In today’s digital world, the threat of cyber attacks is ever-present, yet many organisations remain hesitant to report incidents.
Whether it’s the fear of reputational damage, or the belief that keeping quiet will make the problem disappear, this reluctance can have serious repercussions - not only for the affected company, but for the wider community.
Transparency about cyber attacks isn’t just important; it’s essential to improve the overall security landscape. Following expert guidance from the National Cyber Security Centre (NCSC) and the Information Commissioner’s Office (ICO), let's dispel the myths that surround reporting attacks.
Myth 1: If I cover up the attack, everything will be ok
The reality is that not reporting an attack makes future breaches more likely. Just like leaving a burglary unreported invites more theft, not investigating and sharing information about a cyber attack leaves vulnerabilities in place for you and those around you.
Every successful cyber attack that goes unreported, with no investigation or information sharing, makes follow-up attacks more likely, because no one learns from it.
Myth 2: Reporting increases the risk of public exposure
On the contrary, reporting a breach to the NCSC or the ICO provides access to support and resources. Both organisations respect confidentiality and work with companies to manage incidents discreetly.
Of course, in certain incidents, it can be a regulatory requirement to report a breach, and information may need to be disclosed if there is a substantial risk to public safety. In these situations, the ICO endeavours to be in dialogue with a company about this, so there aren’t any surprises.
Myth 3: Paying the ransom fixes the problem
Ransom payments don’t guarantee the safe return of your data and can lead to further attacks. Sharing information with authorities is a more secure approach.
Staying in touch with the NCSC and their law enforcement partners will help you to understand the full picture and seek to establish how the cyber criminals got into your systems in the first place, so you can fix that.
Myth 4: Offline backups mean I won’t need to pay a ransom
Even if you follow outstanding data security guidance from the NCSC and have offline backups to rebuild from in worst-case scenarios, attackers may still attempt to extort you and threaten to leak stolen sensitive data unless a ransom is paid.
It’s crucial to consider what data you hold and how you protect it (for example, with encryption); think of it as securing valuables that belong to someone else. Remember, you are responsible for safeguarding personal data, and this is also a legal requirement under data protection law. Refer to the ICO’s security guidance if this concept remains a knowledge blackspot for you.
Myth 5: No evidence of data theft means no need to report to the ICO
If attackers have accessed your systems, you must start from the assumption that data has been taken, even without clear evidence in your logs. As the transparency article puts it, absence of evidence isn’t evidence of absence.
The NCSC has witnessed many cases where organisations were convinced their data was safe, only to have it surface on the dark web at a later date. Proactively seeking support and communicating openly reduces the risk of future leaks.
To reiterate, in case you missed it earlier: you are required to report incidents under data protection law when the thresholds are met, and lack of evidence isn’t a defence.
Myth 6: You’ll only get fined if your data is leaked
Being the source of a data leak isn’t the sole reason to incur a fine, and you aren't necessarily going to be fined in the event of a data breach. A personal data breach is more than a simple loss of data: destruction, alteration, or unauthorised disclosure of or access to data also counts.
The ICO considers the context of each case and emphasises improving data protection practices over punitive measures. However, serious or negligent behaviour can lead to enforcement action. Following guidance and communicating with authorities like the NCSC can positively impact the ICO’s response.
Final Thoughts
It's time we change the narrative about admitting to cyber attacks. By reporting cyber attacks to the right authorities and sharing lessons learned with others, together we can create a stronger, more resilient cyber secure environment.
To learn more about improving your cyber security and operational resilience, contact us for a wide range of expert advice.
Cover Photo: Adi Goldstein on Unsplash
12 Sep 2024