International professional services network BDO have issued a statement prompting companies to raise their game on cybersecurity in the wake of May’s worldwide ransomware attacks. The WannaCry hack was an unprecedented globally coordinated cyberattack which hit 230,000 computers in over 150 countries, including the network used by the UK’s National Health Service.
Boards have to lift their organisations to the appropriate level of cyber resilience according to the advisory firm BDO. Speaking in a release in mid-May, the company stated the need to go above and beyond employee behavioural change programmes and IT departments’ technical measures.
The global WannaCry attack, which threatened to withhold files unless computer users paid the perpetrators, originated in poorly protected workstations, showing that training employees is necessary but no longer sufficient. According to the consulting firm, cyber threats are more potent than most executive boards recognise; the release claims companies do invest in security technology, but discover all too soon that the technology is being persistently undermined by different attack methods.
BDO also warned that traditional information security methods are no longer enough to keep cybercriminals at bay – suggesting that the severity, nature and extent of the threat had become so great that it should be addressed at executive board level, where a strategic cyber threat model can be agreed, one that could be based on a defence doctrine taking traditional ‘protect’ models one step further. The firm’s cautionary suggestions followed days after a six-point plan issued by Big Four consulting group EY, which recommended that organisations should draw up and continuously re-evaluate an interdisciplinary incident response plan to prepare for such attacks.
Earlier in the year, the UK government came under increasing scrutiny for its approach to cybersecurity, after it emerged the WannaCry ransomware made use of a known weakness in outdated Windows software. This follows reports made as early as December 2016, which claimed 90% of NHS trusts still ran on Windows XP, for which Microsoft had stopped providing security updates in April 2014.
Prime Minister Theresa May and NHS Digital at first stated they were unaware of compromises in patient records resulting from the attack; however, Home Secretary Amber Rudd has since confirmed that patient data “may” have been lost – having initially refused to confirm concretely whether patient data had been backed up. In a statement following the hack, Rudd also confirmed the NHS would finally upgrade its software in the wake of WannaCry.
Shahryar Shaghaghi, Head of BDO's global Cybersecurity arm said “Ransomware presents a growing threat to every industry, but healthcare organisations are particularly vulnerable. Their digital transformation came late, and the simple reality is that many IT systems weren’t installed with cybersecurity in mind. Because many hospitals rely on end-of-life technology and may prioritise immediate data access over data security, cybercriminals have found their systems relatively easy to penetrate.”