ICO ransomware guide and checklist for businesses
The Information Commissioner’s Office (ICO) has produced guidance to help businesses establish incident response, disaster recovery and business continuity plans to address the heightened risk of ransomware attacks.
Ransomware is an increasingly prevalent form of cyber-attack. Personal data breaches from the ICO’s caseload during 2020/2021 have seen a steady increase in the number and severity of cases caused by ransomware. The ICO’s new guidance includes a checklist of actions businesses should review to assess their preparedness against potential ransomware attacks on their organisation including:
Governance – ensuring that policies are in place covering mitigation against potential ransomware attacks
Asset identification – ensuring the business knows and has classified the personal data processed and the assets that process it, so that they can identify what data may have been compromised
Technical control selection – ensuring that there is set of practical controls in place to prevent ransomware
Access controls – ensuring that there are strong access controls for systems that process personal data, for example multi-factor authentication
Vulnerability management – ensuring that the business knows where their systems are vulnerable and what to do about this
Staff education and awareness – ensuring that staff have awareness of the kind of attacks such as phishing which might inadvertently lead to them compromising the security of the IT systems.
Detection – ensuring controls are in place to detect and respond to attacks before they compromise data.
Incident response – ensuring an incident response plan is in place, tested, and followed in the event of a ransomware attack,
Disaster recovery – ensuring a plan is in place to restore personal data in a timely fashion
Assurance – ensuring that testing of all the above measures is carried out according to industry standards.
The guidance also includes eight useful scenarios which businesses can use to become better prepared for the different types of attack and how they might respond, and links to many different online tools which will help to prepare for and protect against ransomware attacks.
The ICO supports the position of law enforcement in not encouraging, endorsing or condoning the payment of ransom demands to criminals by businesses who have lost access to their systems and data. The ICO also does not consider the payment of a ransom as an ‘appropriate measure’ to restore personal data in the event of a disaster. Businesses that choose to pay the ransom to avoid the data being published should still presume that the data is compromised. They should take actions accordingly to mitigate the risks to individuals even though the ransom fee has been paid, and – where necessary – inform the ICO of the breach.
For further information visit: Ransomware and data protection compliance | ICO