Firms warned to back up data or face ransomware action
The Information Commissioner's Office has issued a warning to UK businesses in the wake of the WannaCrypt ransomware offensive, insisting that if firms do not have an effective back-up policy in place they could be in breach of data protection laws.
The ICO quotes a study which suggests that 54% of UK businesses have been targeted with a ransomware attack in the past 12 months, with more than a third of those targeted losing revenue and many closing completely.
The WannaCrypt attack has so far hit over 100,000 organisations in 150 countries.
In a blog post, ICO group manager for technology Simon Rice warns: "If the personal data which you are responsible for has been encrypted as a result of a ransomware attack and you are unable to restore that data then the ICO could be of the view that you have not taken appropriate measures to keep it secure and have therefore breached the Data Protection Act.
"If you have a back-up from which you can restore a working copy of the data, then a permanent loss of data would not be considered to have occurred. However, the ICO would still need to look at the circumstances of the case to determine whether or not there were appropriate measures in place which could have prevented the attack from succeeding."
Rice goes on to detail a seven-point plan to prevent attacks from occurring:
- Check you have basic technical cyber protection against malware and that it is up to date
- Ensure all of your devices have the latest necessary security patches
- Remove unnecessary user accounts (such as guest accounts and surplus administrator accounts) and restrict user privileges to only what is necessary
- Remove or disable unnecessary software to reduce the number of potential routes of entry available to ransomware
- Segment your network so that if an attack does take place the damage you suffer is limited
- Importantly, your back-ups need to be protected from also being encrypted – make sure you have an offline and offsite back-up
- Train your staff to recognise a ransomware attack if it does manage to get past your anti-malware protection
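The back-up point in the plan is stated as policy; what makes it hold up under the ICO's "can restore a working copy" test is a restore that has actually been exercised. The script below is an added example, not part of the ICO's guidance or of this article, showing the checks a practitioner would put behind that item: the backup is written with a SHA-256 manifest, its files are made read-only, and after the live copy has been overwritten by a stand-in for ransomware the data is restored and every restored file is checked against the manifest. The directory layout, file names and sample data are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the ICO or the article): a minimal backup workflow
# that (1) writes a checksum manifest beside the backup, (2) strips write
# permission from the backup copy, and (3) proves the backup can be restored
# after the live copy has been "encrypted". Paths and data are assumed.
set -eu

WORK="${WORK:-$(mktemp -d)}"
LIVE="$WORK/live"        # the working data ransomware would encrypt
OFFLINE="$WORK/offline"  # stands in for a detached or offsite copy

# Constructed sample data standing in for the personal data a firm holds.
make_sample_data() {
    rm -rf "$LIVE"; mkdir -p "$LIVE"
    printf 'customer,email\nalice,alice@example.com\n' > "$LIVE/customers.csv"
    printf 'invoice 1001 paid\n' > "$LIVE/invoices.txt"
}

# Copy the live data, record the SHA-256 of every file, then make the copy read-only.
# The manifest is excluded from its own listing because the redirect creates it first.
take_backup() {
    rm -rf "$OFFLINE"; mkdir -p "$OFFLINE"
    cp -R "$LIVE/." "$OFFLINE/"
    (cd "$OFFLINE" && find . -type f ! -name MANIFEST.sha256 -print0 \
        | LC_ALL=C sort -z | xargs -0 sha256sum) > "$OFFLINE/MANIFEST.sha256"
    find "$OFFLINE" -type f -exec chmod a-w '{}' +
}

# Check the backup against its manifest; non-zero if any file is missing or altered.
verify_backup() {
    (cd "$OFFLINE" && sha256sum --quiet -c MANIFEST.sha256) >/dev/null 2>&1
}

# Stand-in for ransomware: overwrite every live file with noise and rename it.
simulate_ransomware() {
    for f in "$LIVE"/*; do
        head -c 64 /dev/urandom > "$f"
        mv "$f" "$f.locked"
    done
}

# Rebuild the live copy from the backup and confirm every restored file matches
# the manifest. A backup that has never been restored this way is untested.
restore_and_verify() {
    verify_backup || return 1
    rm -rf "$LIVE"; mkdir -p "$LIVE"
    cp -R "$OFFLINE/." "$LIVE/"
    (cd "$LIVE" && sha256sum --quiet -c MANIFEST.sha256) >/dev/null 2>&1 || return 1
    rm -f "$LIVE/MANIFEST.sha256"
    find "$LIVE" -type f -exec chmod u+w '{}' +
}

main() {
    make_sample_data
    take_backup
    verify_backup && echo "backup verified against manifest"
    simulate_ransomware
    echo "live copy after attack:"; ls "$LIVE"      # only *.locked files remain
    restore_and_verify && echo "restore succeeded; live copy matches manifest"
    cmp -s "$LIVE/customers.csv" "$OFFLINE/customers.csv" && echo "customers.csv intact"
}
main
```

Read-only permission bits only stop a careless overwrite; ransomware running with the same user rights can change them, which is why the copy must also be physically or logically detached (unmounted media, a separate account with write-once storage, or an offsite service the workstation cannot reach). The manifest is what turns "we have a backup" into "we have a backup we can prove is complete", and the restore step is the one that should be scheduled and recorded.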
Ravi Pather, senior vice president of data security firm Eperi, added: "The point is that it's no coincidence that these cyber-security attacks are more likely to happen to companies that do not invest in and have the latest approaches to protecting customers' and their own confidential and sensitive data.
"In the modern-day era of distributed and cloud-based architectures, with a distributed workforce that leverages the productivity of using smartphones and IoT, it's never straightforward to fully protect against such attacks and compromises using traditional IT security approaches. It is an ever-moving target. You too have to change the game to stay ahead of the cyber attackers with a new approach.
"The focus has to move from traditional IT security to much more focus on information or data security. The focus has to be on protecting the data itself - wherever it is. This renders the data useless in the case of cyber attacks that attempt to compromise this sensitive data."
to be GDPR compliant.