Cybercrime has been on the rise both in scale and complexity. Working remotely during the pandemic has given cybercriminals more opportunities to prey on our vulnerabilities. Every case is unique; some have a horrendous impact on lives. Just imagine an elderly person stripped of their lifetime savings by a fraudster, or employees made redundant when company operations are shut down by a cyber extortionist.
From my conversations with cyber experts and companies, I am struck by how sophisticated criminals have become. Two in five businesses and a quarter of charities reported having cyber security breaches or attacks in the past 12 months, according to the government’s Cyber Security Breaches Survey published in March 2021.
Out of all the cyber security threats we face in the UK, the number one threat is ransomware. This refers to malware attacks used to extort money from victims by rendering their networks unavailable, and which often steal and hold precious data to ransom. More recently, we have seen criminals threaten to leak stolen data in a bid to maximise the pressure on victims to pay.
Ransomware attacks can wreak havoc. We witnessed the damage the WannaCry ransomware attack did to the NHS in 2017. Some services had to turn away non-critical emergencies because much of their hospital equipment was affected. More recently, we saw how a ruthless cybercriminal gang targeted the Colonial Pipeline, a major US oil provider, resulting in fuel shortages and a state of national emergency.
The UK’s National Cyber Security Centre (NCSC) reported in its 2020 annual review that it had handled more than three times as many ransomware incidents as in the previous year. It is very difficult to assess the financial damage due to under-reporting. However, ransomware attacks cost the UK economy at least £600m in 2020, according to Emsisoft Malware Lab.
Cybercriminals see ransomware as a low-risk and lucrative endeavour, and it has become more feasible than ever. The advent of ransomware as a service (RaaS) allows many more criminal affiliates to execute attacks without having advanced IT or coding skills. It is not an exaggeration to say your business could be paralysed by an amateur.
These criminals are occasionally backed by hostile states, such as North Korea, as in the case of the WannaCry attack. Most of the groups are motivated by profit, but they can also seek to damage a reputation or sabotage an operation.
Ransomware and cyber challenges don’t stop at borders. Our government has been working tirelessly with international partners, especially the US, to fight ransomware criminals. At this year’s G7 summit we called on all states to identify and hold to account cybercriminal gangs that operate in their territories. In October, the UK hosted a session on countering illicit finance as part of a multilateral ransomware event to find new global ways of disrupting ransomware attacks.
Last month marked the fifth anniversary of the launch of the NCSC, our major national authority on cyber security. Between September 2019 and August 2020, the NCSC supported nearly 1,200 victims of 723 attacks.
The UK government is also working hard to improve the UK’s cyber resilience, investing £195m over the past five years to establish a specialist cyber law enforcement network to disrupt cybercriminals and support victims. Tackling the threat from ransomware crime is a key priority of the Home Office and we are working closely with industry leaders on further steps we can take to clamp down on this pernicious crime. Soon we will publish a new national cyber strategy that will provide significant improvements in the UK’s response to cybercrime by strengthening law enforcement, and driving greater collaboration with the NCSC and the National Cyber Force, which tackles issues such as terrorism and child sexual abuse and exploitation.
Cyber security need not be a daunting challenge for organisations of any size and, while larger organisations tend to invest more in their resilience, sound protection and recovery plans can be implemented without needing to pay an arm and a leg. All business owners should follow basic best practices.
Keep offline backups of files, test that they work and ensure that any of your contracted service providers also conform to good cyber practice. If you would like more tailored assistance, contact your regional cyber resilience centre.
It is essential that your employees receive adequate training about cyber security; for instance, they should know how to recognise phishing emails. The NCSC has published a free e-learning package to help staff stay secure online.
If you or your organisation is attacked, the strong advice is against paying any ransoms to cybercriminals. The payment of a ransom is likely to encourage further criminal activity – it does not prevent the possibility of future data leaks and doesn’t guarantee you will regain access to your IT systems.
Some may be hesitant about reporting a ransomware incident. However, it can help crack down on cybercrime by providing our law enforcement partners with precious intelligence. Above all, you will get professional advice on how to recover and how to avoid paying ransoms. Cybercrimes should be reported to Action Fraud, the Information Commissioner’s Office (for data breaches under the General Data Protection Regulation, or GDPR), or for major cyber incidents, to the NCSC.
I would recommend that we all take action to protect our data online. The government’s Cyber Aware campaign contains six actionable steps that will make individuals much less likely to fall victim to a cyber attack.
The NCSC’s Small Business Guide contains affordable, practical advice for smaller businesses, and the centre also has guidance for large organisations. There is information on how to prevent ransomware infections specifically.
Follow these actionable steps and take immediate action to protect yourself and your organisation from ransomware and other cyber attacks. Speak to your colleagues and together we can all be better protected against this threat.
Damian Hinds is Minister of State for Security at the UK Home Office.
This article originally appeared in our print policy report on cyber security, published on 19 November 2021.