Cyber_Bytes Issue 64

Welcome to Cyber_Bytes, our regular round-up of key developments in cyber, tech and evolving risks.

NCSC Publishes guidance for organisations considering payment in ransomware incidents

The National Cyber Security Centre has published guidance for organisations considering payment in ransomware incidents, developed in conjunction with the Association of British Insurers, the British Insurance Brokers’ Association, and the International Underwriting Association.

Key points include:

• Alternative Solutions: Companies should consider viable backups and unexpected methods to recover systems and data instead of paying ransoms.
• Consulting  Experts: Decision-making should involve consulting insurers, law enforcement, and cyber incident response specialists.
  Be aware that  payment does not  guarantee access to data: There is a chance that decryption keys will not work and, even if they do, it will take time to run across large networks.
• Consider the correct legal and regulatory practice around  payment: There are a range of legal risks involved in paying a ransom which need to be considered and mitigated to the extent possible.
• Payment of a ransom does not fulfil regulatory obligations: The ICO has made clear that payment of a ransom, including for deletion of data, does not affect the level of risk to data subjects and the resulting notification obligations.
• Report to the UK authorities: The NCSC will usually expect to be informed about ransomware incidents, particularly where payment of the ransom is being considered.

Click here to read the NCSC's full guidance.

Leader of LockBit ransomware group sanctioned

The identity of the leader of LockBit, the notorious cyber-crime group, has been named by law enforcement agencies. This individual has now been sanctioned, as announced by the UK Foreign, Commonwealth and Development Office, alongside the US Department of the Treasury’s Office of Foreign Assets Control and the Australian Department of Foreign Affairs.

LockBit offers ransomware-as-a-service (RaaS) to a global network of hackers, supplying them with the tools and infrastructure to perpetrate cyber-attacks internationally. Between June 2022 and February 2024, it is estimated that more than 7,000 attacks were built using LockBit's services, with the top five impacted countries being the US, UK, France, Germany, and China.

Commenting on this development, the Director General of the National Crime Agency, Graeme Biggar, states that “These sanctions are hugely significant and show that there is no hiding place for cyber criminals... who wreak havoc across the globe. He was certain he could remain anonymous, but he was wrong."

Click here to read more from the National Crime Agency.

ICO urges organisations to boost cyber-security amidst growing threat of cyber attacks

The ICO has issued a call for organisations to boost their cyber security and protect the personal data they hold. This comes amid the growing threat of cyber-attacks as over 3,000 cyber breaches were reported in 2023.

The ICO refers to a report containing practical advice to assist organisations with understanding common security failures and addresses steps that can be taken to improve security and prevent cyber breaches. The report focuses on five leading causes of cyber-security attacks:

1. Phishing: where scam messages trick the user and persuade people to share passwords or accidentally download malware.
2. Supply chain attacks: where products, services, or technology organisations use are compromised and then used to infiltrate their own systems.
3. Brute force attacks: where threat actors use trial and error to guess username and password combinations, or encryption keys.
4. Denial of service: where threat actors aim to stop the normal functioning of a website or computer network by overloading it.
5. Errors: where security settings are misconfigured, including being poorly implemented, not maintained and or left on default settings.

Click here to read the ICO's statement. Click here to read the ICO's report.

Information Commissioner highlights persistent breaches of sensitive information failing people living with HIV

The ICO called out failing data protection standards at health services for people living with HIV following several breaches and concerns raised by major UK HIV representative-organisations.

In 2022/23, the health sector was the most common source of data breach reports to the ICO, accounting for over a fifth of all personal data breaches.

The ICO has previously issued fines and reprimands for data breaches involving various health organisations, such as the Central Young Men's Christian Association, HIV Scotland, and NHS Highland. These breaches led to a loss of confidentiality over the identity of HIV patients, which has led to a drive for better staff training, appropriate technical procedures and prompt reporting.

The ICO highlights some key pieces of advice for organisations, such as:

1. Ensuring that staff receive thorough data protection training.
2. Ensuring that appropriate technical measures are in place, such as passwords and access controls.
3. Avoiding using BCC when sending bulk communications and opting for bulk email services, mail merge, or secure data transfer services.
4. Training staff on the data breach reporting process.

Click here to read the ICO's press release.

Tech Minister delivers speech on UK cyber resilience

Tech Minister Saqib Bhatti MP recently delivered a speech to the National Cyber Security Centre's CyberUK 2024 conference in Birmingham. In his address, Mr Bhatti underscored the critical importance of cyber resilience for the UK.

The Government’s National Cyber Strategy focuses on several key areas: improving cyber resilience, fostering growth in the cyber security sector, enhancing cyber security skills, and addressing the security of new and emerging technologies such as AI, quantum computers, and semiconductors. He highlighted three significant challenges: ensuring that technology is “secure by design”; strategically managing cyber risk; and implementing effective rules and controls.

Mr Bhatti also set out a new Code of Practice for software vendors, which sets out how developers and vendors can look to ensure software is developed and maintained securely, with improved information sharing through supply chains. The code sets out four principles:

1. Secure design and development
2. Build environment security
3. Secure deployment and maintenance, and
4. Communication with customers.

He also announced a new Code of Practice in the Cyber Security of AI, which is based on the NCSC's Guidelines for secure AI system development and is intended to form the basis of an international standard on AI cyber security.

Click here to read Mr Bhatti's speech. Click here to read the Code of Practice for Software Vendors and click here to read the Code of Practice on the Cyber Security of AI.

Government issues cyber security standards for schools and colleges

The Government has published guidance on standards that schools and colleges should meet in relation to cyber security and user accounts. This aims to mitigate the significant operational and financial impact that cyber incidents and attacks have on schools and colleges.

The Government guidance also refers to the Cyber Essentials certification programme, which aims to provide these organisations with increased assurance over the technical elements of cyber security. Whilst Cyber Essentials is not a requirement and is open to organisations across all sectors, schools and colleges are urged to complete it as part of their cyber security activities.

Click here to read the government's guidance. Click here to read more about Cyber Essentials.