Public sector bodies and operators of critical national infrastructure, including the NHS, local councils and schools, would be banned from paying ransomware demands to criminals under new measures proposed by the UK government. The measures are designed to crack down on cyber-criminal gangs and safeguard the public. Under the proposals, businesses outside the ban's scope must also notify the government within 72 hours of any intent to pay ransoms. It remains unclear what organisations fall within scope, and whether third-party suppliers will be included.
Ransomware attacks cost the UK economy millions annually, with recent high-profile incidents affecting the likes of M&S (See - M&S cyber breach linked to Scattered Spider ransomware), Ingram Micro (See - Ingram Micro hit by SafePay ransomware attack) and the British Library (See - Ransomware attack to cause major financial hit to British Library). The government hopes the ban will make vital public services less attractive targets. However, this could backfire: attackers may simply pivot to alternative monetisation methods such as data exfiltration and triple extortion, blackmailing the individuals whose data has been compromised rather than the organisations directly.
The government continues to advocate stronger operational resilience, including offline backups, plans for operating without IT systems, and rehearsed restoration strategies. However, the proposals do not go far enough in addressing the root cause of so many breaches: poor security fundamentals and a lack of investment. The government needs to put more focus on mandating minimum security controls such as two-factor authentication, identity and access controls and ransomware detection software. Certainly, for CNI and healthcare organisations the minimum levels of cyber spend and resilience against attacks need to be much higher.
I would also like to see more protections and reparations for individuals affected by attacks. When organisations' poor cyber security practices expose personal data, victims currently have virtually no recourse; we simply accept that our emails, addresses, even banking information are exposed for all to see, with not much more than an apology from the affected firms, and maybe a year’s subscription to Experian if the breach is really severe. Smaller suppliers exposed to some of these large organisations hit with major cyber-attacks are in a similar boat, with the financial impact of operational disruption potentially even greater.
Posted by: Simon Baxter at 10:04