The much-publicised cyber-attack that hit the NHS and many others on Friday appears to have come out of thin air. The vulnerability of the NHS systems has meant that, in this country at least, our health service appears to have been hit the hardest.
The cause of the outbreak and the vulnerability that it exploited will be documented in great detail over the next few days, but the basic point is that IT systems have bugs and that these bugs need to be patched as they are discovered to keep the system secure. There used to be a mindset in the computing world that you didn’t apply updates until they had been proven elsewhere. The view was that it was better to be ‘behind-the-curve’ and to let others apply updates that might break an otherwise reliable system.
We don’t live in that world any more. There are agencies and individuals who would target and damage your systems, your data and your company for financial gain and it matters not whether you are a large corporate or a local charity.
If you run a business or charity, then you are vulnerable, but not completely helpless. The UK government has published what it considers the ‘10 steps to cyber security’ and it’s worth a read (link at the bottom of the page). The 10 steps are sensible, but first I think you should focus on just two.
- The first is that you should run your Windows updates, and run them regularly. If your machines have not updated within 14 days then you’re out of date. Run them weekly and then restart the machine to make sure they have applied.
- The second is to understand that something has to happen before you can get infected. You have to open an email, click on a link or plug in a memory stick. Attacks that come through your firewall unprompted are vanishingly rare. Almost all start with an email to an unsuspecting member of staff. You can guard against this by talking to your teams, encouraging scepticism and rewarding those who detect issues.
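A way to check the first point on a single Windows PC, as an added example that is not part of the original article: this PowerShell script reports when the most recent update was installed, flags the machine if that was more than 14 days ago, and checks whether a restart is still pending. It assumes the newest entry returned by `Get-HotFix` is a fair proxy for "last updated" (it does not list every kind of update), and the function names are illustrative.

```powershell
# Added example: thresholds follow the article (14 days, restart after updating).
param(
    [int]$MaxAgeDays = 14   # the article's "out of date" threshold
)

function Test-PendingReboot {
    # Registry keys Windows creates while an installed update waits for a restart.
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending'
    )
    foreach ($k in $keys) {
        if (Test-Path $k) { return $true }
    }
    return $false
}

function Get-PatchStatus {
    param([int]$MaxAgeDays = 14)

    # Get-HotFix lists installed updates; InstalledOn is empty on some entries,
    # so those are skipped before picking the newest one.
    $latest = Get-HotFix |
        Where-Object { $_.InstalledOn } |
        Sort-Object InstalledOn -Descending |
        Select-Object -First 1

    $age = $null
    if ($latest) { $age = ((Get-Date) - $latest.InstalledOn).Days }
    $reboot = Test-PendingReboot

    # No dated update at all is treated the same as an overdue machine.
    if ($null -eq $age -or $age -gt $MaxAgeDays) { $status = 'OUT OF DATE' }
    elseif ($reboot) { $status = 'RESTART NEEDED' }
    else { $status = 'OK' }

    [pscustomobject]@{
        Computer      = $env:COMPUTERNAME
        LastUpdateId  = if ($latest) { $latest.HotFixID } else { 'none found' }
        InstalledOn   = if ($latest) { $latest.InstalledOn.ToString('yyyy-MM-dd') } else { $null }
        AgeDays       = $age
        RebootPending = $reboot
        Status        = $status
    }
}

Get-PatchStatus -MaxAgeDays $MaxAgeDays | Format-List
```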
The government wants you to protect your business. To do this they have developed two accreditations for business, Cyber Essentials and Cyber Essentials Plus. We are certified for Cyber Essentials (as indeed all of your major suppliers should be). It demonstrates that we take cyber security seriously and it’s a certification you should consider.
The cost starts at just £300 and we have helped a number of businesses prepare for and achieve the certification. For many small and medium businesses, this also includes free cyber insurance.
What happened on Friday will not be a once-in-a-decade event. Unfortunately, this looks like the new normal and it’s up to UK businesses to take sensible precautions to defend themselves.
If you’d like more help with your cyber defences, more information on the Cyber Essentials scheme or need help testing your current systems – then please do get in touch.
Simon Gray, Turncloud