This week, we discuss a cyber attack on England’s biggest NHS trust, the appointment of Rudy Giuliani to a White House cyber security committee and new research into the biggest threat to critical infrastructure (hint: for once it’s not cyber attack).
Hello and welcome to the IT Governance podcast for Friday, 20 January 2017. Here are this week’s stories.
Barts Health Trust – the largest NHS trust in England – has reported that a cyber attack forced it to take some systems offline on 13 January. The trust, which runs The Royal London, St Bartholomew’s, Whipps Cross, Mile End and Newham hospitals in London, said earlier this week: “The incident was caused by Trojan malware, not ransomware. The particular virus has never been seen before and, whilst it had the potential to do significant damage to computer network files, […] measures to contain the virus were successful.”
The high value of the data they hold means that healthcare organisations have seen a sharp increase in cyber attacks over the last year or so. Indeed, according to the latest stats from the Information Commissioner’s Office, the health sector accounts for more data security incidents than any other.
A spokesperson for NHS Digital told the Guardian: “This issue highlights the fact that there are threats to data security within the health and care sector, as with any other sector. We remain committed to supporting the protection of data with the highest possible security standards, high levels of security expertise from the centre and appropriate training and awareness of the risks for all staff.”
Rudy Giuliani, the former mayor of New York City, has been given a new role by President-elect Donald Trump (or, if you’re listening to this after Friday’s inauguration, President Donald Trump): heading a White House committee of private-sector cyber security experts.
Appearing on Fox News, Mr Giuliani said: “The idea here is to bring together corporate leaders and their technological people. The president will meet with them on an ongoing basis as well as anyone else in the administration. […] I’ll coordinate the whole thing.”
Giuliani’s appointment has attracted considerable derision from cyber security experts, especially as the website of his cyber security consultancy firm, giulianisecurity.com, was found to be riddled with vulnerabilities that made it easily hackable. (At the time of recording the website appears to have disappeared altogether.)
While the irony is of course enjoyable, it’s important to remember that new vulnerabilities are found all the time and previously fixed ones can be reintroduced. That’s why it’s important to ensure that you keep your software up to date, apply patches as and when they’re released, and conduct penetration tests at least annually – and after significant infrastructure changes are made – to determine where your security falls short so that you can fix any vulnerabilities you might have before they’re discovered and exploited by cyber attackers.
Finally, squirrels. Security researcher Cris Thomas runs the Cyber Squirrel 1 project, which has been tracking power cuts caused by animals. And he has concluded that the damage done by cyber attacks on critical infrastructure since 2013 was actually minimal compared with the threat posed by animals. According to Mr Thomas, who spoke at the ShmooCon hacker conference in Washington DC this week, animals have been responsible for 1,700 incidents, affecting nearly 5 million people. Squirrels were responsible for 879 ‘attacks’.
According to the BBC, “Most of the animal ‘attacks’ were on power cables but Mr Thomas also discovered that jellyfish had shut down a Swedish nuclear power plant in 2013, by clogging the pipes that carry cool water to the turbines.” Eight deaths were also attributable to “animal attacks on infrastructure, including six caused by squirrels downing power lines that then struck people on the ground.” If you work in the critical infrastructure sector and are concerned about network and information systems security, you might want to consider adding wildlife to your risk register too.
Well, that’s it for this week. Until next time you can keep up with the latest information security news on our blog.
And don’t forget that IT Governance’s January book of the month is EU GDPR: An Implementation and Compliance Guide. The new General Data Protection Regulation, which comes into effect in May 2018, affects every organisation in the world that processes EU residents’ data. Failure to comply could result in fines of up to €20 million or 4% of annual global turnover – whichever is greater. If you’re yet to start your GDPR compliance project, EU GDPR: An Implementation and Compliance Guide provides a detailed commentary on the Regulation, explains the changes you need to make to your data protection and information security regimes, and tells you exactly what you need to do to avoid severe financial penalties. Save 10% if you order by the end of the month.
Whatever your cyber security needs – whether regulatory compliance, stakeholder reassurance or just greater business efficiency – IT Governance can help your organisation to protect, comply and thrive. Visit our website for more information: itgovernance.co.uk.