PART FIVE: Are certain types of Organisations more at Risk?
Cybercriminals rarely set out to target one type of organisation or user over another; their primary motivator is usually financial gain. Clearly, if they can get past the security systems of a large organisation that holds financial and sensitive information about hundreds of thousands of consumers, this is far more worth their while than hacking individuals.
We need only think of the large-scale breaches at HSBC and BA in 2018, both of which led to the loss of consumers’ personal financial data, enabling hackers to access their accounts. However, it is often a case of launching an attack broadly and seeing where it succeeds rather than targeting one company or organisation specifically. Having said this, there are some types of organisation which find it harder to defend their networks from attack and routinely fall victim.
Cyber Security in the NHS
With 1.7 million employees, the NHS is the UK’s largest employer and has a workforce that is extremely widely dispersed. This presents significant challenges with different trusts adopting different cyber security strategies, and central mandates from NHS Digital difficult to enforce across so many locations and devices.
In May 2017, a number of NHS Trusts famously fell victim to WannaCry, the largest ransomware attack in history, which led to thousands of appointments being cancelled. The attack could have been avoided if security patches had been up to date – something NHS Digital had warned about when the fix was released two months earlier, in March 2017. Other large organisations with multiple offices across disparate geographies face similar challenges, and for them it is critical that this is considered and planned for at the outset. When putting together a cyber security strategy, start with the end goal and prioritise your strategy from there. What works for one organisation may fail for another, so different strategies are needed.
Legacy applications – an open door for cybercriminals?
In addition to a huge workforce, the NHS faces the further challenge of compatibility issues – for example, clinical and other mission-critical applications running on unsupported operating systems. With limited budget to upgrade these systems, hospitals are often left with no choice but to continue using them, which leaves gaping vulnerabilities in their infrastructure.
Universities face many of the same challenges – huge numbers of people accessing the network, difficulty identifying and verifying every single request for access, and legacy applications and systems, often found in research labs, which cannot be updated for reasons ranging from budgeting to continuity within the research programme. For organisations in a similar situation, where the use of legacy technology is not optional, we recommend implementing advanced endpoint protection solutions that can shield these unsupported systems from vulnerabilities and attacks. The other option is to isolate these devices from the rest of the network to limit access and the possibility of an attack spreading in the event of a breach. Similarly, it is advisable to ensure no sensitive data is stored on these systems, although in certain environments this is not possible.