The inevitable finally happened. Commentators and experts have been warning for some time that the NHS was vulnerable to a cyber-attack. And last Friday their fears came true, with as many as 40 hospitals and 24 NHS trusts hit by a virulent strain of ransomware that locked staff out of their systems and potentially put lives at risk.
But despite the well-known vulnerability of the NHS, this wasn't a targeted attack. In fact, the WannaCry ransomware was responsible for infecting over 200,000 computers in around 150 countries worldwide, with many calling it the biggest attack of its kind in history. A number of big businesses were also affected, including Telefonica, FedEx, Deutsche Bahn, Santander and KPMG.
The root of the problem was a vulnerability in Microsoft Windows (in the SMBv1 file-sharing service), first identified by the US National Security Agency (NSA), which developed an exploit for it as a potential weapon of cyber warfare. In Microsoft's defence, the company did release a patch for the vulnerability back in March (security update MS17-010), although it's clear that many organisations failed to install it in time, leaving their systems exposed.
Then, disastrously, a leak from the NSA meant the exploit ended up in the hands of the hacker group The Shadow Brokers, which dumped it on the public web in April for anyone to find. WannaCry's authors built that exploit into their malware, which is what allowed it to spread from one unpatched machine to the next without anyone clicking a link, and which caused so many problems last Friday.
The attack is a perfect example of the 'head in the sand' approach to cyber security taken by too many organisations. So-called 'cyber-hygiene' requires constant vigilance: keeping up with the latest threats and, as this case shows, installing security patches promptly. There is a tendency for companies to ignore or neglect this until it's too late. Cyber criminals and hackers never sleep, which means that your defences can't either.
And while it's organisations such as the NHS that hit the headlines, smaller businesses are equally at risk, particularly in blanket attacks such as this one. The latest Government cyber security breaches survey found that 45% of small businesses identified a cyber security breach or attack in the last year, costing an average of £1,380 for each breach. Without the back-up funds of a larger organisation, just one incident can hit a small business hard, but there are lots of ways it can be avoided.
To minimise the chances of being one of those affected, there are some important steps you can take:
First things first, a cyber risk assessment helps you understand the areas you need to protect, where you could be most vulnerable, and the potential worst case scenarios (data stolen, data destroyed, or, as with ransomware, data you can no longer get at). Start by auditing the data and information you hold that is most valuable. This will give you a good idea of where you need protection. Then look at how you store this data, who has access to it and how it's protected by technology and processes, to understand where you could be most at risk.
If you're not confident carrying out a risk assessment, then you might want to consider hiring an expert to do this for you.
Once you've identified your most valuable data assets, cover all the bases to secure them with the appropriate technology: firewalls, anti-malware and antivirus software on all your computers and devices, and, above all in the light of WannaCry, a routine for installing security updates promptly on every machine, including the old and rarely used ones that are easy to forget about.
The following controls will make a big difference to your cyber security:
If you don't have any dedicated IT expertise in house, it's probably best to consult an expert on the best approach for your needs.
Communication and training
The right technology is hugely important, but getting your people and processes up to speed perhaps even more so. Yet this is an area that is often overlooked. The Government cyber security breaches survey found that only 25 per cent of small businesses have given staff relevant training in the last 12 months - which means they could be your weakest link.
Your communication should begin with a cyber security policy, outlining key processes and procedures, what staff should and shouldn't do, and the potential repercussions if the guidelines aren't followed. The exact issues covered will vary from business to business but potential topics should include:
You should ensure the cyber policy is easily accessible to all employees, is updated regularly, and that staff are also given training around the issues at least every 12 months.
Build a security-centric mobile culture
It's easy to overlook the fact that sensitive information accompanies your employees inside and outside the office premises, and that it needs to be protected at all times. Here are some mandatory rules that will keep your data safe when your employees are on the move:
Most small businesses aren't aware of the amount of information that their vendors have access to and this can also pose a serious security risk. Checking a vendor's security controls should form part of the vetting and onboarding process. Things to look for include:
An insider threat can be a current or former employee, service provider, supplier, contractor, or anybody else that may be able to get their hands on your confidential data. These individuals are likely to have access to sensitive information, often with the responsibility to protect it, leading to severe consequences if it turns out they can't be trusted. We've outlined some simple steps your business can take to prevent employee misuse of data here.
Back up your systems regularly
It's so simple, yet so important, and too many businesses neglect to stay on top of backing up. If you're hit by a cyber-attack, your systems and data are likely to be inaccessible at least for a time, or possibly even permanently destroyed. A backup gives you a lifeline so you can resume normal operations as quickly as possible after an incident. Best practice is to back up at the end of every day and keep the copy in a separate location, in case of a fire, flood or theft at your premises. Two caveats matter for ransomware in particular: keep the backup offline or otherwise out of reach of the machines it protects (ransomware will encrypt any connected drive or network share it can write to, backups included), and keep several dated copies rather than one that is overwritten each night, or you may find that your only backup is of files that were already encrypted. And test a restore from time to time; a backup you have never restored from is a hope, not a plan.
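As an added example (not part of the original article), the following POSIX shell script shows what a backup you can actually rely on after ransomware looks like in practice: every run writes a new timestamped archive rather than overwriting the previous one, records a checksum beside it, and performs a test restore. The directory names, the nightly schedule and the use of tar and sha256sum (or shasum) are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the original article: a minimal versioned backup
# routine. Each run writes a new timestamped archive instead of overwriting
# the previous one, so a backup taken after ransomware has already encrypted
# the files does not destroy the last good copy. The archive is checksummed
# and a test restore is performed, because an untested backup is not a backup.
# Assumes POSIX sh, tar, and sha256sum (or shasum) are available.

set -u

# Compute a SHA-256 digest of a file, portable across GNU and BSD userlands.
digest() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# backup_dir SRC DEST: archive SRC into DEST/<name>-<timestamp>[-n].tar.gz,
# record its digest beside it, and print the archive path.
backup_dir() {
  src=$1; dest=$2
  [ -d "$src" ] || { echo "source $src is not a directory" >&2; return 1; }
  mkdir -p "$dest"
  name=$(basename "$src")
  stamp=$(date -u +%Y%m%dT%H%M%SZ)
  archive="$dest/$name-$stamp.tar.gz"
  # Never clobber an older copy: add a counter if the name is already taken.
  n=1
  while [ -e "$archive" ]; do
    archive="$dest/$name-$stamp-$n.tar.gz"
    n=$((n + 1))
  done
  tar -czf "$archive" -C "$(dirname "$src")" "$name"
  digest "$archive" > "$archive.sha256"
  echo "$archive"
}

# verify_backup ARCHIVE: recompute the digest and compare with the stored one.
# A mismatch means the archive was truncated, corrupted or tampered with.
verify_backup() {
  archive=$1
  [ -f "$archive" ] && [ -f "$archive.sha256" ] || return 1
  [ "$(digest "$archive")" = "$(cat "$archive.sha256")" ]
}

# restore_to ARCHIVE DIR: extract the archive under DIR.
restore_to() {
  tar -xzf "$1" -C "$2"
}

# restore_test ARCHIVE SRC: extract to a scratch directory and compare with
# the live data; exit status 0 means the backup restores faithfully.
restore_test() {
  archive=$1; src=$2
  scratch=$(mktemp -d)
  restore_to "$archive" "$scratch"
  if diff -r "$src" "$scratch/$(basename "$src")" >/dev/null; then
    rc=0
  else
    rc=1
  fi
  rm -rf "$scratch"
  return $rc
}

# Usage (nightly, e.g. from cron):
#   a=$(backup_dir /srv/company-data /mnt/offline-backups) \
#     && verify_backup "$a" && restore_test "$a" /srv/company-data
```

Run backup_dir nightly with the destination on a drive or share that is disconnected, or at least read-only, outside the backup window; an always-mounted backup share is just another folder for ransomware to encrypt. Because every run produces a new archive, yesterday's copy survives a backup of already-encrypted data, and verify_backup will flag an archive that has itself been altered.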
Periodic assessment of vulnerabilities
Finally, periodic testing should be carried out to find weaknesses in your network before an attacker does. Third parties can be hired to carry out vulnerability scanning and penetration testing, so that any gaps (unpatched systems, like the ones that let WannaCry spread, are a prime example) can be closed before it's too late.
Even with the best technology and security measures, sometimes you're powerless to stop a breach. This is where an effective response plan comes in, enabling you to control the situation as quickly as possible, with minimum impact to you and your customers. For example, in the case of the NHS, hospitals and trusts were generally praised for their communication with the public, ensuring people were kept informed of what was going on.
Yet, despite its importance, only 30 per cent of organisations have a breach response plan in place, potentially leaving them floundering in the event of an attack.
An effective response plan should include the following elements:
If the worst does happen and you're facing the repercussions of a data breach, your final line of defence is a watertight and specialist cyber insurance policy. Covering you for breach of data protection laws (where insurable by law) and your liability for handling data, it can also provide cover for extortion, system rectification costs, plus PR expenses and financial loss due to system downtime.
Some key aspects to look out for include:
With cyber-crime and data leaks on the rise, and growing in scale, it's not a case of 'if' your business will be hit, but more a case of 'when'. Getting up to speed on your potential vulnerabilities and how best to protect your systems, will put you into "prepared mode" and keep your business out of the cyber spotlight.
For more information about cyber security insurance, check out our blog. Drop us a line at firstname.lastname@example.org or give us a call on 0333 772 0759 to discuss how cyber liability cover can help.