“Organisations struggling with cyber security should learn from NHS guidance” urges Databarracks

Organisations struggling to improve their cyber security defences should take note of the recommendations proposed by a House of Commons Select Committee report into last year’s WannaCry ransomware epidemic. That’s according to Peter Groucutt, managing director of Databarracks.

Subsequent to the WannaCry ransomware attack, the House of Commons’ influential Public Accounts Committee issued a report outlining 22 clear and concise recommendations for the NHS to undertake in order to improve its cyber security practices. While it has recently been reported that the NHS is yet to implement a single one of those recommendations, Groucutt believes that other organisations can use the findings to improve their own cyber defences.

“The NHS’ failure to implement any of the recommendations provided by the Select Committee is indicative of wider struggles which still exist among organisations when it comes to good cyber security,” stated Groucutt. “Recently, the Government published findings from its Cyber Security Breaches Survey 2018. The data revealed that many organisations remain in the dark when it comes to finding trusted advice for improving cyber security. This was further emphasised by the fact that, from a sample of over 1,500 businesses, only 9% were aware of initiatives such as the Cyber Essentials Scheme. It’s imperative that firms take advantage of these free and easily-accessible resources to improve their cyber security posture.”

The Select Committee report into the WannaCry attack is an excellent source of information and advice for firms wanting to improve their cyber security defences. Groucutt has picked out several of the Committee’s key recommendations which firms can and should act upon.

“The report highlighted that the NHS wasn’t prepared for WannaCry and that there’s a long way to go before agreed, prioritised and costed plans for improving cyber security are put in place. For smaller businesses, however, this can often be a much easier exercise. When it comes to prioritising and costing your plan, this should include preventative measures and technologies such as anti-spam/anti-virus software, patching and software upgrades, user awareness training and a back-up and recovery plan that’s fit to protect against modern threats such as ransomware. If you’re unsure about your priorities then testing procedures carried out by an external third party can identify where weak spots within the business lie.”

Use of legacy software

Groucutt continued: “Arguably, one of the biggest concerns highlighted by the Select Committee was the NHS’ use of legacy software. As far back as April 2014, NHS Trusts had been warned to migrate from old software such as Windows XP. Yet at the time of WannaCry, 5% of the NHS’ IT estate was still using Windows XP. There were further warnings in 2016 and even in March and April last year, just before the attack. NHS Digital issued warnings to Trusts to secure their Windows operating systems. While it’s easy for organisations to become confused by the choice of security options available, it’s vital to not neglect the basics. This starts with reviewing and auditing existing IT infrastructures and updating software accordingly.”
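The audit step Groucutt describes, reviewing the estate for software that is out of vendor support or has not been patched since the warnings were issued, is the kind of check that is easy to script against an asset inventory. The following is an added example written for this page, not code from Databarracks, NHS Digital or the Committee report. It reads a constructed CSV inventory (hostnames and dates are invented), uses Microsoft's published extended-support end dates for Windows XP (8 April 2014), Windows Server 2003 and Windows 7, takes 12 May 2017 (the day WannaCry spread) as the reference date, and assumes a patch cut-off of 30 April 2017 to represent the March and April warnings mentioned above. Hosts that are both out of support and unpatched are ranked first so the list reads as a prioritised remediation plan rather than a raw dump.

```python
"""Audit an asset inventory for out-of-support operating systems and stale patching.

Added example: the inventory, hostnames and the PATCH_CUTOFF date are assumptions
constructed for illustration; the end-of-support dates are Microsoft's published ones.
"""
import csv
import io
from dataclasses import dataclass
from datetime import date

# Vendor end-of-support dates (Microsoft extended-support end). None means the
# product was still supported throughout the period considered here. Any OS not
# listed is treated as unknown and flagged for review rather than silently passed.
END_OF_SUPPORT = {
    "Windows XP": date(2014, 4, 8),
    "Windows Server 2003": date(2015, 7, 14),
    "Windows 7": date(2020, 1, 14),
    "Windows 10": None,
}

AS_OF = date(2017, 5, 12)          # reference date: the WannaCry outbreak
PATCH_CUTOFF = date(2017, 4, 30)   # assumed: hosts not patched since the spring warnings are stale

# Constructed sample inventory (not real hosts).
SAMPLE_INVENTORY = """hostname,os,last_patched
ward-pc-01,Windows XP,2014-02-03
ward-pc-02,Windows 7,2017-03-20
imaging-srv-1,Windows Server 2003,2015-05-01
admin-pc-07,Windows 10,2017-05-01
admin-pc-08,Windows 7,2017-05-02
lab-analyser-3,Windows XP,2013-11-19
reception-pc-1,Windows 7,2016-12-30
"""


@dataclass
class Host:
    hostname: str
    os: str
    last_patched: date


def parse_inventory(text: str) -> list:
    """Parse a hostname,os,last_patched CSV into Host records."""
    reader = csv.DictReader(io.StringIO(text))
    return [
        Host(r["hostname"].strip(), r["os"].strip(), date.fromisoformat(r["last_patched"].strip()))
        for r in reader
    ]


def is_unsupported(host: Host, as_of: date) -> bool:
    """True if the host's OS is past end of support on as_of, or is not in the reference table."""
    if host.os not in END_OF_SUPPORT:
        return True  # unknown product: needs review, so treat as a finding
    eos = END_OF_SUPPORT[host.os]
    return eos is not None and eos <= as_of


def audit(hosts: list, as_of: date, patch_cutoff: date) -> list:
    """Return findings as dicts, ordered: unsupported and stale, then unsupported, then stale."""
    findings = []
    for h in hosts:
        unsupported = is_unsupported(h, as_of)
        stale = h.last_patched < patch_cutoff
        if unsupported or stale:
            findings.append({"hostname": h.hostname, "os": h.os,
                             "unsupported": unsupported, "stale": stale})
    # False sorts before True, so the most exposed hosts come first; hostname breaks ties.
    findings.sort(key=lambda f: (not f["unsupported"], not f["stale"], f["hostname"]))
    return findings


def estate_share(hosts: list, os_name: str) -> float:
    """Fraction of the estate running os_name (the report's '5% still on Windows XP' figure)."""
    if not hosts:
        return 0.0
    return sum(1 for h in hosts if h.os == os_name) / len(hosts)


def example_report() -> list:
    """Run the audit over the constructed inventory with the dates assumed above."""
    return audit(parse_inventory(SAMPLE_INVENTORY), AS_OF, PATCH_CUTOFF)


if __name__ == "__main__":
    hosts = parse_inventory(SAMPLE_INVENTORY)
    print(f"Windows XP share of estate: {estate_share(hosts, 'Windows XP'):.1%}")
    for f in example_report():
        flags = [k for k in ("unsupported", "stale") if f[k]]
        print(f"{f['hostname']:16} {f['os']:22} {', '.join(flags)}")
```

Swap `SAMPLE_INVENTORY` for an export from your asset register and `PATCH_CUTOFF` for the date of the last advisory you expect to have been applied; the ordering then gives the remediation queue, and `estate_share` gives the headline figure that a costed plan needs.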

In addition, Groucutt stated: “Finally, the report detailed that communication during the attack was not co-ordinated, with no alternative communication methods in place after e-mail was switched off. This is a common issue faced by SMEs. The key, though, is to plan ahead. Emergency or mass communication plans don’t have to be complex, but do require thought and planning to make sure that an alternative method to communicate has been determined and alternative contact information provided.”

Groucutt concluded: “Many organisations don’t have the opportunity to undertake a complete review of their security practices. While the NHS has come under scrutiny for not making the necessary reforms needed to its cyber security practices, that’s not to say that others cannot do so. This is an incredibly detailed report from the Public Accounts Committee and, for those struggling with cyber security, much useful advice can be extracted and applied to their own businesses.”

About the Author
Brian Sims BA (Hons) Hon FSyI, Editor, Risk UK (Pro-Activ Publications). Beginning his career in professional journalism at The Builder Group in March 1992, Brian was appointed Editor of Security Management Today in November 2000 having spent eight years in engineering journalism across two titles: Building Services Journal and Light & Lighting. In 2005, Brian received the BSIA Chairman’s Award for Promoting The Security Industry and, a year later, the Skills for Security Special Award for an Outstanding Contribution to the Security Business Sector. In 2008, Brian was The Security Institute’s nomination for the Association of Security Consultants’ highly prestigious Imbert Prize and, in 2013, was a nominated finalist for the Institute’s George van Schalkwyk Award. An Honorary Fellow of The Security Institute, Brian serves as a Judge for the BSIA’s Security Personnel of the Year Awards and the Securitas Good Customer Award. Between 2008 and 2014, Brian pioneered the use of digital media across the security sector, including webinars and Audio Shows. Brian is actively involved in 50-plus security groups on LinkedIn and hosts the popular Risk UK Twitter site. Brian is a frequent speaker on the conference circuit. He has organised and chaired conference programmes for both IFSEC International and ASIS International and has been published in the national media. Brian was appointed Editor of Risk UK at Pro-Activ Publications in July 2014 and as Editor of The Paper (Pro-Activ Publications’ dedicated business newspaper for security professionals) in September 2015. Brian was appointed Editor of Risk Xtra at Pro-Activ Publications in May 2018.