Earlier this month, the NHS was hit by the largest cyber incident in its short digital history. Matthew Honeyman and Harry Evans look at what can be learned from the experience.

Earlier this month, the NHS was hit by the largest cyber incident in its short digital history. The incident led to significant disruption of services for several days, with networks and email shut down as a precaution to contain the spread to vulnerable PCs. Ambulances were diverted from some trusts struggling to cope without IT systems in their emergency departments.

In the days following the attack, many have been quick to point the finger: at managers, at the national bodies, and at government. Laying blame is easy, but the harder task is to learn from the errors so that we can reduce the likelihood and limit the damage of similar incidents in the future. So what lessons are there for the NHS and government?


Charity Commission urges trustees to be vigilant

The Charity Commission, the independent regulator of charities in England and Wales, is issuing this alert to charities as regulatory advice under section 15(2) of the Charities Act 2011. Charities could be at risk and are urged to be vigilant.

Over 200,000 organisations, including the National Health Service (NHS), in 150 countries have been affected by a recent ransomware attack. The vulnerabilities exploited by the hackers are the same for charities as they are for individuals, public or private sector organisations.

The Charity Commission encourages all charities to follow protection advice recently issued by the City of London Police and National Cyber Security Centre (NCSC).



Charities urged to do more to protect themselves against cybercrime

The Cyber Security Breaches Survey 2017 reveals nearly seven in ten large organisations identified a breach or attack, with the average cost to large organisations of all breaches over the period being £20,000 and in some cases reaching millions. The survey also shows organisations holding electronic personal data on customers were much more likely to suffer cyber breaches than those that do not (51% compared to 37%).

The most common breaches or attacks were via fraudulent emails – for example coaxing staff into revealing passwords or financial information, or opening dangerous attachments – followed by others impersonating the organisation online, and by viruses and malware such as ransomware.

Organisations also identified these common breaches as their single most disruptive breach, and the majority of them could have been prevented using the Government-backed, industry-supported Cyber Essentials scheme, a source of expert guidance showing how to protect against these threats.

These new statistics show organisations across the UK are being targeted by cyber criminals every day and the scale and size of the threat is growing, which risks damaging profits and customer confidence.

The Government has committed to investing £1.9bn to protect the nation from cyber attacks to help make the UK the safest place to live and do business online.

Business also has a role to play to protect customer data. The government offers free advice, online training and Cyber Essentials and Cyber Aware schemes.

The survey also revealed:

Of the organisations which identified a breach or attack, almost a quarter had a temporary loss of files, a fifth had software or systems corrupted, one in ten lost access to third party systems they rely on, and one in ten had their website taken down or slowed.

Firms are increasingly concerned about data protection, with the need to protect customer data cited as the top reason for investing by half of all firms who spend money on cyber security measures.

Following a number of high profile cyber attacks, organisations are taking the threat seriously, with three quarters of all firms saying cyber security is a high priority for senior managers and directors; nine in ten organisations regularly update their software and malware protection; and two thirds of organisations invest money in cyber security measures.

Small organisations can also be hit particularly hard by attacks, with nearly one in five taking a day or more to recover from their most disruptive breach.

Areas where industry could do more to protect itself include guidance on acceptably strong passwords (only seven in ten firms currently provide this), formal policies on managing cyber security risk (only one third of firms), cyber security training (only one in five firms), and planning for an attack with a cyber security incident management plan (only one in ten firms).

All organisations which hold personal data will have to make sure they are compliant with the new General Data Protection Regulation (GDPR) legislation from May 2018. This will strengthen the right to data protection, which is a fundamental right, and allow individuals to have trust when they give their personal data.

The Cyber Breaches Survey is part of the Government’s five-year National Cyber Security Strategy to transform this country’s cyber security and to protect the UK online. As part of the strategy, the Government recently opened the new National Cyber Security Centre (NCSC), a part of GCHQ.

One of the key objectives of the NCSC is to increase the UK’s cyberspace resilience by working with organisations in every sector of the UK economy and society and providing expert advice tailored to them.

Ciaran Martin, CEO of the National Cyber Security Centre, said: “The majority of successful cyber attacks are not that sophisticated but can cause serious commercial damage. By getting the basic defences right, organisations can protect their reputation, finances and operating capabilities.

“Cyber Essentials, technical advice on CiSP and regularly updated guidance on the NCSC website offer companies, big and small, simple steps that can significantly reduce the risk of a successful attack.”