Cyber security is no longer just a matter of protecting data, but also preventing dangerous attacks, which could cost money and or potentially put lives at risk. The WannaCry ransomware attack affected more than 300,000 computers globally, and heavily disrupted the operations of many major companies and institutions from a variety of sectors.
However, one of the worst affected areas was the public sector – specifically the NHS. The attack was so severe that hospitals and doctors’ surgeries from at least 16 health service organisations had to turn away patients and cancel appointments, seriously affecting patients’ wellbeing. The fact that the NHS bore the brunt of the ransomware attack shines a light on the vulnerabilities of the public sector.
The threat of a breach cannot be taken lightly, and the need to bolster cyber defences is imperative. The Department for Digital, Culture, Media and Sport (DCMS) recently warned that ‘essential services’ organisations could face fines of up to £17m or 4% of global turnover – separate to any fines from GDPR – if they fail to protect themselves from cyber-attacks.
This further reinforces the need for organisations to improve their cybersecurity. The impact of cyber attacks has spurred the Government to act and bolster the sector’s cyber security systems with a £21m investment, but the right steps must be taken to prevent data breaches altogether.
Criticisms of the NHS and the wider public sector have varied from not replacing old computer systems to not investing in protection from new threats. In the wake of WannaCry, the NHS has attempted to address this in signing a partnership between its digital arm and Microsoft, which will include updates and patches for all computers still using Windows XP.
While updating infrastructure will help, more needs to be done to keep data truly safe. Updates and patches are not enough to cover the wide range of factors that cause breaches. One extremely important aspect of cybersecurity is training. If public sector organisations want to prevent attacks like ransomware, which are mostly caused by phishing, they need to ensure that staff have basic ‘cyber-hygiene’.
This would mean knowing the basics of how to prevent a breach, how to spot potential attacks and taking responsibility for how they conduct themselves around data whether inside or outside of work, as well as understanding the implications of their actions on the organisation.
Despite numerous attacks on firms, this is something that is still neglected. A recent survey of the FTSE 350, by the Government, showed that a shocking 68% of board members had not been trained to deal with cybersecurity incidents.
Public sector firms are no exception. The consequences of staff not being cyber-literate is a leading cause of breaches in security, with recent research from CompTIA finding that 60% of UK businesses blame human error as a major contributor to security breaches. General carelessness and staff failing to follow policies are the primary contributors, which suggests the lack of knowledge and awareness amongst employees to protect data is a major concern across the board.
The NHS therefore needs to expand its cybersecurity practices far beyond simple software updates and patches. It needs to train staff to ensure they can remain secure and avoid leaving data exposed. Organisations must ensure they have all the information to teach staff to stay vigilant against threats. Awareness and knowledge are the best tools to guard against malicious attacks.
It is also vital that organisations hire certified IT and security staff to help regulate these processes. The value of certified staff is clear to see, due to their up-to-date and versatile knowledge of systems, current and emerging technologies. The fact that a CompTIA report reveals that 89% of organisations believed that IT-certified individuals were more efficient than non-IT-certified individuals in similar job roles is a testament to their worth to any organisation.
The need for cyber security training must involve the entire IT team. It starts with the help desk and technical support personnel, the first line of defence against cyber threats. It extends to the cybersecurity analyst, who uses data analytics to identify potential risks and vulnerabilities so that resources can be allocated where they are most needed before an intrusion happens.
While many organisations in the public sector are going in the right direction, more needs to be done to tackle cyber attacks and prevent breaches. Patching the network is not enough. The NHS needs to set an example by making sure that staff are cyber security trained and that IT staff are certified to demonstrate their capabilities. It is imperative that the public sector improves its cybersecurity to prevent attacks like WannaCry ever happening again.
Sourced by Graham Hunter, VP of Europe and Middle East, CompTIA