UK to ban ransom payments to choke cybercriminals’ business

Major cyberattacks in the UK go unreported, the M&S chairperson recently told a parliamentary sub-committee.

Following a nearly three-month-long public consultation, the UK is set to ban public sector bodies, such as the NHS, local councils and schools, from paying ransoms demanded by cybercriminals.

The government says that the ban will protect critical services in the country by choking the business model that fuels cyber-criminal activity, effectively making public sector bodies a less attractive target for ransomware groups.

The public consultation was launched in January, following a number of high-profile cyberattacks in the country estimated to have cost millions of pounds.

Last year, 19 train stations across the UK were hit by a cyberattack, which followed a large-scale attack on the NHS ambulance system in 2023 that disrupted access to electronic patient records.

More recently, retailers Marks and Spencer (M&S), Harrods, Victoria’s Secret and supermarket Co-op became some of the latest private sector victims of cyberattacks.

Private sector bodies, which are not covered by the ban, would still be required to notify the government of any intent to pay a ransom. The government says it will provide these businesses with support and advise them where a payment could break the law.

Mandatory incident reporting is also being developed, which would give law enforcement data on the rate and nature of attacks.

Earlier this month, M&S chairperson Archie Norman told MPs that major cyberattacks in the country go unreported.

“It is apparent to us quite a large number of serious cyberattacks never get reported,” he told a parliamentary sub-committee on 8 July.

“We have reason to believe there have been two major cyberattacks on large British companies in the last four months that have gone unreported.”

According to the government, nearly three quarters of those who took part in the consultation responded positively to the proposal to ban public sector ransom payments.

“Ransomware is a predatory crime that puts the public at risk, wrecks livelihoods and threatens the services we depend on. That’s why we’re determined to smash the cybercriminal business model and protect the services we all rely on,” said UK security minister Dan Jarvis.

“By working in partnership with industry to advance these measures, we are sending a clear signal that the UK is united in the fight against ransomware.”

The government is also urging organisations in the country to bolster their cyber-resilience by keeping offline back-ups, having tested plans for operating without IT systems for an extended period, and maintaining a well-rehearsed strategy for restoring systems.

The plan is supported by organisations that have themselves suffered major attacks. “The British Library, which holds one of the world’s most significant collections of human knowledge, was the victim of a devastating ransomware attack in October 2023,” said Rebecca Lawrence, CEO of the British Library.

“The attack destroyed our technology infrastructure and continues to impact our users, however, as a public body, we did not engage with the attackers or pay the ransom.”

Co-op CEO Shirine Khoury-Haq said: “We know first-hand the damage and disruption cyber-attacks cause to businesses and communities.

“This is a step in the right direction for building a safer digital future.”
