Comment / Constant vigilance

06 January 2022 Peter Sheppard

Do you remember what you were doing on Friday 12 May 2017? Well, for many it was the start of what many had feared: a large-scale cyber attack affecting the NHS. As the WannaCry attack became more prevalent, I recall being asked what we were doing to support our clients. The truth was that those who had worked with us on improving their preparedness were already ready, and had implemented their response plans.

Fast forward to 2022 and the remote working era of the Covid pandemic. With the rapid deployment of laptops, remote working, video calls and ‘you’re on mute’, it’s easy to lose sight of how our exposure to cyber threats has increased. It is a perfect storm: remote workers (including overseas), unfamiliar technology, and challenges accessing IT support.

From an IT management perspective, it seems we’ve become apathetic to the number of attacks as they are now so routinely experienced. The National Cyber Security Centre (NCSC) reported 777 cyber incidents in 2021, with a dramatic increase in scale and sophistication. Rather than scrutinise these attacks, it is more useful to consider the types of attack. Ransomware remains a common theme. However, new attacks include an initial theft of data, followed by an encrypting malware attack and a resultant demand for payment, with the threat that the stolen data will otherwise be leaked.

Several attacks also utilised common IT tools (such as the IT management tool SolarWinds) to inflict large-scale disruption. There has also been a heightened level of attacks against systems of national importance or infrastructure (such as the Colonial Pipeline attack in the USA). And of course, any organisation working on Covid research or response should be particularly cautious as this remains a key priority for attackers.

Can we prevent every attack? Probably not. But there are lots of things that can be done to reduce the risks. TIAA recently undertook a benchmarking review of cyber security maturity, which highlighted that, four years on from WannaCry, the healthcare sector still has several gaps.

While we recognise the work done so far, more maturity is required to move from a reactionary footing to one that is more proactive and based on effective monitoring, learning lessons, and implementing improvements.

The review suggests a number of key priorities NHS IT, finance managers and other colleagues should keep in mind:

  • Know what data you have and where; you don’t want to be doing this in the heat of an attack!
  • Implement data exfiltration (data theft) protection.
  • Ensure an IT incident management procedure is up to date and follows NCSC good practice (including testing it).
  • Check IT disaster recovery is aligned to the organisation’s priorities and business continuity requirements, and backup testing has been undertaken.
  • Deploy multi-factor authentication for all accounts, to prevent user accounts from being hijacked. At the very minimum, protect all high privilege accounts.
  • Move to a proactive security posture, with appropriate tools (such as machine learning and behaviour analysis) to spot threats.
  • Keep up board-level scrutiny of cyber risks and improvement plans.
  • Don’t rely on human behaviour and training to prevent attacks. Mistakes happen.
  • Treat all connected parties as a potential route for an attack.

TIAA is a business assurance services provider.