Ransomware continues to plague UK businesses, but new research suggests UK SMEs are failing to properly invest in cybersecurity.

Ransomware is the most immediate cybersecurity threat to UK business with criminals evolving methods of cyber exploitation for profit, Lindy Cameron, CEO of the UK National Cyber Security Centre (NCSC), said in her opening keynote speech of Cyber 2021 at Chatham House on October 11. Despite the warnings, new research suggests UK small- to medium-sized enterprises (SMEs) are failing to properly invest in cybersecurity and would rather risk data than slow down business growth.

Evolving attacks make ransomware greatest cybersecurity threat

Reflecting on key themes of the current cyberthreat landscape, Cameron said that ransomware presents the “most immediate danger” to the UK and its businesses – from FTSE 100 companies to schools and critical national infrastructure to local councils. She cited the significant impact of recent ransomware attacks, including those against the private sector. Attacks on Ireland’s Health Service Executive, leading to months of disrupted appointments and services, and Hackney Borough Council, leading to IT systems being down for months and property purchases within the borough delayed, are prime examples.

“While ransomware continues to pose a threat, the methodology of ransomware criminals is evolving as they seek more effective ways to make money,” Cameron said. “In addition to shutting down an organisation’s ability to function, many now also threaten to publish exfiltrated data on the dark web. Their intention is clear: to increase pressure on victims to pay.”

Criminals are also increasingly operating beyond UK borders, posing significant law enforcement challenges, Cameron added.
“The criminals responsible often operate beyond our borders, are increasingly successful in their endeavours, and pose a global challenge we must fight together to ensure no place becomes a safe haven.”

Whilst ransomware will continue to be an attractive route for criminals if organisations remain vulnerable, Cameron urged victims not to pay ransom demands. “We have been clear that paying ransoms emboldens these criminal groups. It also does not guarantee your data will be returned intact, or indeed returned at all.”

Instead, Cameron urged UK businesses to take steps to better prepare for and defend against ransomware attacks. “Do you know what you would do if it happened to you? Have you rehearsed this? Have you taken steps to ensure your systems are the hardest target in your market or sector to compromise? And if you’d even contemplate paying a ransom, are you comfortable that you are investing enough to stop that conversation ever happening in the first place?” she asked. “We should not view ransomware as a risk we have to live with and can’t do anything about.”

UK SMEs failing to invest in cybersecurity

Despite Cameron’s warnings, new research from Defense.com indicates that UK SMEs are failing to prioritise cybersecurity. According to its findings, over half (54%) of SMEs say their investors only care about growth and not cybersecurity, with 51% preferring to take business risks rather than invest in cybersecurity defences.

In fact, 24% of surveyed businesses have spent nothing on cybersecurity, whilst a further 25% spend less than £1,000 a year. This is despite 35% of SMEs stating that the pandemic has increased their exposure to cyber risks.

Reasons behind the lack of investment include beliefs that small businesses are not a target for attacks, along with the perceived costs involved. Defense.com CEO Oliver Pinson-Roxburgh says, “These findings clearly show that British SMEs are not taking cybersecurity seriously.
A successful cyberattack has the potential to put an SME out of business, resulting in lost jobs and livelihoods.”