Cyber-crime is on the rise, and given the growing use of technology and the growing volumes of data that organisations and individual users face, it is no surprise.
Recently, British Airways was struck by an outage that left not one but two data centres dormant for several days. The knock-on effect of this lasted days and left thousands of customers stranded at airports, unable to fly and unable to access baggage; the estimated cost to BA in compensation alone could be up to £150m. Whether BA’s explanation of the situation (human error) was sufficient or not, many will think or suspect that cyber-criminals could have been involved somehow, whether through a ransomware attack, a hack or something else.
Cyber-crime clearly has damaging effects for those who fall victim, but how far does the problem spread and how damaging can it be?
Cyber-crime 2, cyber-security 0
It is difficult to talk about cyber-crime without looking at the cyber-security measures implemented. Furthermore, it is difficult to talk or read about cyber-security without coming across malware and, in recent times, more specifically WannaCry. WannaCry was a large-scale attack that combined multiple techniques to exploit vulnerable systems with devastating effect. Among the 300,000 or so organisations affected, across 150 countries, was the British National Health Service (NHS), which saw over 40 hospitals hit. The WannaCry attack struck on a Friday afternoon and left NHS hospitals in a state of frenzy as they battled to get back to operational capacity and resume ambulance and A&E services in the regions affected.
With cyber-attacks able to cause such damage to networks and shut down services, the effects could be extremely damaging. Two days before Christmas 2016, a region in Ukraine found this out the hard way when hackers remotely shut down part of the power grid, leaving almost a quarter of a million people with no power. The hack that gave the criminals access was the result of months of planning and involved a phishing scam, with emails designed to look like they had come from friends and colleagues, to obtain passwords.
Besides the potential for reputational damage and the negative effects on consumers and customers, suffering from a cyber-crime should be a real warning to any organisation. Downtime and outages are going to cost money, as will recovering from them (by paying a ransom or otherwise). But if a network has been compromised once, it can be again, and although no organisation can be 100% risk-free, measures should be taken to reduce the threat.
How could BA and the NHS have protected themselves?
Although these events are often unpredictable, companies and organisations of all sizes can implement more solutions and strategies to prepare for the chance of being hit by a targeted attack that causes data loss.
Best practice in any organisation should ensure there are processes, plans and procedures in place to deal with an outage or disaster, natural or otherwise. This plan, a business continuity plan (BCP), should be a well-documented set of steps to help identify and resolve issues in the quickest available time frame, minimising the fallout. Business continuity plans should consider the value of data and which systems are most vital to the business's ability to get back to operational capacity.
It is likely, of course, that BA had a robust and tested DR plan and BCP, but this does not explain why they were not implemented correctly when it mattered most. BA’s explanation of the situation was lacking in detail but, given the estimated cost, someone will be held accountable, even if not publicly.
The NHS is a vast organisation that faces a unique set of challenges. As a publicly funded organisation, with budgets being cut year on year, there is immense pressure to cut costs and to spend more efficiently, although there is a world of difference between spending efficiently and buying cheaply. Another challenge the NHS faces is the lack of centralisation; NHS practices are part of Clinical Commissioning Groups (CCGs), with each CCG responsible for an average of 226,000 people. With 211 CCGs in the UK, though, that is literally hundreds of targets within one organisation that hackers and cyber-criminals can exploit.
As damaging as WannaCry was, it could have been prevented. With up-to-date software and technology, it is likely that the infection would have spread less, if it had been able to infect systems at all. The other point that should be noted is that if secure, off-site backups had been implemented and working correctly, systems could have been recovered in a matter of hours.
How does this translate for SMEs and other organisations?
For SMEs and smaller organisations, the immediate threat to systems may be less: there are fewer systems for cyber-criminals to target and, with a smaller estate, it is easier to implement the correct security procedures. However, if data is lost (to ransomware or any other threat), the effects could be more damaging. For smaller organisations, the cost of having to pay a ransom, or even a fine for a data breach, will be relatively higher.
Many SMEs will work with third-party service providers to look after their IT rather than employing someone in-house. It is important that third parties are following best practices such as having a business continuity and disaster recovery plan, backing up all data and minimising the risk of data loss.
3-step guide to cyber security for you
As an individual with concerns over data security and your personal IT, or as a professional responsible for IT, cyber-security is something to be taken seriously. Although IT environments vary widely, there are simple steps that can be taken to identify and reduce the risk you face.
The first step in any security or management related IT project should be to review what is currently in place. By reviewing what data (and data sources) are within your environment, as well as any previously identified weak points, you can gain a quick understanding of how well prepared and protected you are against cyber-threats.
Cyber-threats are evolving at an astonishing rate, and software and solutions providers can only do so much to keep protecting against them. However, almost all software updates now include important bug fixes and security patches that protect against the latest threats. Having the most up-to-date software is just one step in protecting against threats, but it’s an important one.
The second area that will benefit from an update is internal documentation and procedures around data management and protection. Having solid policies on data management is likely to decrease the amount of data you have and add to the security of it, giving cyber-criminals less to target.
It goes without saying, but it is important to protect your network and data, and the way in which you do this will ultimately depend on what you are protecting and the budget and resources you have available to protect it with. Methods such as anti-virus, firewalls and data backup are just some of the ways this can be done.