Mitigo's response to the Government's proposed ban on ransomware payments
Published on 17/01/2025
These proposals are a well-intentioned attempt to tackle the rising frequency, cost and disruption that ransomware attacks by organised criminals, many of whom are based in Russia, are causing to organisations of all shapes and sizes across the UK. They follow on from the Government's draft Code of Practice on cyber security governance.
However, a number of points should be borne in mind.
The proposal for a complete ban on the public sector and critical national infrastructure paying ransom demands is intended to deter attacks against them. It may instead redirect those attacks towards businesses in the private sector, with biomedical and life-science businesses a prime target.
Although the headlines in the press feature the high profile attacks against public bodies, the reality is that the overwhelming majority of ransomware attacks are against businesses in the private sector.
The proposals in relation to the private sector would make it mandatory to report ransomware incidents to the authorities, and also to notify an intention to pay the ransom before actually doing so. Law enforcement would then review the proposed payment to see whether there is a reason to block it, for example because it would breach sanctions. This would create an additional burden on the victim business, on top of the stress of negotiating with the criminals over payment while trying to limit the damage and disruption to its business and its clients' affairs.
And what if the payment is blocked? It could be the difference between the business surviving or not. If businesses decide to pay ransom demands it is because commercially they feel forced to. Losing all client data and access to systems could leave the business permanently crippled.
Blocking a payment will not by itself stop criminal gangs from profiting from the data they have stolen, for example by selling it on to facilitate other serious crime such as card-not-present fraud, identity theft, or using stolen usernames and passwords to get into bank accounts.
Also bear in mind that these proposals relate only to ransomware attacks. Cyber crime and cyber disruption involve a much wider range of attacks which these proposals do not touch.
The bottom line is that a business should prioritise preventing a cyber breach in the first place. Cyber risk management should be right at the top of any company's risk register and a board-level responsibility.
Lindsay Hill, Chief Executive, Mitigo cybersecurity (Bionow partner for cyber risk management)