The recent ransomware attack on the NHS and over 30,000 companies globally has brought cybercrime to the top of the risk and news agenda.
Patrick Keady, CFIRM, IRM Board member and Chair of the IRM Health and Care Sector Interest Group says:
“The NHS is unusual because it has so few people with the skills to fundamentally understand risk across the enterprise. While the NHS in England employs 1,300,000 workers, it has just 27 partially/fully trained and experienced enterprise risk managers.
At the same time, it is reassuring that most of the NHS organisations affected by WannaDecryptor say they have plans in place to react to the impact of the malware.
However, we have known for years that increasing amounts of IT software and hardware used in the NHS are simply out-of-date and no longer supported by their manufacturers. NHS bosses really do need to take major steps now, to prevent similar episodes and the accompanying disruption to patient services.”
Patrick Keady undertook some research into current risk registers of the 34 NHS Trusts and Clinical Commissioning Groups reported to have been affected by the cyber-attack.
He undertook a deep-dive of 8,500+ pages of Board papers at the 34 organisations affected. In his view, the 34 NHS Board papers are over-crowded with information – with one set of Board papers exceeding 400 pages.
His main findings from the 34 organisations were that:
- 10 organisations publish Risk Registers online.
- 13 publish Board Assurance Frameworks online (this requirement was introduced by New Labour circa 2004).
- Nine do not publish risk registers or board assurance frameworks online.
- Two Trust websites were off-line yesterday.
Patrick singled out Mid-Essex Hospital Services NHS Trust, the only Trust to mention Cyber-Security in their Board Assurance Framework. (Page 20, risk number 949).
“Risks in almost all of the 34 organisations affected on Friday are generally ill-defined and do not relate to the organisations’ strategic objectives. Instead they tend to refer to whether operational programmes and targets will be achieved or not.”
Nicola Crawford, CFIRM, Chair of the IRM goes on to comment:
“This cyber-attack has affected more than just the health sector and has impacted on companies globally.
A 2016 survey of IRM members showed that cyber risk, and the insight into the changing nature of cyber and IT related risks, including data breach, hacking, theft of IP, cyber fraud and commercial sabotage, was one of their most pressing concerns.
We live in an increasingly networked world, from personal banking to government infrastructure. Protecting those networks is no longer optional – the internet of things means enterprise wide risk management, including cyber security policy, has never been more important.
Cyber risk is now firmly at the top of the business agenda globally as high-profile breaches raise fears that hack attacks and other security failures could endanger the global economy. Ransomware and data breach can have catastrophic consequences, including loss of life.”
Alexander Larsen, CFIRM, President of Baldwin Consulting and IRM expert on cyber said:
“Cyber risk has been a growing threat in the last few years. A recent report claimed that the risk in 2016 was four times higher than in 2015. 2017 was expected to be worse, and this recent incident only highlights the frequency and severity of these attacks. The speed at which this virus has affected companies around the world shows the impact these hackers can have. Patients’ records may be at risk of being leaked and operations have had to be rescheduled, ultimately putting lives at risk.
Going forward, we can only expect hackers to become more organised and well-funded, which, alongside advances in AI and technology, will lead to more sophistication in their attacks. Some organisations are already spending hundreds of millions of pounds on cyber security, whilst governments are spending billions in order to prevent these attacks, but experts warn that it is impossible to stop these attacks and that organisations should also be focusing on business continuity and recovery, whilst also safeguarding their reputation, which could be severely damaged if the incident is not managed correctly.”