Organisations struggling to improve their cyber security defences should take note of the recommendations proposed by a House of Commons Select Committee report into last year’s WannaCry ransomware epidemic. That’s according to Peter Groucutt, managing director of Databarracks.
Subsequent to the WannaCry ransomware attack, the House of Commons’ influential Public Accounts Committee issued a report outlining 22 clear and concise recommendations for the NHS to undertake in order to improve its cyber security practices. While it has recently been reported that the NHS is yet to implement a single one of those recommendations, Groucutt believes that other organisations can use the findings to improve their own cyber defences.
“The NHS’ failure to implement any of the recommendations provided by the Select Committee is indicative of wider struggles which still exist among organisations when it comes to good cyber security,” stated Groucutt. “Recently, the Government published findings from its Cyber Security Breaches Survey 2018. The data revealed that many organisations remain in the dark when it comes to finding trusted advice for improving cyber security. This was further emphasised by the fact that, from a sample of over 1,500 businesses, only 9% were aware of initiatives such as the Cyber Essentials Scheme. It’s imperative that firms take advantage of these free and easily-accessible resources to improve their cyber security posture.”
The Select Committee report into the WannaCry attack is an excellent source of information and advice for firms wanting to improve their cyber security defences. Groucutt has picked out several of the Committee’s key recommendations which firms can and should act upon.
“The report highlighted that the NHS wasn’t prepared for WannaCry and that there’s a long way to go before agreed, prioritised and costed plans for improving cyber security are put in place. For smaller businesses, however, this can often be a much easier exercise. When it comes to prioritising and costing your plan, this should include preventative measures and technologies such as anti-spam/anti-virus software, patching and software upgrades, user awareness training and a back-up and recovery plan that’s fit to protect against modern threats such as ransomware. If you’re unsure about your priorities then testing procedures carried out by an external third party can identify where weak spots within the business lie.”
Use of legacy software
Groucutt continued: “Arguably, one of the biggest concerns highlighted by the Select Committee was the NHS’ use of legacy software. As far back as April 2014, NHS Trusts had been warned to migrate from old software such as Windows XP. Yet at the time of WannaCry, 5% of the NHS’ IT estate was still using Windows XP. There were further warnings in 2016 and even in March and April last year, just before the attack. NHS Digital issued warnings to Trusts to secure their Windows operating systems. While it’s easy for organisations to become confused by the choice of security options available, it’s vital to not neglect the basics. This starts with reviewing and auditing existing IT infrastructures and updating software accordingly.”
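The "review and audit existing IT infrastructure" step above is the kind of check that is easy to automate once an asset inventory exists. The following is an added example, not code from the report, the NHS or Databarracks: it walks a constructed inventory of hosts, flags any operating system that is past its vendor end-of-support date (the dates in the table are widely published vendor lifecycle dates but should be verified against the vendor's own pages), flags hosts that have not been patched within a chosen window, and reports what share of the estate is running unsupported software. All host names, patch dates and the reference date are constructed for illustration.

```python
"""Audit a host inventory for end-of-life operating systems and stale patching.

Added illustrative example. INVENTORY, AS_OF and the hostnames are constructed
sample data, not figures from the Select Committee report.
"""
from collections import Counter
from datetime import date, timedelta

# Vendor end-of-support dates (assumed for this example; confirm against the
# vendor's lifecycle documentation before relying on them).
END_OF_SUPPORT = {
    "Windows XP": date(2014, 4, 8),
    "Windows Server 2003": date(2015, 7, 14),
    "Windows 7": date(2020, 1, 14),
}

# Constructed sample inventory: (hostname, operating system, last patch date).
INVENTORY = [
    ("ward-pc-01", "Windows XP", date(2013, 11, 2)),
    ("ward-pc-02", "Windows 10", date(2017, 4, 20)),
    ("mri-console", "Windows XP", date(2012, 6, 1)),
    ("file-srv-1", "Windows Server 2003", date(2015, 3, 3)),
    ("reception-pc", "Windows 7", date(2017, 5, 1)),
    ("admin-laptop", "Windows 10", date(2016, 9, 15)),
]

# Constructed reference date for the audit run.
AS_OF = date(2017, 5, 12)


def is_unsupported(os_name, as_of):
    """True if the OS has a known end-of-support date that is on or before as_of."""
    eol = END_OF_SUPPORT.get(os_name)
    return eol is not None and as_of >= eol


def audit(inventory, as_of, max_patch_age_days=90):
    """Return one finding per host that is unsupported or has not been patched recently."""
    findings = []
    for host, os_name, last_patched in inventory:
        reasons = []
        if is_unsupported(os_name, as_of):
            reasons.append(
                f"{os_name} unsupported since {END_OF_SUPPORT[os_name].isoformat()}"
            )
        if as_of - last_patched > timedelta(days=max_patch_age_days):
            reasons.append(
                f"last patched {last_patched.isoformat()} "
                f"(older than {max_patch_age_days} days)"
            )
        if reasons:
            findings.append({"host": host, "os": os_name, "reasons": reasons})
    return findings


def summarise(inventory, as_of, max_patch_age_days=90):
    """Roll the findings up into the numbers a manager would ask for."""
    findings = audit(inventory, as_of, max_patch_age_days)
    unsupported = [f for f in findings if any("unsupported" in r for r in f["reasons"])]
    total = len(inventory)
    return {
        "total_hosts": total,
        "flagged_hosts": len(findings),
        "unsupported_hosts": len(unsupported),
        "unsupported_pct": round(100 * len(unsupported) / total, 1) if total else 0.0,
        "unsupported_by_os": dict(Counter(f["os"] for f in unsupported)),
    }


if __name__ == "__main__":
    for finding in audit(INVENTORY, AS_OF):
        print(finding["host"], "->", "; ".join(finding["reasons"]))
    print(summarise(INVENTORY, AS_OF))
```

In practice the inventory would come from an asset register or endpoint management tool rather than a hard-coded list; the value of the script is that the end-of-support table and the patch-age threshold are explicit, reviewable inputs, so the audit can be re-run on a schedule and the percentage of the estate on unsupported software tracked over time.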
In addition, Groucutt stated: “Finally, the report detailed that communication during the attack was not co-ordinated, with no alternative communication methods in place after e-mail was switched off. This is a common issue faced by SMEs. The key, though, is to plan ahead. Emergency or mass communication plans don’t have to be complex, but do require thought and planning to make sure that an alternative method to communicate has been determined and alternative contact information provided.”
Groucutt concluded: “Many organisations don’t have the opportunity to undertake a complete review of their security practices. While the NHS has come under scrutiny for not making the necessary reforms needed to its cyber security practices, that’s not to say that others cannot do so. This is an incredibly detailed report from the Public Accounts Committee and, for those struggling with cyber security, much useful advice can be extracted and applied to their own businesses.”