The NHS cyber-attack — what happened, why and what can small businesses learn?
The inevitable finally happened. Commentators and experts have been warning for some time that the NHS was vulnerable to a cyber-attack. And last Friday their fears came true, with as many as 40 hospitals and 24 NHS trusts hit by a virulent ransomware, locking staff out of systems and potentially putting lives at risk.
But despite the well-known vulnerability of the NHS, this wasn’t a targeted attack. In fact, the WannaCry ransomware responsible infected as many as 75,000 computers in around 150 countries worldwide, with many calling it the biggest attack of its kind in history. A number of big businesses were also affected, including Telefonica, FedEx, Deutsche Bahn, Santander and KPMG.
So, what was behind it?
The root of the problem was a vulnerability in Microsoft software, first identified by the US National Security Agency (NSA) as a potential weapon of cyber warfare. In Microsoft’s defence, the company did release a patch for the vulnerability back in March, although it’s clear that many people failed to install it in time, leaving their systems vulnerable.
Then disastrously, a leak from the NSA meant details of the vulnerability ended up in the hands of hacker group, The Shadow Brokers, which dumped it on the public web for anyone to find. That led to the development of the WannaCry malware to exploit the issue, which caused so many problems last Friday.
Heads in the sand
The attack is a perfect example of the ‘head in the sand’ approach to cyber security taken by too many organisations. So-called ‘cyber-hygiene’ requires constant vigilance to the latest threats and there is a tendency for companies to ignore or neglect this fact until it’s too late. Cyber criminals and hackers never sleep, which means that your defences can’t either.
And while it’s organisations such as the NHS that hit the headlines, smaller businesses are equally at risk, particularly in blanket attacks such as this one. The latest Government cyber security breaches survey found that 45% of small businesses identified a cyber security breach or attack in the last year, costing an average of £1,380 for each breach. Without the back-up funds of a larger organisation, just one incident can hit a small business hard, but there are lots of ways it can be avoided.
To minimise the chances of being one of those affected, there are some important steps you can take:
First things first, a cyber risk assessment helps you understand the areas you need to protect, those where you could be most vulnerable and potential worst case scenarios. Start by auditing the data and information you hold that is most valuable. This will give you a good idea of where you need protection. Then look at how you store this data, who has access to it and how it’s protected by technology and processes, to understand where you could be most at risk.
If you’re not confident carrying out a risk assessment, then you might want to consider hiring an expert to do this for you.
Implementing strong network and workstation controls
Once you’ve identified your most valuable data assets, cover all the bases to secure it with the appropriate technology, including firewalls, anti-malware and antivirus software on all your computers and devices.
The following controls will make a big difference to your cyber security:
- Install security software on your company website and keep all its scripts up to date
- Implement a properly configured firewall through a dedicated resource
- Apply current and up-to-date patches on everything as soon as they become available, including the gadgets owned by employees
- Use secure cloud-based applications
- Implement solutions like VPN (virtual private network) so remote access is secure
- Implement a disaster recovery site that can take over in case your site is taken down by hackers
- Have a static landing page prepared to keep customers informed if your order page goes offline
- Access controls so employees only have access to information they need
If you don’t have any dedicated IT expertise in house, it’s probably best to consult an expert on the best approach for your needs.
Communication and training
The right technology is hugely important, but getting your people and processes up to speed perhaps even more so. Yet this is an area that is often overlooked. The Government cyber security breaches survey found that only 25 per cent of small businesses have given staff relevant training in the last 12 months — which means they could be your weakest link.
Your communication should begin with a cyber security policy, outlining key processes and procedures, what staff should and shouldn’t do, and the potential repercussions if the guidelines aren’t followed. The exact issues covered will vary from business to business but potential topics should include:
- Guidance on handling sensitive information
- Stipulations regarding password security
- A policy covering remote working and the use of personal devices
- How to look out for, report and respond to a security issue — including how to identify phishing emails
- Required checks on suppliers to ensure they are complying with security best practice
You should ensure the cyber policy is easily accessible to all employees, is updated regularly, and that staff are also given training around the issues at least every 12 months.
