The WannaCry ransomware attack occurred last weekend and caused major disruption to the NHS, and subsequently, many other organisations. Charlie provides his thoughts and introduces our new Managing and Preparing for Cyber Incidents training course.
The waters are still again and all appears to be quiet. A few are still busy recovering from the attack, but just because all seems still, as watchers of the film Jaws will know, somewhere under that still water is a massive shark biding its time before it strikes again. The WannaCry ransomware attack will not be the last of this type of attack.
I thought in response to last weekend’s cyber, not shark attack, I would share a few thoughts that I have not seen elsewhere:
- When the NHS in the UK was attacked they had all the resources of government to call upon to help them out of the situation. The issue I see is if there is a widespread attack, as this one was, where does your organisation go to get expert help? When lots of organisations are attacked simultaneously it may be extremely difficult to find a company to help you. I suggest that as a minimum you identify local providers who could help you respond and have a conversation with them to understand what services they offer. You should also consider cyber insurance which often comes with a response element. Imagine all your systems are locked, your own IT people need help and you are desperately calling down your google supplied list of cyber companies only to find they might have some availability in a couple of months.
- Often when we develop plans for clients, we have not created the plans relating to the organisation losing their IT. As technology moves on this becomes more unlikely. I think, as the NHS has found, you should consider a manual workaround so that you can continue serving customers without IT. This is reminder to us that we need to keep asking customers about their manual workarounds, and how they would operate without connection to their systems.
- I listened to a good webinar this week as part of BCAW, by Roberta Ramsden-Knowles and Charlotte Thompson, and they made a couple of good points. They talked about the decision to disconnect your system from the outside world in response to a cyber attack. If you took this decision, do your technical people know how to do it and how long it takes? If you think this is a possible strategy then you should practice it. They also made the point that if you disconnect your systems, do you have the ability to respond to an incident? Is some of the key information you need to respond in the cloud so you can access it? Will cutting off your system take down your two key communication systems, email and VOIP telephones?
- Many IT systems are live-live, so that if there is an issue with one data centre they can switch over to another data centre and the ransomware can’t get them both simultaneously. Most people have their systems backed up as well, but they probably then have a longer RPO, perhaps 24 hours, as they feel it is unlikely that an incident will affect both centres. Perhaps you should speak to your IT people on this so that you understand it.
- My last point is that there is always a pay off between risk and cost. Do you invest in your IT systems or do you hire two new nurses? This is a balancing act which usually falls on top management. Perhaps, they didn’t get this balance right given that so many NHS organisations were hit.
Back to hungry sharks, if you stay out of the water you can’t be eaten. In a cyber attack, even if you cut yourself off from the web, the infrastructure around you can still be attacked and taken down. Unless you want to live in a cave, cyber attacks are a problem for all of us.
In response to this attack, we have developed a course entitled Managing and Preparing for Cyber Incidents. If you have an interest in the subject then I hope to see you on the training. The first course will take place Tuesday 11th July in London.