Considering recent events which I am sure will dominate the news for a few days. There will be lots of analysis, focus groups, interviews, public outcry, investigations eventually some form of public inquiry all at the taxpayers’ expense. After all that song and dance, the flare for the dramatic and finger pointing at cyber criminals, national state actors or just some kid sitting in his living room that could purchase some ransomware online just to see what it could do. 74 countries in a coordinated effort, if that is case, it was probably the distraction, what was the real target? We know what the problem is. Under-investment in public services technology and clear lack of education.
Now god forbid, if there is however a direct loss of life because of what has just taken place with NHS digital, I would like to know what a proportionate response to such an attack would be? The UK government will need to wake up to the fact they are falling behind in the on-going cyber wars. With an investment into physical national security £35.1bn of which only £1.9bn was directed at cyber defence. This does not equate to me, considering a £30 toolkit can theoretically and in reality, bring a stop to our national health.
This is not a criticism. I am fully aware of the hard work that the national security agencies perform in keeping the UK national critical infrastructure safe. They are the unsung heroes of the digital age and do not get enough credit for the things they stop, that the public are unaware off and cant share. This is not helped when other nation states develop the technology in the first instance and that is used against the public.
We all need to take stock – there is no such thing as 100% security in the digital world. The most vulnerable tend to be the small to medium sized business rather than the large corporate. You can avoid being a victim of cyber-crime, that means investing in some simple things, go back to basics. You can invest in the smartest, most expensive, interactive and intelligence based systems as you like. However, that is all pointless if your staff are not given the right education. In most cases, ransomware requires the recipient to take some action.
Its 2017, why are people still falling for these very simple infiltration techniques. The technology you have may be used as preventive measure, but even that cannot determine zero day attacks. A lot of the firms that sell you anti-virus / anti-ransomware are likely to be playing catch up. Not all that technology is attainable to small or medium sized business. The cost will normally outweigh the risk, I would urge all small / medium sized business owners to think again. If the first line of defence has failed, it is up to you and your employees to have enough understanding of the risks they are exposed to and are exposing your firm’s information assets to.
There is no quick fix solution. If you are a small or medium sized business in the UK there are lots of firms that can help. But technology alone is never the solution and done is abstract or isolation may cause your further problems. My advice, take a step back. Look at what is important to you and your business, determine the cost of that if you were breached, suffered a loss, unable to trade because of a cyber incident. Would your business be able to recover? Focus and protect what is important, determine the right level of control based upon actual threat and have a mechanism to test it.
Most importantly Education, Education, Education is the only real way forward for any of us at the coal face to adequately protect information and technology. If you have a small or medium sized firms including any charities and are based in the UK and have been impacted by recent events and would like some advice or guidance please do reach out to me, will be happy to help. I would also encourage better and more active public / private sector partnerships to help combat these issues we all collectively face.