If ever there was an article that started with a prediction that came true – it was our very first post of 2017, looking at the year ahead.
We quoted John Chambers, CEO of Cisco who had recently said “There are two types of organisation: those that have been hacked and those that don’t know they’ve been hacked.” We predicted it would increasingly be a case of ‘not if but when’. And, as we all know by now, this year it was very much ‘when’.
So, join us for a look back at some of the cyber security issues and incidents we covered in 2017.
Bad news often comes in Threes
For large organisations holding thousands of customer data records, 2017 got off to an embarrassing start. In January, a denial of service hack at Lloyds Banking Group, over a period of several days, tried to block access to 20 million accounts. Around 43,000 people were affected by a cyber-attack on travel body ABTA’s website in February. And March saw mobile phone provider Three experience a major breach when an employee’s password was stolen and 200,000 customers’ data was compromised.
In April, Ascentor covered the next big attack where payday money lenders Wonga found 270,000 customers’ details had been stolen – including the last four digits of bank cards. We used the example of Wonga and earlier attacks to make the point that basic cyber security measures would give organisations a substantially better chance of avoiding the damage caused by a cyber-attack, not to mention the ‘wonga’ involved.
But if attacks on large commercial organisations made the headlines, that was nothing compared to when the NHS found their security vulnerabilities let the WannaCry virus in.
Ransomware – it was enough to make the NHS WannaCry
The month of May brought the WannaCry global cyber-attack that saw 47 NHS Trusts, hospitals and GPs’ surgeries become the most high-profile victims of ransomware. The National Cyber Security Centre (NCSC) later described it as its biggest test of the year in their own review of 2017. The WannaCry virus appeared in over 100 countries but its impact on the NHS probably received the most coverage – and proved to be a powerful case study in why it’s important to take the threat of ransomware seriously.
A relatively small number of NHS organisations were infected by the WannaCry ransomware, but it was the news of the cyber-attack that caused other trusts to close down their systems as a precaution – which is where the real impact was felt.
It turned out that NHS organisations had been offered a security patch earlier in the year before the WannaCry cyber-attack, but many had not applied it, leaving themselves vulnerable. As a result of WannaCry, we wrote an article bringing all our ransomware guidance together .
But the NHS weren’t the only ones leaving their data under threat…
What will it take to convince your board about cyber security?
Ascentor noticed a recurring message in many of the surveys about cyber security. A high number of businesses say that cyber security is an important issue – but a low number report any evidence of actually doing something about it.
The Cyber Security Breach Survey 2017 published in May illustrated this perfectly. IPSOS MORI interviewed 1,523 UK businesses. In 74% of cases the directors or senior management said that cyber security was a high priority but only 20% provided staff with cyber security training – and only 33% had any formal policies in place.
We felt that while board level executives recognising the problem was positive – a worrying number didn’t seem to be taking any action. So we published our first Slideshare called ‘Convince your board: Cyber-attack prevention is better than cure’. Designed for anyone concerned about the growing threat of cyber-crime to their organisation, it covers how to overcome some typical vulnerabilities.
GDPR – the clock is ticking louder
You could be forgiven for not having heard about GDPR at the beginning of the year – but now? Only those returning from a year-long sabbatical in outer Mongolia could claim any excuses. GDPR was given extensive coverage by Ascentor throughout 2017 – and our consultant Paul Trethewey attained the Certified EU General Data Protection Regulation Practitioner qualification which is accredited to ISO 17024.
Coming into law in May 2018, GDPR will provide a single, harmonised data privacy law for the European Union – but GDPR will present implementation and compliance challenges for organisations, particularly in the public sector where the appointment of a Data Protection Officer (DPO) will be mandatory. This is perhaps why, of all the GDPR topics we covered in 2017, our in-depth look at the DPO role fast became one of the most popular Ascentor articles. Are you tasked with resourcing a DPO? You’ll find help here: ‘Do you really need a Data Protection Officer (DPO)?’
BIM – why cyber security can’t leave the building
Elvis might have left the building long ago, but, as we covered in a series of blogs on Building Information Modelling (BIM) this year, security surrounding the data involved in modern-day construction projects needs to be safe from threats – and remain in place long after the end of the build.
Earlier in 2017, we looked at an introduction to the topic of BIM and covered implementation in a two-part blog series. We returned to the topic in November at the UK Security Expo where Ascentor’s Steve Maddison presented the third of his series, covering BIM, Security and the Building Lifecycle. This article demonstrated how the risks to information on construction and refurbishment projects change over the course of the building lifecycle, and what measures can be put in place to manage those risks.
Are you sure it’s just an RMADS you need?
Readers of the Ascentor blog will know that we often cover topics relating to the MOD. Over the years we’ve looked at the Cyber Security Model for the Defence Industries (CSM), the importance of Cyber Essentials to MOD projects and tips for Security Assurance Coordinators on MOD projects. In September we addressed the case for a considered approach to Information Assurance on MOD projects, asking the question ‘Are you sure it’s just an RMADS you need?’
The RMADS (Risk Management and Accreditation Document Set) might be fine for a simple risk assessment, but our article addressed a list of things that could make an RMADS in isolation a potentially dangerous weapon.
The NCSC celebrated its first year in October
In its first 12 months of operations, the NCSC has prevented thousands of attacks, provided support for the UK Armed Forces and has managed the UK’s response to hundreds of incidents. At the same time, the NCSC received 1,131 incident reports, with 590 classed as “significant”, according to the agency’s first annual review.
The NCSC’s first duty is to manage and mitigate against attacks. To mark their first year, they published a report showing the progress made working with government, industry and individuals. Available as a download, it covers the cyber threat today, WannaCry, incident management and how they are building the UK’s defences.
So, we’ve nearly reached the end of 2017 and, looking back, Ascentor has covered most of the big topics but, if you were to ask us what we feel will dominate 2018, it would have to be GDPR.
If, as reported, large numbers of UK organisations are still unprepared, then we can only see a potential rush towards compliance where many run the risk of not reaching the 25th May deadline. With heavy fines for non-compliance, this could be the difference between staying in business and going out of it.
But, let’s end the year with a positive message. You don’t have to be the NCSC to implement effective cyber security in your organisation. Basic and affordable measures can and do prevent attacks. Even though the threats may change – so do the solutions. Thank you for reading our blogs this year, we look forward to covering more cyber security issues across 2018.
For further information
If you’d like to discuss how our consultants can advise on any aspect of Information Assurance and cyber security, please contact Dave James, MD at Ascentor.
Email: [email protected]
Office: 01452 881712