Cyber security is not just about systems, it’s about process and understanding. The NHS sadly appears somewhat lacking in both…
You don’t need me to tell you that large swathes of the NHS have been hit by a ransomware attack. You might be forgiven for thinking that it was a targeted attack against the NHS, if you have been watching the TV news or reading the newspapers.
Actually, it was nothing of the sort, and those surgeries and trusts impacted by this were victims of a global attack. Organisations in around 190 countries, and ranging from universities to telecoms providers, postal services to the railways, have all been hit.
That this wasn’t targeted at the NHS was pretty obvious from the get-go, not least as the ransomware involved (WannaCrypt0r to be precise) is a known threat and the ransom demanded of between £230 and £460 is equally generic. If the attack was truly targeting an organisation the size of the NHS, even at a more local Trust level, you might imagine the actors involved would have set their sights a little higher. Especially given the huge risk they are taking. Attacks on this scale do not go without in-depth investigation, and the chances are the attackers will be caught, tried and likely jailed.
This was not an attack that was unexpected either, at least not by anyone with half a clue when it comes to IT security. Obviously, I don’t include the NHS Trust c-suites with control over budgets, or government, in this description.