With more and more businesses moving their processes online, the Information Commissioner’s Office (ICO) has urged organisations to recognise the importance of keeping themselves and their customers safe from online scams.

The ICO is recommending that companies establish incident response, disaster recovery and business continuity plans to address the heightened risk of ransomware attacks.

The recommendation accompanies the ICO’s new guidance, which includes a checklist of actions businesses should review to assess their preparedness against potential ransomware attacks.


What is ransomware?

Ransomware is an increasingly prevalent form of cyber-attack. Unsuspecting users typically click on a link (often in an email) which then installs malicious software. Scammers then threaten to publish the victim’s personal data or block access to their system until a ransom is paid.


Ransomware attacks are on the increase

Personal data breaches in the ICO’s caseload during 2020/2021 show a steady increase in both the number and the severity of incidents caused by ransomware. The guidance presents the eight most common ransomware compliance issues the ICO has seen:

  • Scenario 1: Attacker sophistication
  • Scenario 2: Personal data breach
  • Scenario 3: Breach notification
  • Scenario 4: Law enforcement
  • Scenario 5: Attacker tactics, techniques and procedures
  • Scenario 6: Disaster recovery
  • Scenario 7: Ransomware payment
  • Scenario 8: Testing and assessing security controls


Ransomware payment and data protection compliance

In its guidance, the ICO supports the position of law enforcement in not encouraging, endorsing or condoning the payment of ransom demands to criminals by businesses who have lost access to their systems and data.

The ICO also does not consider the payment of a ransom an ‘appropriate measure’ to restore personal data in the event of a disaster. Businesses that choose to pay the ransom to avoid the data being published should still presume that the data is compromised. They should take action accordingly to mitigate the risks to individuals even though the ransom fee has been paid and – where necessary – inform the ICO of the breach.

For more information about ransomware and data protection compliance, please head to the ICO website.
