ICO ransomware guide and checklist for businesses

The Information Commissioner’s Office (ICO) is recommending that businesses and organisations establish incident response, disaster recovery and business continuity plans to address the heightened risk of ransomware attacks.

The recommendation accompanies ICO’s new guidance, and a checklist of actions businesses should review to assess their preparedness against potential ransomware attacks on their organisation.

Ransomware is an increasingly prevalent form of cyber-attack. Personal data breaches from the ICO’s caseload during 2020/2021 have seen a steady increase in the number and severity caused by ransomware. The guidance presents eight scenarios about the most common ransomware compliance issues the ICO has seen:

  • Scenario 1: Attacker sophistication Indiscriminate and non-specific targeting of SME’s
  • Scenario 2: Personal data breach –  Unauthorised disclosure or access to personal data
  • Scenario 3: Breach notification – Notifying the ICO of a personal data breach
  • Scenario 4: Law enforcement – Contacting law enforcement agencies
  • Scenario 5: Attacker tactics, techniques and procedures – Recognising the attack vectors
  • Scenario 6: Disaster recovery – Your plan for dealing with cyber incidents
  • Scenario 7: Ransomware payment – Paying a ransom to cyber criminals
  • Scenario 8: Testing and assessing security controls – Mitigating cyber attacks

Ransomware payment and data protection compliance

In its guidance, the ICO supports the position of law enforcement in not encouraging, endorsing or condoning the payment of ransom demands to criminals by businesses who have lost access to their systems and data. The ICO also does not consider the payment of a ransom as an ‘appropriate measure’ to restore personal data in the event of a disaster.

Businesses that choose to pay the ransom to avoid the data being published should still presume that the data is compromised. They should take actions accordingly to mitigate the risks to individuals even though the ransom fee has been paid and – where necessary – inform the ICO of the breach.

Cybersecurity is not only for larger businesses and public organisations. SMEs are in fact some of the most vulnerable targets for cybercrime, and therefore this topic should be at the forefront of all business leaders’ minds.

Read a copy of our briefing note entitled ‘Is your business protected against cyber threats?’ for some points to help SMEs safeguard against cybercrime and be prepared.

For more information and to find out more about our IT support services, please contact Gareth Dalton or your usual Beavis Morgan Partner for more information about how we can help you protect your business.

IT security is a collective responsibility, and it is essential that SMEs take the necessary steps to protect against cyber attacks.

See: Ransomware and data protection compliance | ICO