The recent ransomware attack on the NHS and over 30,000 companies globally has brought cybercrime to the top of the risk and news agenda. According to the Institute of Risk Management’s Patrick Keady, legacy systems and a lack of basic understanding of risk may underpin the vulnerabilities in these organisations.

“The NHS is unusual because it has so few people with the skills to fundamentally understand risk across the enterprise. While the NHS in England employs 1,300,000 workers, it has just 27 partially or fully trained and experienced enterprise risk managers. At the same time, it is reassuring that most of the NHS organisations affected by Wanna Decryptor, say they have plans in place to react to the impact of the malware,” Keady says.

Keady is also an IRM board member and chair of the IRM Health and Care Sector interest group, and in his experience, out-of-date systems have hindered the NHS and other organisations for years.

“We have known for years that increasing amounts of IT software and hardware used in the NHS are simply out-of-date and no longer supported by their manufacturers. NHS bosses really do need to take major steps now, to prevent similar episodes and the accompanying disruption to patient services,” he adds.

Keady conducted his own research into current risk registers of the 34 NHS Trusts and Clinical Commissioning Groups reported to have been affected by the cyber-attack.

Through a deep-dive of over 8,500 pages of board papers at the 34 organisations affected, he discovered an excess of information and the lack of a streamlined data management system. The 34 NHS board papers are over-crowded with information, with one set exceeding 400 pages.

NHS review: the main findings

• 10 organisations publish Risk Registers online.
• 13 publish Board Assurance Frameworks online, a requirement introduced by New Labour circa 2004.
• Nine do not publish risk registers or board assurance frameworks online.
• Two Trust websites were off-line yesterday.

Keady singled out Mid-Essex Hospital Services NHS Trust, the only Trust to mention cyberssecurity in their Board Assurance Framework. “Risks in almost all of the 34 organisations affected on Friday, are generally ill-defined and do not relate to the organisations’ strategic objectives. Instead they tend to refer to operational programmes and targets will be achieved or not”.

Lack of awareness

A 2016 survey of IRM members showed that cyber risk and the insight into the changing nature of cyber and IT related risks, including data breach, hacking, theft of IP, cyber fraud and commercial sabotage was one of their most pressing concerns. According to chair of IRM, Nicola Crawford, the fact that this cyber-attack has affected more than just the health sector and has impacted on companies globally reveals just how crucial a basic understanding of risk can be for businesses.

“We live in an increasingly networked world, from personal banking to government infrastructure. Protecting those networks is no longer optional – the internet of things means enterprise wide risk management, including cyber security policy, has never been more important,” she says. “Cyber risk is now firmly at the top of the business agenda globally as high-profile breaches raise fears that hack attacks and other security failures could endanger the global economy. Ransomware and data breach can have catastrophic consequences including loss of life”.

A report from earlier this year reveals that the risk in 2016 was four times higher than in 2015. Risk in 2017 is expected to be worse.

“The speed at which this virus has affected companies around the world shows the impact these hackers can have. Patient’s records may be at risk of being leaked, operations have had to be rescheduled, ultimately putting lives at risk,” says Alexander Larsen, president of Baldwin Consulting and IRM cyber expert.

“Going forward we can only expect hackers to become more organised and well-funded, which, alongside advances in AI and technology, will lead to more sophistication in their attacks. Some organisations are already spending hundreds of millions of pounds on cyber security, whilst governments are spending billions in order to prevent these attacks, but experts warn that it is impossible to stop these attacks and that organisation’s should also be focusing on business continuity and recovery whilst also safeguarding their reputation which could be severely damaged if the incident is not managed correctly”.

Lack of monitoring

New research from risk management consultancy, Lockton, which surveyed 200 senior decision makers responsible for cyber security, prevention and resolution, shows huge perception gap over cyber risk preparedness. Only 8 per cent of UK organisations check if they are being hacked every day.

Government figures estimate that seven in 10 large companies experienced a cyber breach or attack in the past 12 months. Lockton senior vice president (Global Cyber and Technology), Peter Erceg believes early detection is the best first defence to preventing significant loss or damage.

“You can never completely prevent a cyber breach, but proper training is a critical line of defence. In most cases, cyber attackers gain access through a member of staff, so its vital employees are trained to recognise suspicious or fraudulent activity. With the threat of cyber-attacks increasing exponentially there is no excuse for companies not to be investing in the development of a robust mitigation plan, underpinned by a set of employee policies and guidelines,” he says.

The cost of a data breach can run into millions of pounds, with the average cost per lost or stolen record at £102.

Despite this only 8 per cent of UK organisations check to see if they are being hacked every day. Almost a third only do so at least once a month while a quarter only use detection hacking methods every two to three months.

Lack of board engagement 

Many companies are also failing to involve relevant stakeholders in cyber-breach scenario planning. Just 50 per cent of organisations say the board is in any way involved, with other key figures such as the head of PR and communications and head of HR also excluded.  

In contrast, 96 per cent of those surveyed say the head of IT is involved, alongside other key figures including risk management and operations.

Consequently, just 26 per cent of companies say the board is the most influential figure in terms of decision making for cyber-breach scenario planning, compared to 42 per cent who say it is the head of IT and 28 per cent who cite risk management teams.

“The lack of engagement by key stakeholders is worrying. The Board needs to be intimately involved in cyber breach planning to allow them to constructively challenge their head of IT and other key members of staff to demonstrate how prepared their organisation is, and identify when this preparedness is being exaggerated,” says Erceg. “The outputs of a cyber breach are very much a board-level concern. They must be held accountable to ensure their organisation has an effective cyber risk management strategy in place, including sufficient protection to protect critical corporate assets.”

Human error goes unchecked

UK organisations are also failing to mitigate the high risk of human error causing a cyber breach. More than a quarter of UK organisations admit not all of their staff are aware of the correct procedure and who to contact in the event of a cyber breach, while a similar proportion say new staff are not made aware of the cyber security processes and procedures in place within their company. Almost a fifth do not regularly update staff with the latest news on dealing with potential cyber security breaches.

Given the four most common types of cyber breach – fraudulent emails, viruses, spyware and malware, impersonation and ransomware – are all linked to human factors, staff awareness and understanding should be treated as a crucial part of cyber breach prevention.

“You can never completely prevent a cyber breach, but proper training is a critical line of defence. In most cases, cyber attackers gain access through a member of staff, so its vital employees are trained to recognise suspicious or fraudulent activity,” Erceg adds. “With the threat of cyber-attacks increasing exponentially there is no excuse for companies not to be investing in the development of a robust mitigation plan, underpinned by a set of employee policies and guidelines.”

The global WannaCry ransomware attack

• Friday, over 50 hospitals, doctors, surgeries and pharmacies hit by Wannacry
• Virus targets older software such as Windows XP
• Seven acute hospital Trusts still diverting patients up until last night
• Warning as PCs switched back on after attack
• Over 29,000 institutions hit in China
• Cyber-attack a wake-up call
• Some NHS trusts still affected
•  Over £30,000 paid out in ransoms so far, according to the BBC
• Operations and GP surgeries still affected
• Second variation to virus now infects more systems
• Nissan Sunderland, German rail network Deutsche Bahn and US delivery giant FedEx are among 200,000 companies in 150 countries known to have been affected, others include Renault
• Despite reports Sir Michael Fallon confirms Vanguard submarine is safe.