Ransomware is the most significant cybersecurity threat facing organisations ranging from critical national infrastructure providers and large enterprises to schools and local businesses – but it's a threat that can be countered.
In a speech at the Chatham House Cyber 2021 Conference, Lindy Cameron, CEO of the UK's National Cyber Security Centre (NCSC), warned about several cybersecurity threats facing the world today, including supply chain attacks, the threat of cyber espionage and cyber aggression by hostile nation states, and cybersecurity exploits and vulnerabilities being sold to whoever wants to buy them.
But it's ransomware that is "the most immediate danger to UK businesses and most other organisations," said Cameron, who warned that many businesses are leaving themselves vulnerable because "many have no incident response plans, or ever test their cyber defences".
Drawing on examples of high-profile ransomware attacks around the world, including the Colonial Pipeline ransomware attack, the ransomware attack against Ireland's Health Service Executive and the ransomware attack against Hackney Council, Cameron detailed the "real-world impact" that these cyberattacks have had over the past year as cyber criminals encrypt networks and attempt to demand ransom payments of millions for the decryption key.
One of the reasons why ransomware is still so successful is because some victims of the attacks will pay the ransom, perceiving it to be the best way to restore the network as quickly as possible – despite warnings not to pay.
"We expect ransomware will continue to be an attractive route for criminals as long as organisations remain vulnerable and continue to pay. We have been clear that paying ransoms emboldens these criminal groups – and it also does not guarantee your data will be returned intact, or indeed returned at all," said Cameron, who also detailed how many ransomware groups are now stealing data and threatening to leak it if the ransom isn't paid.
"Their intention is clear: to increase pressure on victims to pay," she said.
In recent months, the impact of ransomware has become so great that world leaders have discussed it at international summits.
"We should not view ransomware as a risk we have to live with and can't do anything about. We've seen this issue become a leader-level G7 topic of conversation this year. Governments have a role, and we are playing our part," said Cameron.
"We are redoubling our efforts to clamp down and deter this pernicious and spreading crime, standing firm with our global counterparts and doing our best to turn this into a crime that does not pay," she added.
But while governments, law enforcement agenices and international bodies have a role to play in helping to fight back against ransomware attacks, businesses and other organisations can also examine their own defences and what plans they have in place, should they fall victim to a ransomware attack.
"Victims also have agency here, too. Do you know what you would do if it happened to you? Have you rehearsed this? Have you taken steps to ensure your systems are the hardest target in your market or sector to compromise? And if you would consider paying a ransom, are you comfortable that you are investing enough to stop that conversation ever happening in the first place," said Cameron.
Actions like applying security patches and updates promptly and using multi-factor authentication can help protect networks from cyberattacks – and the NCSC has published advice on how businesses can help protect their networks, emphasising that cybersecurity must be a board-level issue.
"One of the key things I have learnt in my time as NCSC CEO is that many – in fact, the vast majority – of these high-profile cyber incidents can be prevented by following actionable steps that dramatically improve an organisation's cyber resilience," said Cameron.
"Responsibility for understanding cybersecurity risks does not start and end with the IT department. Chief executives and boards also have a crucial role," she said. "No chief exec would get away with saying they don't need to understand legal risk because they have a general counsel. The same should be true of cyber risk."