In the last few days, the NHS succumbed to a cyber attack, highlighting the vulnerabilities of all organisations.
By Mark Hope, StoneHouse Logic.
The security breach was a “ransomware” attack, code which locked infected computers and denied access to crucial data until users paid a ransom of more than £200.
The attack affected users the world over, exploiting vulnerabilities in old software. The NHS was susceptible because it was running an outdated version of Windows.
This highlights what IT experts have been saying for some time: all organisations must take cyber threats seriously.
At the most basic level businesses are advised to:
- Make sure your security software patches are up to date
- Make sure that you are running proper anti-virus software
- Back up your data somewhere else, because you can’t be held to ransom if you’ve got the data somewhere else
We would also recommend:
- Review and protect access to your network, particularly from the internet. Configuration of internet routers and firewalls needs to be reviewed regularly and any changes strictly controlled.
- Remove unnecessary software. Only use trusted sources of software and control what software users can install.
- Audit which users can access which software, files and data. Grant the minimum level needed for them to do their work, and accept some inconvenience when they need access to new areas.
- Control the use of removable storage such as pen drives: use encrypted drives only, and consider blocking their use altogether to prevent the injection of malware and the removal of data.
- Provide staff awareness training on the nature of attacks, how to prevent them and what to do if an attack happens.
In practice, a multi-layered approach is required to minimise the risk of attack. But it’s also important to understand that an attack could still happen, and to plan to minimise its impact and to be able to recover quickly, with minimal disruption and loss of data.
Sadly, one of the most vulnerable parts of your defence will be your staff, who will be targeted individually by fraudsters seeking to defraud the company, or tricked into clicking on links or giving permission to install software that attacks or monitors use of the systems. Staff training really can’t be ignored as part of the company’s defence, and it must be accepted that some impact on the way people work may be necessary to minimise the threat.
The government’s Cyber Essentials scheme guides a business on these approaches, with free advice available, backed by certification if the organisation needs to demonstrate or be confident in a sound basic level of cyber security.
StoneHouse Logic now offers a specific service to help clients achieve Cyber Essentials certification: support with the certification process itself and, importantly, the audit, changes and ongoing management of the business’s IT systems needed to achieve and maintain this level of assurance.
For further information, the UK government’s response is available from the National Cyber Security Centre. Advice for home computer users, which you may wish to share with your employees, is also available from the NCSC. To report instances of cyber crime, or to access free, impartial advice, contact Action Fraud. Details of the Cyber Essentials scheme are available from the NCSC.