Lessons from the NHS 111 cyber attack
Chris Butler, Managing Consultant, Databarracks
Reading about the cyber-attack affecting NHS 111 over the weekend, I was reminded of the Maersk cyberattack in 2017, in which one of the world's largest shipping companies, AP Moller-Maersk, fell victim to the NotPetya malware.
A company that is responsible for thousands of ships and hundreds of thousands of tonnes of shipping cargo had to resort to managing this fleet using paper and pencil.
Likewise, we've seen NHS 111 staff recently resort to pens and paper, following the cyber-attack on a critical system that has shut down many services.
Technology has made organisations more efficient by automating manual tasks. However, this has also meant we’ve lost a lot of the manual processes we used to revert to. Manual alternatives will always be less efficient and more expensive, but they can keep you operating. Including “pen and paper processes” in your BCP doesn’t make you a Luddite; it makes you prepared.
Cyber resilience & incident response
Cyber resilience should be a given these days, considering the NCSC advice that it's a question of when, not if, you are attacked. Good response capabilities, such as a SIEM and a SOC, good firewalls, IDS and IPS, cyber insurance, and incident response on call 24/7, should be the minimum expected.
But response is only a small part of overall business resilience. Equally important, from a technical perspective, are good, isolated backups of your mission- and business-critical data, and the means to recover them in line with business requirements.
And, while the technical teams are looking at response and recovery, the business teams should be focusing on continuity measures – including those important manual or reversionary measures. You can’t hack a pencil! Furthermore, you can be sure that your senior leadership team will be involved, so I hope that your crisis management procedures include executive cyber response considerations.
Given most firms are in the world of hybrid working, how would you get together the right people to respond to an attack like this? Have you exercised your Business Continuity Plan with a hybrid team? If not, now is the time.
Securing the supply chain
And finally, the NHS 111 attack wasn't directly targeting the NHS, but rather one of its critical software suppliers (Advanced).
Major attacks on technology providers like Kaseya and SolarWinds have highlighted how vulnerable organisations are to attacks on their digital supply chain. Technology companies provide cyber criminals an avenue into hundreds or even thousands of organisations from a single breach.
This incident did not just affect NHS 111 staff, but also services in all 4 home nations, the Welsh ambulance service, prescription services and a care home management system.
Securing the supply chain is becoming increasingly vital. The NHS is better prepared than most for these kinds of incidents as it is governed by the Networks & Information Systems (NIS) Regulations.
The original 2018 NISD was incorporated into UK law by our own NIS Regulations. NIS2 aims to go further with more comprehensive measures for securing the supply chain when it is fully signed off by the EU. Post-Brexit, it’s unclear if/how the UK will adopt it but I am sure we will, somehow!
So, supply chain resilience very definitely needs to be top of mind. I'm still not convinced that many companies spend enough time assessing the true resilience of their critical suppliers and vendors; this means asking deeper, more searching questions, and completing a proper assessment of their resilience capabilities.
A resilient organisation looks after its ecosystem and has strong partnerships in its network.