The ransomware payment ban: what’s the potential impact for UK businesses?


In the past year, the UK government has signaled that it intends to take a more proactive stance on tackling ransomware by introducing a targeted ban on ransomware payments.

Under the proposed measures, all publicly funded bodies and critical national infrastructure providers (CNIs), including the NHS, schools and local councils, would be prohibited from paying ransoms.

Darren Thomson, Field CTO EMEAI at Commvault.

In parallel, the government intends to introduce a mandatory ransomware pre-payment notification regime that will impose new reporting duties on private companies. While businesses would still retain the legal ability to pay, they will have to notify the government of their intention to do so.

Designed to “strike at the heart of the cybercrime business model”, the government’s proposed ransomware payment ban aims to make UK public services a less tempting target for cyber criminals by eliminating any financial incentive.

However, concerns are growing that the ban and the new notification scheme will have unintended consequences for private sector businesses.

The compliance conundrum

Since public sector entities would become less attractive targets, the worry is that attackers will redirect their efforts and double down on targeting private sector companies. Should this happen, it means that SMEs, retailers, manufacturers, and non-profits will be firmly in the crossfire of cyber criminals.

Meanwhile, the pre-payment notification regime has significant implications for private sector firms who will be required to engage with authorities and report their intention to make a ransomware payment.

Companies that fall victim to ransomware will face a real-world dilemma should the government decide to exercise its blocking powers and sanction any payment being made.

While no firm wants to pay a ransom, many may feel there is little choice but to pay and risk criminal charges should the company’s survival be at stake. It also risks forcing ransomware payments underground, should organizations decide to make payments in secret rather than face bankruptcy.

Our recent research highlights the conundrum private sector firms now face. While 94% of UK business leaders say they support the principle of a payments ban for public entities, they were more ambivalent about compliance.

A significant 75% admitted that if the ban were to be extended to the private sector, they would still pay a ransom if it were the only way to save their organization, regardless of whether civil or criminal penalties applied. Just 10% were able to say with conviction that they would comply in the event of an attack.

The implication of these findings calls the likelihood of full compliance with the government’s proposed notification regime into question. Faced with seeking government pre-approval for ransomware payments, companies may decide to discreetly pay off attackers and resolve the incident without notifying regulators.

Given the growing likelihood of an attack and the fact that ransomware payment decisions will expose organizations to a number of ethical, legal, and practical challenges, private sector firms must take steps to strengthen their cyber resilience and reduce their reliance on paying ransoms in the event of an attack.

Taking a business-first approach: adopting the minimum viability model

The minimum viable company (MVC) concept offers organizations a pragmatic and business-first approach to maintaining essential services during a cyber attack.

For many organizations, being able to continue to operate, even in a reduced way, will make all the difference when it comes to minimizing disruption until a full recovery can be achieved.

The primary focus of the MVC approach is to first restore the services that are essential for maintaining critical operations, thereby reducing operational downtime. By focusing only on the mission-critical services needed to maintain essential functionality, organizations gain the time they need to carry out a full recovery.

To create an effective MVC framework, organizations will need to:

1. Identify the fundamental applications and services that must always stay secure and operational. Typically, these will include authentication and identity management, communication platforms such as email and collaboration tools, financial and customer-facing applications, and core operational workflows.

2. Invest in advanced data protection mechanisms such as immutable air-gapped backups that cannot be altered or deleted by bad actors. This will help keep the organization's most valuable information intact and recoverable.

Regular recovery point validation is crucial here: it confirms that clean, uncorrupted data is actually available for restoration, rather than assuming the backups will work when they are finally needed.

3. Clearly define the roles and responsibilities of key stakeholders so that the organization can deliver on its recovery objectives. Running regular scenario-based recovery drills will help ensure everyone is prepared to undertake a faster and more effective restoration to a minimum viable state.

The goal here is to test the organization’s readiness and ability to recover from an attack and to continuously improve its processes and procedures.

Building a future-ready organization

Once the government formalizes its proposed payment ban and new mandatory reporting requirements, UK businesses will need to be prepared for what happens next.

Until then, organizations operating in both the public and private sectors must have a clear and actionable plan in place to restore critical systems, data, and processes following an attack, especially as paying a ransom rarely guarantees recovery and can often increase the probability of being targeted again.

By building minimum viable company principles into resilience planning and recovery strategies, organizations can reduce the likelihood of complete operational failure when an attack occurs.


This article was produced as part of TechRadarPro's Expert Insights channel where we feature the best and brightest minds in the technology industry today. The views expressed here are those of the author and are not necessarily those of TechRadarPro or Future plc. If you are interested in contributing find out more here: https://www.techradar.com/news/submit-your-story-to-techradar-pro
