said: “Ransomware remains the biggest online threat to the UK and we are clear that organizations should not pay ransom demands.
“Unfortunately, we have seen a recent increase in payments to ransomware criminals and the legal industry has a vital role to play in helping reverse this trend.
“Cybersecurity is a collective effort and we urge the legal industry to help us fight ransomware and keep the UK safe online.”
John Edwards, UK Information Commissioner, added: "Engaging with cybercriminals and paying ransoms only incentivizes other criminals and will not ensure that compromised files will be disclosed. It certainly does not reduce the scale or type of coercive action by the ICO or the risk to those affected by an attack.
"We have seen cybercrime cost UK businesses billions over the past five years. The answer to this must be vigilance and good cyber hygiene, including keeping proper backup files and properly training staff to identify and stop attacks. Organizations will get more credit for these arrangements than for paying the criminals.
"I want to work with the legal profession and the NCSC to make sure companies understand how we will review cases and how they can take practical steps to protect themselves in a way that we will recognize in our response should the worst happen."