National Cyber Security Centre urges businesses not to pay ransomware demands

Speaking at the cyber session at the 2023 British Insurance Brokers’ Association Conference in Manchester today, Cameron stressed that cyber hackers are more likely to target medium to large businesses for ransom, and that companies must ensure they have the right systems in place to avoid cyber attacks.

She said: “Fundamentally, cyber criminals want to make money, so they will be looking for opportunities. In this case, they will find ways to persuade you [companies] to pay a ransom to get your data.

“We still see this as the biggest source of harm to the UK economy, partly because cyber criminals are very good at looking for opportunities where they think they can persuade people that it is easier and simpler to pay the ransom rather than setting up defences. NCSC do not believe in that. We think that most organisations could defend themselves, whether they are small or big companies. “

Preventing attacks

Cameron urged businesses to think about what could go wrong, what data could they lose and what systems could they afford to have blocked or not functioning for a set amount of time.

Cyber criminals are looking for the back doors that companies have left open.

Lindy Cameron, NCSC

She continued: “Businesses need to think about how they can prevent attacks and how to do the basic cyber hygiene in order to feel confident. For example, I’ve got two-factor authentication enabled in key systems. I’ve got admin and access protected appropriately to make sure somebody can’t really hack through that.

“How do you make sure you set up your systems so that it is difficult for a cyber criminal? They will be looking for the easy options, they don’t want to make it difficult for themselves, they are looking for the back doors that companies have left open.”

Incentive

Graeme Newman, CEO of CFC, asked Cameron what the consequences would be if a company did pay a ransom.

She responded: “I try to make it very clear that if businesses in the UK do pay ransom, then that will give criminals an incentive to look to the [country] as a lucrative source of revenue. In my ideal world, nobody would pay ransom, particularly in the UK.

“Businesses would not need to pay ransom [if] they were confident [and] understood how to work around systems being locked up for a period of time. Companies do not want to be in the position to not be prepared properly, to feel under pressure and to feel as if they have no choice but to pay.”

Cyber insurance

Newman stated that there is a growing body of empirical evidence to show that businesses with cyber insurance are less likely to pay than businesses without.

Cameron responded: “That is because it gives businesses a reason to check their cyber risks, to go through their policy and tick off all the possible threats. We don’t want every small business to have to be an expert in cyber risk, we want them to be able to check through their risks. That means they are much less likely to become a victim or to be able to recover quickly if they are subject to an attack.”

For all the latest industry news direct to your inbox, sign up for our daily newsletter.