A Ransomware Briefing for UK Businesses: Key Roundtable Takeaways - Talion

Cybersecurity is a high priority for businesses large and small – but most of all, as the law catches up with cyber criminals, there must be greater collaboration and knowledge sharing, according to our expert panel.

Madeline Carr, Director of RISCS & Professor of Global Politics & Cyber Security at UCL

Flavia Kenyon, Barrister, 36 Commercial

Patrick MacGloin, Board Director, Chartered Institute of Information Security

Adrian Nish, Head of Cyber, BAE Systems Applied Intelligence

Gunter Ollman, Chief Security Officer, Devo Technology

What does the UK cybersecurity landscape look like in 2021?

GO: You can’t escape from ransomware in the news. There is a lot of fear. It is the number-one challenge on the list of CISOs and security leaders worldwide, and it keeps them awake at night. It is a grim picture, and that’s why it is vital that we share knowledge, raise awareness, and debate about whether to pay these ransoms. It’s important to realise how professionalised these ransomware groups are. We are not talking about college kids distributing malware for a bit of cash on the side. We’re dealing with two decades of ecosystem growth and maturity – accelerated by cryptocurrency – on the dark web. The dynamics are incredibly fluid and broad, and the ecosystem overlaps money laundering and drugs.

AN: We’ve tracked ransomware as a growing threat for the past decade or so, and it ramped up at the start of last year, when the coronavirus crisis began. Several of these groups cottoned onto a new business model whereby they do not just encrypt data and try and ransom organisations, but they also steal data and they publish that data on blogs, extorting the victims to pay up as well. That shifted the dynamic. The criminals have discovered a new way to put pressure on organisations and therefore increase the number of payments that get made. Our tracking data shows that 7% of victims – a large majority of whom are based in America – are removed from the blogs, suggesting they are paying the ransom.

MC: Ransomware is the latest headache for boards, but we see an increasing appetite for collaboration and information sharing. There is an understanding that it is not a matter of “if” but “when” an organisation will fall victim. It’s vital for boards to be having conversations about responsibility, what happens when they are breached – whether they pay a ransom – but, moreover, ensuring the critical assets are not lost or compromised. Forward planning with technical teams is crucial. In line with this, we see a new breed of CISO that is technical and strategic and can align cybersecurity with the business objectives. Of most significant concern, though, are the smaller businesses that don’t have the same resources as larger organisations. As a result, the SME sector is very vulnerable to cybercrime.

Should ransomware payments be illegal?

POLL RESULT: 44% think ransomware payments should be made illegal

FK: The answer is a resounding “yes” from me. The current legal position is that making a ransom payment per se is not unlawful. What is unlawful is making that payment to terrorist organisations or proscribed groups in breach of international sanctions. As a lawyer, I find this position very troubling. For example, in the real world of fiat, as opposed to the digital world of cryptocurrencies, paying an organised criminal group is a money laundering offence under the Proceeds of Crime Act 2002. But, for policy considerations, there is a reluctance to extend legislation to cyberspace. We need to work together to remove the stigma and secrecy attached to organisations that find themselves in this terrible predicament and have to pay the ransom behind closed doors. The onus is on the government to protect victims of crimes. Additionally, we must shift the focus from a culture of blame and negativity to a positive perspective of prevention, deterrents and protection. Finally, there needs to be better dialogue between the cybersecurity experts, law enforcement and the governments.

PM: The argument that it should be illegal to pay a ransom, particularly around the moral hazard components, has been put forward, especially in the US, where there has been a spike in cybercrime activity. This argument is fuelled by the insurance market, though this dynamic is changing rapidly due to the heavy losses. The truth is, it’s very complex and non-binary. There are parallels to be drawn with paying ransom to kidnappers. You pay the money to get your child back in one piece, hopefully, but there is no such guarantee in the cyber world. There are, however, negotiating strategies you can use to reduce the amount. Another point is that because ransomware-as-a-service has lowered the entry barrier, we see criminals who might not be very technically minded making sloppy mistakes. So at one end of the scale, you have highly professional groups, but at the other end, there are criminals who might not actually have your data, despite demanding a ransom.

GO: Ransomware has evolved with monetisation – from credit cards and gift cards to cryptocurrencies. It is easy for criminals to leverage cryptos. If we take out that monetisation vector [through governments putting more legislation and regulation in place], they will be forced to move on. Interestingly, we see nation-state involvement in ransomware and, according to a Microsoft report from last year, North Korea is one of the key players.

POLL RESULT: 88% of people think governments should be doing more to support UK businesses

What are the tools businesses need to combat ransomware?

MC: Any board should be asking questions about business resilience and continuity. We see a trend that the C-suite increasingly understands that all cybersecurity areas have to be fully integrated into risk evaluation. It should not be treated as something separate that the CISO, CIO, or CTO has to manage. There needs to be better dialogue between boards and the tech executives, though. If the message is watered down or not understood, it can be difficult.

PM: We have seen five years’ worth of the economy going online in the first nine months of the coronavirus crisis and many businesses moved to cloud computing. But, unfortunately, there is a false perception that your data is safe in the cloud. The cloud has many advantages, but it doesn’t mean that everything is backed up and immutable.

GO: Businesses should operate in “assume breach” mode. There has to be a zero-trust framework for security within organisations. You have to remember that you are a small part of a big, complex, vast professional ecosystem if you are targeted by ransomware. You have to be prepared, and prevention is better than cure.

FK: I would advise businesses to get the best cybersecurity and legal help possible. At the moment – and until and unless the law becomes clear and less fragmented – have a good risk-based sanctions compliance programme in place, and do not pay the ransom.