Build a security-centric mobile culture
It’s easy to overlook the fact that sensitive information accompanies your employees inside and outside the office premises, and that it needs to be protected at all times. Here’s some mandatory rules that will keep your data safe when your employees are on the move:
- Make employees use complex passwords — see 5 password tips for better SME security
- Introduce passwords that automatically expire and need to be renewed
- Block access to certain websites that pose risks to the security of your data.
- Encrypt all smartphones used for business purposes.
Most small businesses aren’t aware of the amount of information that their vendors have access to and this can also pose a serious security risk. Checking a vendor’s security controls should form part of the vetting and onboarding process. Things to look for include:
- How your data will be stored
- Access controls for the vendor’s employees
- Frequency of vendor risk assessment
- Compliance with data protection regulations
An insider threat can be a current or former employee, service provider, supplier, contractor, or anybody else that may be able to get their hands on your confidential data. These individuals are likely to have access to sensitive information, often with the responsibility to protect it, leading to severe consequences if it turns out they can’t be trusted. We’ve outlined some simple steps your business can take to prevent employee misuse of data here.
Back up your systems regularly
It’s so simple, yet so important, and too many businesses neglect to stay on top of backing up. If you’re hit by a cyber-attack, your systems and data are likely to be inaccessible at least for a time, or possibly even permanently destroyed. A backup gives you a lifeline so you can resume normal operations as quickly as possible after an incident. Best practice is to back up at the end of every day and keep the copy in a separate location, in case of a fire, flood or theft at your premises.
Periodic Assessment of Vulnerabilities
Finally, periodic testing should be carried out to identify impending security risks to your network. In this scenario, third parties can be hired to do the stress testing to identify any loopholes in the system, so they can be plugged before it’s too late.
What can you do if you’re hit?
Even with the best technology and security measures, sometimes you’re powerless to stop a breach. This is where an effective response plan comes in, enabling you to control the situation as quickly as possible, with minimum impact to you and your customers. For example, in the case of the NHS, hospitals and trusts were generally praised for their communication with the public, ensuring people were kept informed of what was going on.
Yet, despite its importance, only 30 per cent of organisations have a breach response plan in place, potentially leaving them floundering in the event of an attack.
An effective response plan should include the following elements:
- Your legal response: You need to outline how you’ll handle the legal aspects of the breach, for example informing the Information Commissioner’s Office (ICO) of the issue and defending your business against any claims of negligence.
- Handling media queries: Your business could be the focus of media attention following a breach, so be ready to handle all external communications about what happened and how you’re handling it. You are likely to need professional PR expertise to do this effectively.
- Finding out what happened: You’ll also need to have IT forensics experts on hand to find out what caused the breach, with a view to rectifying the problem quickly and ensure it doesn’t happen again.
- Informing customers: Depending on your customer-base and the scale of the breach, you could have a lot of unpleasant phone calls to make! You’ll need to be ready with a way to handle this communication efficiently.
The role of cyber insurance
If the worst does happen and you’re facing the repercussions of a data breach, your final line of defence is a watertight and specialist cyber insurance policy. Covering you for breach of data protection laws (where insurable by law) and your liability for handling data, it can also provide cover for extortion, system rectification costs, plus PR expenses and financial loss due to system downtime.
Some key aspects to look out for include:
- The Information Commissioner’s Office (ICO) can give fines of up to £500,000 for breach of the Data Protection Act. The Digital Risks cyber insurance policy will cover notification costs, legal fees defending regulatory action, and in some cases the penalty itself (where this can legally be insured).
- Cover for your out-of-pocket expenses, which could include system repair costs, lost income while the system is down, or even ransom payments to hackers.
- Cover for your website, blogs and social media, for copyright or trademark infringement, or defamation etc.
With cyber-crime and data leaks on the rise, and growing in scale, it’s not a case of ‘if’ your business will be hit, but more a case of ‘when’. Getting up to speed on your potential vulnerabilities and how best to protect your systems, will put you into “prepared mode” and keep your business out of the cyber spotlight.
For more cyber security and insurance advice, check out our blog. Drop us a line at firstname.lastname@example.org or give us a call on 0333 772 0759 to discuss how cyber liability cover can help.