Rumors of UK government proposals to make ransomware reporting mandatory have been welcomed by a panel of experts at Infosecurity Europe this morning.
The leaked public consultation, due to be published this month, is said to have proposed compulsory reporting of incidents and licensing of payments, as well as a ban on all payments by critical infrastructure firms.
Detective Superintendent Paul Peters, who is also the director of the Cyber Resilience Centre for Wales, said mandating reporting would help to plug a gap in ransomware awareness among law enforcers and government agencies.
“I’ve been in the cyber investigative area for 10 years and reporting has remained low. I speak to third parties who tell me about successful attacks but no one has involved law enforcement,” he argued.
“We need the intelligence to be able to counter the threat. If we can’t get businesses to start reporting off their own backs, then maybe it is time to consider whether or not …. There’s a legal requirement to report.”
Jon Davies, senior director of cyber defense at News Corp, agreed – adding that at present the security community simply doesn’t know the scale of the problem.
“We’re at the point now where it’s critical, with CNI impacted just this week,” he noted.
A critical incident was declared by NHS England earlier this week, after a ransomware attack on healthcare supplier Synnovis forced hospitals to cancel operations and divert A&E patients in London and the South East.
However, Marsh UK cyber growth lead, Gareth Bateman, urged caution. A similar law on mandatory ransomware reporting in France had “unintended consequences,” he warned.
“It caused a lot of confusion among the French business community around what the various thresholds [are] at which you have to report,” he explained. “I’m not against filling the intelligence picture by ensuring we have full visibility of the problem, but the mechanism by which we capture that intelligence has to be carefully thought through.”
Bateman also criticized reported government proposals to mandate that firms obtain a license before making any payment to their extortionists.
“To me that’s an absolutely disastrous idea. How on earth is a business under significant time pressure going to jump through a bureaucratic process to get a license, and from whom, before they get a payment?” he asked.
“We have to be very careful and guarded about wrapping bureaucracy around a complex problem and trying to simplify it to a point where it doesn’t make sense anymore.”
Experts on the panel concluded by urging organizations to prepare now for the inevitability of a ransomware breach.
“Prepare, plan and test,” said Davies. “Make sure you have a plan in place, and if not work with law enforcement and agencies, to build an incident response … disaster recovery and business continuity plan. And make sure you have the right people in the room to test that the plan works.”
The Cyber Resilience Centre for Wales’s Peters added that there’s also a need for greater user awareness inside the organization.
“For me it’s also about educating your staff from top to bottom,” he concluded. “Everyone needs to understand the basic principles and put them in place. And tell the police. Use Action Fraud to report it.”