Ransomware: Five steps every business should take


In 2021, cyber security is never far away from the headlines. In the last month alone, the Irish health service was hit by a significant ransomware attack, leading to a total shutdown of its computer systems and widespread disruption to services.

On the other side of the Atlantic, the owners of a gas pipeline which delivers 45% of the fuel supplies to the populous east coast region of the US were hit by a similar attack. The pipeline was temporarily shut down amid safety and security fears and only reopened after a ransom, reported to have been over £3 million, was paid. These attacks on critical national infrastructure show just how sophisticated and dangerous ransomware attacks can be.

A ransomware attack involves criminals unlawfully accessing computer systems and then encrypting (and sometimes stealing) data. Victims are left a message saying that they can only recover their data by paying a ransom. Whilst the attackers are committing criminal offences under computer misuse legislation, they are very difficult to trace and may be based anywhere in the world, making them almost impossible to bring to justice. Many victims feel they have no choice but to pay up or lose everything.

It is clearly far better to protect your business against ransomware attacks than to manage the devastating consequences of a successful attack. But what is the best way of dealing with this growing threat?

Data protection law requires businesses to take ‘appropriate technical and organisational measures’ to keep information about identifiable individuals secure. There are lots of expensive technical IT security solutions on the market and so you will need to shop around for something that works for your business. In the meantime, here are five simple organisational measures you can take now to protect your business.

Know your data

You need to know what data you hold, where it is held (and backed up), and which of it is business-critical. This is crucial to deciding how best to protect yourself. So carry out an information audit to find out what you hold, how sensitive it is, and the risks to both individuals and your business if that data became unavailable. Your information audit will inform the sorts of technical measures you need to implement to keep data secure.

Understand the threats

Cyber risks are constantly evolving. It’s very difficult for businesses outside of the technology sector to stay completely up to date. So start by following the guidance issued by the National Cyber Security Centre and sign up for their alerts. The NCSC website has some great advice for small businesses.

Train your staff

Although ransomware attacks can be very sophisticated, the criminals still need to find a way to gain access to your systems. And the easiest way of doing that is often by tricking employees into disclosing log-in details or clicking links that result in malware being installed. Make sure your staff are not your weakest security link by ensuring that they are trained and regularly reminded to look out for threats.

Have a plan (and test it)

If you want to be prepared should the worst happen, then putting in place a plan to deal with cyber-attacks is essential. Your plan should include key steps to get your business back up and running as quickly as possible, as well as clear lines of responsibility. Communications may be difficult if the cyber-attack has affected your IT systems, so your plan should cover communications with employees, suppliers and contractors, as well as with statutory authorities such as the police and the Information Commissioner’s Office. And don’t forget to test your plan regularly, and make changes to ensure it works.

Don’t hoard data

Finally, ensure that you regularly cleanse the data you hold. Too many businesses are afraid of deleting information that they no longer need. Make sure that you adhere to the data minimisation principle and only retain information that you really need.

The steps above cannot guarantee that your business will be safe from sophisticated ransomware attacks, but they will go a long way towards making your business more resilient to these ever-present threats.

Jon Belcher

Jon Belcher is a specialist data protection and information governance lawyer at Excello Law.