In mid-December, we received a comment from Richard via the 'Contact us' form on our website regarding the guidance we'd published on protecting your organisation from ransomware. Specifically, it related to a line in the guidance which read:
"Backups should be considered a last resort only, as the adoption of good security practices will mean not getting ransomware in the first place."
Richard correctly noted that this line could be misinterpreted by a busy reader as 'the NCSC does not advocate keeping backups'.
Just to be clear: the NCSC recommends that organisations use backups to help mitigate a wide range of potentially catastrophic problems, such as fire, theft, flooding, and - naturally - ransomware. Our intention with this paragraph was to note that whilst a backup can help minimise the harm a ransomware incident causes to an organisation (assuming the backup is current, and cannot itself be compromised by the ransomware, for example because it is kept offline or is otherwise not writable from the infected systems), backups shouldn't be seen as the primary defence against ransomware. It's better to design and operate your systems so as to minimise the chances of ransomware gaining a foothold in the first place, and to rely on backups as the mitigation should this nonetheless occur.
So, thank you, Richard, for pointing out the ambiguity in our original guidance. We've since amended the original text to clarify our meaning. We've also added some references to Cyber Essentials which should have been included.
Please do get in touch with us, via blog comments or the 'Contact us' form, if you spot any content which isn't as clear as it could be. Your collective insights help us improve the quality of NCSC advice and guidance for everyone.
Tech Director for Assurance