Industry voice, Wednesday 16 May 2018

Cyber security comes down to risk mitigation

Industry voice: There is a need for a balance between getting on with business and focusing on defences, writes Stuart Aston, national security officer at Microsoft UK

Cyber attacks are an inevitable feature of modern life. They are bound to happen in a world where so much of our personal and organisational business takes place online, and where digital systems have become repositories for vast quantities of sensitive data.

We are living in a world where there is a constant risk of systems being attacked, and the realistic approach to protecting against this is to accept the inevitable and take steps to mitigate that risk.

This was a recurring theme of a UKA Live discussion in which I recently took part with Geoff Connell, chief information officer of Norfolk County Council and current president of public sector IT association Socitm, Andrew Haywood, senior project manager in NHS Digital’s Data Security Centre, and Helen Olsen, publisher of UKAuthority.

One of the most telling comments was that there will certainly be a repeat of an incident on the scale of WannaCry, the ransomware attack that disrupted IT systems at 81 English NHS trusts and 595 GP practices – leading to cancellations of operations and appointments in some – in the spring of 2017.

But there is also a constant campaign of low-level probing by hackers. We have to understand that criminals want to make money in the cheapest and easiest way possible, and that cyber crime, including ransomware attacks on public authorities, will often involve less risk for them than most other types of crime.

Intensification

The ways they exploit technology are intensifying the risk. For example, phishing attacks – emails aimed at obtaining access to sensitive information – are becoming more sophisticated, often providing links to credible-looking websites.

In response, organisations throughout the public sector have to make it as difficult as possible for the criminals, and be prepared for another attack on the scale of WannaCry. The risk cannot be eliminated, but steps can be taken to mitigate it.

The first step is to enforce basic cyber hygiene. Geoff Connell likened it to ensuring that your car is always locked, parked in a safe spot and that you take the keys with you.

There is plenty of relevant guidance available from sources such as the National Cyber Security Centre and NHS Digital’s Data Security Centre, and the prime lessons to emerge from the WannaCry incident were the importance of not hanging on to obsolete operating systems and of staying up to date with software patches.

The discussion acknowledged a big factor – that taking those steps comes at a cost, and that security teams may struggle to make the case for funds in organisations under severe financial pressure. It also highlighted some of the key points in making the case.

Board responsibility

One is that the organisational board has the ultimate responsibility for cyber security. If services are hindered or have to be withdrawn because of an attack, the board will be tarnished by any evidence that it declined to make sufficient resources available for the defence.

It is also important to keep in mind the financial and time costs of things going wrong. For example, WannaCry put some NHS trusts in a position where, for a few hours or days, many of their clinicians and nurses could not get on with their jobs properly – amounting to a significant waste of staff time.

Similarly, as local authorities move more of their services online, there can be severe implications if those channels are closed down by a cyber attack, with the public forced instead to revert to the telephone or drop-in points and taking up much more of council officers’ time. The costs of disruption will often exceed the investment in cyber defences.

Then comes the issue of reputational damage, with the public losing faith in those at the top of an organisation. This is especially intense in local government where a political party can lose control of a council due to public mistrust.

There has been a problem in the past with the cyber specialists presenting the argument in terms that are difficult for outsiders to understand, and one of their priorities should be to demystify the threats and present them as risks to the business. The key is in making it easy for the board to understand.

Sharing intelligence

It is also possible to reduce some of the costs by sharing experience and intelligence with other authorities. There are mechanisms such as the CareCERT portal for bulletins, notifications and information sharing on threats within the NHS, and the Warning, Advice and Reporting Point (WARP) services for specific communities in the public sector. There are other ways of sharing with each other, and using these can remove some of the effort and cost from staying alert to current threats.

The public and private sectors can also work together. For example, Microsoft and NHS Digital have a Customer Support Agreement in place aimed at minimising disruption to NHS services and patients from cyber threats. Open to all health and care organisations, it provides the building blocks for a more secure IT environment, such as patching for medical devices operating on older systems, and a sophisticated Enterprise Threat Detection (ETD) service that creates a centralised approach to monitoring and identifying any potentially malicious cyber activity. (Since the discussion this has been followed by the deal to give healthcare organisations free access to Windows Defender Advanced Threat Detection.)

Collaboration is essential for gaining value from cyber security efforts. But there must also be a recognition that a balance is required, in which an organisation acknowledges the risk, assesses the costs of mitigation, and decides how much of that risk, and in which areas, it can live with.

Each organisation will find its own balance, but all will have to take the risks seriously and be ready to take the basic steps of enforcing cyber hygiene, assessing how to take a proactive approach to defence, and trying to stay one step ahead of those who pose the threat.

We cannot eliminate the bad guys, but we can make it a lot more difficult for them to carry out their plans. Any organisation has to get behind its cyber security professionals to make this possible.

This is just a taster of the observations and suggestions to emerge from the debate. You can watch it in full below: