Lessons learnt from the NHS cyber attack
Earlier this month, a cyberattack hit NHS systems, meaning people seeking medical help via NHS 111 were warned there could be delays. The outage affected services across the system, including patient referrals, ambulance dispatch and emergency prescriptions, and ministers were swift to announce they were coordinating a ‘resilience’ response to minimise the impact.
What this confirms is that no organisation, however big or small, is protected from the ever-present threat of cyber-crime. Although many will employ a team of cyber security professionals and implement sophisticated protection programmes, the hackers are always trying to stay one step ahead. And regardless of how water-tight your own systems are, this is all irrelevant if the third parties you deal with are not doing the same. So how can Chief Security Officers ensure they have introduced the necessary processes to ensure maximum protection?
The first priority is Vendor Due Diligence. For many big organisations there will be lengthy and complicated tender processes when appointing new partners, from agency staff to office furniture. But what about those in the technology space? When retaining the services of a partner to supply hardware or software, or to operate on your behalf using customer or client data, it is essential that these vendors apply the same or better security controls to the data you ask them to process on your behalf.
Vendor Due Diligence applies rigorous analysis to objectively assess the positioning and security capabilities of a third party. It is essential that a company undertakes Vendor Due Diligence when onboarding a new partner and continues to do so at least annually thereafter. That being said, even with an exemplary Vendor Due Diligence report, incidents may occur along the supply chain that will expose your operations. You therefore need to ensure operational resilience is in place to allow the organisation to continue to function when a particular service provider becomes unavailable.
There are a number of policies you can introduce to ensure a business is adequately prepared in the event of an attack, including:
Business Continuity Plan – this must be put in place so that operations can continue, if not as normal, then to an acceptable standard.
Incident Response Plan – this should be a comprehensive document that all those in a position of responsibility are familiar with and know where to find. It should include all the key contacts that need to be involved, not just from IT but potentially PR, HR and legal, should a cyber-attack have wider ramifications. It must include escalation criteria so there is no grey area when it comes to decision-making. Every potential incident should be considered and a plan of action laid out. It must be regularly updated, as the threat scenario evolves over time.
Incident Tabletop Exercises – a security incident preparedness exercise that takes key stakeholders through the process of dealing with a simulated incident scenario.
Operational Resilience – next year, in the EU, the Digital Operational Resilience Act (DORA) is being introduced, which requires organisations to prioritise secure technologies and resilience to ensure the integrity of financial institutions. This is just one example of governments proactively responding to the increased threat of cyberattacks in the form of regulation. It should not just be about compliance for the sake of it, however; organisations are being short-sighted if they are only doing this as a tickbox exercise or in response to the hand of the law. Being able to deliver on customer promises and protecting customers from any breach is the role of a responsible business, one that will earn the trust of its customers and therefore set itself apart from competitors.
By introducing a Business Continuity Plan, putting in place an Incident Response Plan and testing it with Tabletop Exercises, a CSO is on the right path to resilience. But there are also a number of practical ‘best practice’ steps that can be reviewed immediately:
Ensure existing data flows and processing/services are resilient to an outage and that there are alternative procedures in place should an incident occur (Business Impact Assessments may help here).
Perform vulnerability assessments on a frequent basis. It is important to acknowledge that there is still a high risk of ransomware, which preys on vulnerabilities regardless of all the other steps you put in place, so this is crucial.
Perform risk assessments on the business at least annually.
There is growing evidence that cyber attackers are only becoming more brazen and better at what they do. A recent government survey found that in the last 12 months, 39% of UK businesses identified a cyber-attack.* Yet only 34% of organisations have assessed their cyber risks and potential exposure.** When you consider that many organisations will be utilising third-party software providers to run myriad processes within their business, from remote working platforms to Customer Relationship Management tools, this risk becomes startlingly extreme. Unfortunately, the criminals will keep evolving their practices to keep up with our cybersecurity solutions, so it is essential to carry out these assessments regularly to ensure that all your processes, and those of all your partners, are robust.
*Simon Eyre is Managing Director and Head of Europe, leading Drawbridge’s engineering, product, and customer engagement teams across Europe. Simon brings more than 20 years of deep expertise in the financial services sector as well as IT governance, technology architecture, cybersecurity, and corporate strategy experience to Drawbridge. He most recently served as Director of Information Security at Edge Technology Group and was responsible for cybersecurity for both Edge and its clients. Previously he held multiple senior management roles at Eze Castle Integration, ultimately serving as Director of Service, where he oversaw all IT engineering, client relations and project management throughout London. Simon is a graduate of Rutgers and NJIT Universities with a degree in Electrical Engineering. He holds a CISSP certification.