Insights National Cyber Security Centre (NCSC) and ICO publish joint blog to dispel common misconceptions that discourage organisations from reporting a cyber-attack


The NCSC and the ICO are pressing organisations to be more open about their experience of cyber-attacks, to encourage reporting and prevent future incidents. In the joint blog post, the NCSC and the ICO identify six misconceptions that can discourage organisations from reporting attacks, particularly ransomware attacks, and sets out to dispel them. The misconceptions include the mistaken belief that reporting cyber-attacks to the authorities makes it more likely that the incident will become public, and that paying a ransom automatically makes the incident go away.

With cyber-attacks continuing to cause significant disruption, the NCSC and ICO are concerned about incidents that go unreported because every “hushed up” case that is not shared or fully investigated makes other attacks more likely as no one can learn from them. The NCSC says that being open with the authorities will give victims access to expert support and advice and will be taken into account favourably by the ICO when considering its regulatory response.

The six myths identified by the NCSC and the ICO are:

  1. if I cover up the attack, everything will be ok;
  2. reporting to the authorities makes it more likely your incident will go public;
  3. paying a ransom makes the incident go away;
  4. I have good offline backups; I will not need to pay a ransom;
  5. if there is no evidence of data theft, there is no need to report to the ICO; and
  6. fines are only issued if data is leaked.

The blog post also addresses assumptions about data risk, highlighting that a lack of evidence that data has been stolen does not mean that theft did not take place, while paying a ransom to criminals to restore services quickly can increase the likelihood of being retargeted and does not guarantee stolen information will not be leaked later.

The NCSC and ICO recommend that victims are open in the aftermath of an attack, reporting incidents via the Government’s cyber reporting service and separately to the ICO to fulfil regulatory responsibilities. They also encourage sharing lessons learned with other organisations to help improve wider awareness and cyber resilience. To read the NCSC’s news release and for a link to the full blog post, click here.