10 lessons from the report on the NHS WannaCry cyber attack
This week Charlie reflects on the newly released WannaCry report and outlines key lessons organisations can take from the cyber attack.
The National Audit Office investigation into the “WannaCry cyber attack and the NHS” was published this week, so I thought I would share 10 lessons from the report which are relevant to all organisations.
1. In the report, it stated that there was no correlation between the rating of the organisation and those impacted by the cyber incident. This suggests it is not always down to the quality of the organisation as a whole, but how well the IT department is run. Are you sure that your IT department has the skills, money, expertise, knowledge and leadership to ensure that your organisation is not vulnerable to an attack?
2. Alerts were made by NHS Digital to patch critical systems, but those infected ignored the warnings and didn’t update their systems. Unless your systems are patched and up-to-date, you are vulnerable to an attack. This is basic IT management!
3. 44 organisations reported disruptions, although they were not affected by WannaCry, because they shut down emails and other systems as a precaution. In this incident, more organisations were impacted by closing down and isolating their systems, compared to those actually affected by the virus. Have your senior management teams rehearsed the decision process for when they would isolate their organisation’s systems? Do they understand how long it takes and the implications for doing so?
4. Even if the attack didn’t have a direct impact on people’s lives, the indirect impacts were still huge. It was estimated in the report that 19,494 operations were cancelled. Although cyber attacks may not have a direct effect on the organisation, they can still have a massive indirect effect. The impact can be in delivery of service to customers, loss of customer confidence, market share, and reputation, plus the cost in time and possibly external support to fix the breach.
5. “Plans had not been tested at a local level and it was not clear who should lead the response”. Exercising your cyber plan is essential to ensure that everyone is aware of their roles and responsibilities, where they can report the incident and where help and information can be found. This has to go beyond the IT response and needs to include the Senior Manager strategic response to the incident.
6. The response was made more difficult, as the main communications channel was shut down or affected by the virus. You need to have an alternative means of communications if your IT systems are isolated or the incident shuts them down. Deciding under what circumstances systems should be shut down or isolated needs to be documented and practiced during an exercise. Use of alternative communication channels needs to be practiced during exercises as well.
7. The report stated that there was no clarity about who the incident should be reported to. Does your organisation understand who they need to report the incident to, both as part of a statutory responsibility or as good practice? Do they understand under what circumstances they need to report the incident, and are they aware of the reporting needed if they hold data outside their home country?
8. "NHS Digital told us that all organisations infected by WannaCry shared the same vulnerability and could have taken relatively simple action to protect themselves”. In many cases the mitigation is very simple, are you doing the basics to protect your organisation?
9. The cost of the incident was not calculated but included:
a. Cost of cancelled appointments
b. Staff overtime
c. Additional IT support
d. Cost of IT consultants
e. Cost of rolling back and restoring systems
f. Cost of re-entering data manually
Costs can be huge in response to a major breach and, according to the Financial Times, the cost of the Moller-Maersk cyber incident was $300m.
10. NHS England had identified 1,222 pieces of equipment which had been affected by the ransomware; this was 1% of all their equipment. Some of them had Windows XP embedded within the piece of equipment as their operating system. As the internet of things becomes wider, are you aware of operation systems used by equipment and how to patch and update the software?