It’s just over five months since the WannaCry ransomware hit, including 47 NHS Trusts in the UK, resulting in surgeries being cancelled and patients being turned away from A&E. Given the severity of the attack and the chaos it created globally, one would have thought it was the wake-up call that organisations needed to make the much-needed investment in security so that in the future, the impact of such a breach could be mitigated.
Reliance acsn played a key role as an ‘incident responder’ at one of the largest public sector health organisations on that fateful weekend in May. We received the call at 10 in the morning and by 1pm two engineers were at their office. Low on security resources, the Reliance acsn team was drafted in by the organisation to help limit the damage of the breach, plug the holes in security and get the system up and running safely, in the quickest possible time.
The Reliance acsn team supported the wiping of nearly 7000 desktops and laptops, and rebooting the machines so that the organisation could resume normal operation. The team reviewed the organisation’s firewalls set up to determine how the malicious ransomware infiltrated the network – alongside other strategic and best practice-driven project management activities to ensure that the security settings have been updated.
While IT teams typically ‘carry the can’ in such situations, the brutal reality is that many organisations simply aren’t willing to invest in the manpower, skills and security measures needed to enable the IT department to secure their defences – even for security fundamentals such as regular and systematic management of firewalls. These significantly under-resourced departments in public sector healthcare organisations are already struggling to merely keep the IT running 24×7. They don’t have the bandwidth to undertake activities like scheduling downtime for upgrades or drawing up plans for incident response, never mind executing on the plan in a breach situation.
Unfortunately, despite the devastation that WannaCry caused, the lax attitude of public sector towards security hasn’t changed. Post a short-term fix immediately after the incident, bosses in most organisations have reverted to ‘type’, as they say. Security funding remains at the bottom of their priority list and there is hardly any strategic incident response planning being undertaken for the future.
One has to wonder, what will it take for these organisations to make security a priority? For example, a peer working in a public sector health organisation recently commented, “Until an IT issue directly contributes to a casualty, security investment is unlikely to change.” It is truly daunting.
If you are looking for guidance on security awareness for your organisation, talk to us. We have extensive experience in this area, having helped numerous organisations put in mature, well-managed, practical and proven measures to this end.