Brian Sims

Experts challenge myths attributed to cyber attack reporting

LEADING CYBER security experts are pressing organisations to be more open about their experience of cyber attacks in order to encourage reporting and prevent future incidents.

In a new joint blog post, the National Cyber Security Centre (NCSC) and the Information Commissioner’s Office (ICO) identify six misconceptions that can discourage organisations from reporting attacks, particularly ransomware attacks, and are setting out to dispel them.

The misconceptions include the mistaken belief that reporting cyber attacks to the authorities makes it more likely the incident will become public and also that paying a ransom automatically makes the incident go away.

With cyber attacks continuing to cause significant disruption, the NCSC and the ICO are concerned about incidents which go unreported because every ‘hushed up’ case that isn’t shared or fully investigated makes other attacks more likely as no-one can learn from them.

Being open and transparent with the authorities will afford victims access to expert support and advice and is something that will be taken into account favourably by the ICO when considering the regulatory response.

The six ‘myths’ which the NCSC and the ICO have identified as commonly held by those organisations who’ve fallen victim to cyber incidents are as follows:

*If I cover up the attack, everything will be OK

*Reporting to the authorities makes it more likely your incident will go public

*Paying a ransom makes the incident go away

*We have good offline back-ups so we will not need to pay a ransom

*If there is no evidence of data theft, you don’t need to report to the ICO 

*You’ll only receive a fine if your data is leaked

Report incidents, seek support

Eleanor Fairford, deputy director for incident management at the NCSC, said: “The NCSC supports victims of cyber incidents every day, but we are increasingly concerned about the organisations that decide not to come forward. Keeping a cyber attack secret helps nobody except the perpetrators. That being so, we strongly encourage victims to report incidents and seek support to help effectively deal with the fall-out.”

Fairford added: “By responding openly and sharing information, organisations can help mitigate the risk posed to their operations and reputation, as well break the cycle of crime and help prevent others from falling victim.”

While the NCSC – as the national technical authority on cyber security – and the ICO (itself the national data protection regulator) have different functions, both organisations work with victims of cyber incidents every day and have witnessed a wide range of incident responses.

Mihaela Jembei, the ICO’s director of regulatory cyber, explained: “It’s crucial that businesses are aware of their own responsibilities when it comes to cyber security. The fact remains that there’s a regulatory requirement to report cyber incidents to the ICO, but transparency is more than simply complying with the law. Cyber crime is a borderless and global threat and it’s through knowledge sharing that we can help organisations to help themselves.”

Jembei concluded: “It’s also really important that businesses don’t lose sight of their basic cyber hygiene practices in a world where we are always hearing about new and exciting technologies and the risks they may pose.”

Expert advice

Victims of cyber crime who are proactive with reporting can benefit from expert NCSC advice and, following this, can positively impact the ICO’s response.

The blog post also addresses assumptions about data risk, highlighting that a lack of evidence that data has been stolen does not mean theft did not take place, while paying a ransom to criminals to restore services quickly can increase the likelihood of being targeted once again and does not guarantee stolen information will not be leaked at a later juncture.

The NCSC and the ICO recommend that victims are open in the aftermath of an attack, reporting incidents via the Government’s cyber reporting service and separately to the ICO to fulfil regulatory responsibilities. They also encourage sharing lessons learned with other organisations to help improve wider awareness and cyber resilience.

More guidance on how to effectively detect, respond to and resolve cyber incidents can be found on the NCSC’s website, including dedicated advice on handling ransomware attacks.

The NCSC is not a regulator. The organisation provides support to victim organisations in confidence and does not share information about an incident with the ICO without an organisation’s consent. Victim organisations should report cyber breaches directly to the ICO.

Company Info


64 High Street, RH19 3DE
East Grinstead
RH19 3DE

04478 18 574309

Login / Sign up