The UK’s chief cybercrime fighter has warned companies and other organisations that paying ransomware demands does not guarantee the end of a cybersecurity crisis.
Felicity Oswald, chief executive of the National Cyber Security Centre (NCSC), made her remarks as the insurance industry came together to launch a national campaign to strengthen the response to ransomware attacks on computers.
Launched at this week’s CYBERUK 2024 conference in Birmingham, the campaign aims to offer organisations a beefed-up model to deal with criminals hacking into computer networks.
The launch comes as concerns grow about the rising threat of ransomware attacks. Next week, Board Agenda will host a special webinar on cybersecurity, exploring how boards can prepare.
Oswald said the joining together of the Association of British Insurers (ABI), the British Insurance Brokers’ Association (BIBA) and the International Underwriting Association (IUA) was an “encouraging” moment in the fight against cybercrime.
She warned ransom payments provide little certainty. “The NCSC does not encourage, endorse or condone paying ransoms, and it’s a dangerous misconception that doing so will make an incident go away or free victims of any future headaches.
“In fact, every ransom that is paid signals to criminals that these attacks bear fruit and are worth doing.”
Sixfold increase
A survey by Sophos, a cybersecurity consultancy, revealed last month that 59% of organisations were hit by ransomware last year, a slight drop on the previous two years, but the average payment has increased 500%, globally.
Among the organisations that reported paying ransom demands across 14 countries, the average payment was $2m (£1.58m), up from $400,000 in 2023. The average cost of recovery in the survey group of 5,000 people was $2.7m.
In other research, 87% of UK organisations were said to be “vulnerable” to cyber attack. Produced by Microsoft and Goldsmiths College, the study said only 13% of organisations were “resilient” to attack. A hefty 39% were declared to be “at high risk”.
Microsoft director of security Paul Kelly said that criminals were “tooling up” with AI to “increase the sophistication” of attacks.
Last year, there were reports that ransom criminals may be asking companies for their cyber insurance details as a way of calibrating their demands.
The new campaign’s model is a best practice guide, based on research conducted for NCSC by the Royal United Services Institute, a security think tank.
The guidance aims to “improve market-wide discipline” in managing cyber-attacks through the need for business impact assessments, reporting protocols and knowing how to access support.
The conference also saw the NCSC’s chief technology officer, Ollie Whitehouse, express concern about the obstacles to introducing secure technology.
“We know how to design and build resilient, secure technology. We just need a market that supports and rewards it.”
In the age of artificial intelligence, technology has become a major agenda item for boards. Cybersecurity is a key element of that.