Keeping a cyber incident quiet makes other attacks more likely and makes everyone less safe, the National Cyber Security Center (NCSC) and the Information Commissioner’s Office (ICO) have warned.
In a rare joint blog post, the two authorities came together today to try to dispel some of the common myths about incident reporting and break the cycle of cybercrime.
They argued that every incident that goes unreported is a missed opportunity to learn from and improve the protection of all organizations. If it’s a ransomware attack, paying extortionists will encourage them to continue the attacks, they warned.
“Imagine coming home from work to find that your house has been burgled. Instead of reporting it to the police and seeking support, you quickly put it right and carry on as if nothing had happened, hoping that no one find out and without further investigation,” the blog post noted.
“Next week, your neighbor is also robbed, although you may not know because he doesn’t mention it. And then the thieves come back to your place because you haven’t detected that the open window is still open, so it’s easy for them to come back.”
More about incident reporting: Safety incidents reported to FCA Up 52% in 2021
The NCSC and ICO listed six common misconceptions about incident reporting:
- Covering up an attack means everything will be fine
- Reporting to the authorities makes it more likely that the incident will become public
- Paying a ransom makes the incident go away
- If an organization has good offline backups, they won’t have to pay a ransom
- If there is no evidence of data theft, organizations do not need to report to the ICO
- Organizations will be fined if data is leaked
The NCSC explained that it never proactively releases incident information or shares it with regulators without the victim’s organization’s consent. The ICO added that it does not disclose details of an incident beyond confirming whether or not an incident has been reported.
The NCSC reminded organizations that offline backups do not mitigate the risk of data theft in double-extortion ransomware attacks, and that even if there is no evidence that data was taken, the victims should “start from the assumption” that it has been.
The ICO was also at pains to point out that while online extortionists may claim that all breaches result in fines, the reality is quite different.
“As a fair and proportionate regulator, the ICO understands that helping organizations improve their data protection practices is also the best way to protect people’s data,” he said. “If we find serious, systemic or negligent behavior that puts people’s information at risk, enforcement action may be an option. But that’s not a blanket approach.”
The recent guidance issued by the National Cyber Security Centre (NCSC) and the Information Commissioner’s Office (ICO) has dispelled the myths around incident reporting requirements for companies. The guidance effectively clarifies what businesses should do in the event of a cyber security incident, making it easier for them to respond quickly and effectively.
This comes at a time when businesses are increasingly under threat from cyber security attacks and other breaches, placing them in a precarious position in terms of regulatory compliance. The guidance from the NCSC and ICO makes reporting requirements easier to understand, providing a clear indication of what a company needs to do in the event of an incident. Ikaroa is committed to helping businesses navigate the complexities of cyber security reporting, with a suite of online tools that allow businesses to quickly and easily manage their incident notification process.
At Ikaroa, we believe that the guidance issued by the NCSC and ICO is extremely helpful and necessary in order to assist businesses in complying with reporting requirements. We strive to empower businesses to embrace an ethos of taking ownership and responsibility for cyber security, while also being aware of the risks and potential regulatory implications if they fail to do so. By enabling businesses to easily satisfy reporting requirements, we can help them to remain compliant and minimize the impact of any potential regulatory action.
Our comprehensive suite of tools are designed to help businesses ensure that their systems are secure and remain compliant with reporting requirements. Through our platform, businesses can view and update incident notifications in real-time, track their progress and set automated reminders. We also provide training to ensure that corporations remain responsive to incident notifications and are up-to-date with relevant regulations.
Overall, the guidance from the NCSC and ICO provides much needed clarity for businesses, allowing them to better understand the associated reporting requirements and take appropriate steps to protect their cyber security. At Ikaroa, we believe that businesses should be empowered to take responsibility for their security, and we strive to make the process easier for them to do so. With our suite of online tools, businesses remain compliant, keep their systems safe, and benefit from the clarity provided by the NCSC and ICO.