How did the WannaCry cyber attack manage to disrupt the NHS so badly? Do you know how to stop something similar happening to your business?
It’s highlighted the real scale of the impact the attack had, and has identified a number of failings which contributed to the disaster:
- lack of patching
- lack of migration away from old, unsupported software (especially Windows XP)
- lack of oversight of their IT systems
- lack of tested disaster response
- lack of firewall management
…the list goes on.
In hindsight, it all seems quite straightforward, but if the NHS can get it so badly wrong, so can many other businesses and organisations.
So, what can we learn? As this has shown, there are a number of ways to protect against these risks, and it’s not brain surgery!
8 Ways to Vaccinate Your Business Against Cyber Attacks
1. Install patches
Patches are released for a reason, yet only 36% of SMEs patch their machines. Good patch management will reduce vulnerabilities and ensure your software is up to date with the latest bug fixes and security fixes. Maximise your protection by always installing patches as soon as they are released and ensuring all devices are covered.
If you fail to install patches on even one device, it could leave your whole business at risk.
2. Migrate your old operating systems
Did you know that 52% of UK businesses still have at least one machine running on Windows XP? And did you know that Windows XP hasn’t been supported since April 2015, meaning it represents a significant security risk? Windows XP is a good example, as WannaCry exploited this unsupported operating system to breach the NHS systems.
A failure to invest in migrating to the latest operating system can cost much more in the longer term.
3. Monitor and gain oversight of your IT systems
The WannaCry attack highlighted a worrying lack of oversight and monitoring of NHS IT systems. Despite having issued specific advice & guidance to the NHS regarding patching and software migration, the Department of Health had no mechanism in place for checking if this had been followed. Better oversight of the IT systems would have flagged up the lack of response much earlier and would have meant action could have been taken to follow up.
By monitoring your systems and staying on top of all alerts, updates & activity, you can give yourself the best chance of spotting potential risks and being able to react quickly.
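As an added example (not from the original post, and not a tool the NHS or the Department of Health used), here is the kind of oversight check that points 1 to 3 are asking for: a short Python script that takes a device inventory and reports every machine that is either running an unsupported operating system or has missed its patching deadline, so that a single overlooked device shows up rather than being averaged away. The inventory, hostnames, dates and the 30-day deadline are all constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional

# Constructed for this example: operating systems that no longer receive
# vendor security patches, so "install the patch" is not an option for them.
UNSUPPORTED_OS = {"Windows XP", "Windows Server 2003"}


@dataclass
class Device:
    hostname: str
    os: str
    last_patched: Optional[date]   # None means there is no patch record at all


@dataclass
class AuditResult:
    total: int
    unsupported: List[str] = field(default_factory=list)  # need migration, not patching
    stale: List[str] = field(default_factory=list)        # patchable but behind the deadline
    compliant: List[str] = field(default_factory=list)

    @property
    def coverage_pct(self) -> float:
        """Share of the estate that is both supported and recently patched."""
        return round(100.0 * len(self.compliant) / self.total, 1) if self.total else 0.0


def audit_inventory(devices: List[Device], today: date,
                    max_patch_age_days: int = 30) -> AuditResult:
    """Classify every device; a miss anywhere is listed by name, not hidden in a percentage."""
    result = AuditResult(total=len(devices))
    cutoff = today - timedelta(days=max_patch_age_days)
    for d in devices:
        if d.os in UNSUPPORTED_OS:
            result.unsupported.append(d.hostname)
            continue
        if d.last_patched is None or d.last_patched < cutoff:
            result.stale.append(d.hostname)
        else:
            result.compliant.append(d.hostname)
    return result


def report(result: AuditResult) -> str:
    """Plain-text summary of the kind that can go in a weekly oversight email."""
    lines = [f"Patch coverage: {result.coverage_pct}% of {result.total} devices"]
    for host in result.unsupported:
        lines.append(f"  MIGRATE  {host}: unsupported OS, cannot be patched")
    for host in result.stale:
        lines.append(f"  PATCH    {host}: no patch within the deadline")
    return "\n".join(lines)


# Constructed inventory: hostnames and dates are made up for this example.
SAMPLE_INVENTORY = [
    Device("ws-01", "Windows 10", date(2017, 11, 20)),
    Device("ws-02", "Windows 10", date(2017, 8, 1)),
    Device("ws-03", "Windows 7", None),
    Device("srv-file", "Windows Server 2016", date(2017, 11, 28)),
    Device("mri-console", "Windows XP", date(2014, 3, 1)),
]


def sample_patch_audit() -> AuditResult:
    """Run the audit over the constructed inventory as of 1 December 2017."""
    return audit_inventory(SAMPLE_INVENTORY, today=date(2017, 12, 1))


if __name__ == "__main__":
    print(report(sample_patch_audit()))
```

The point of the `coverage_pct` figure is to give management a single number to track, while the `MIGRATE` and `PATCH` lines give IT the named machines to act on; feeding a real inventory into `audit_inventory` (from whatever asset database you keep) is the only change needed to use it.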
4. Boost your email security
With 91% of cyber attacks starting via email – including, of course, the WannaCry attack on the NHS – there is no excuse not to invest in email security. Protect yourself from email attacks by installing antivirus & anti-malware software on all company devices and ensuring any updates are applied as soon as they are released. By catching attacks at this stage, you have the potential to save your business from a huge amount of disruption and cost.
Read our previous blog post for 4 quick tips to boost your email security.
5. Manage your firewalls
Even with their systems unpatched, if the NHS had secured & managed their firewalls, that simple step could have acted as a second line of defence and helped guard them against infection by the WannaCry attack.
By managing your firewalls effectively, you can greatly improve your chances of protecting your business if you experience a cyber attack.
6. Isolate your vulnerabilities
Many businesses have legacy systems which are still in everyday use for various reasons. These outdated systems are typically unsupported & unable to withstand a cyber attack, and represent significant points of vulnerability to your business. It is important to critically examine the reasons why these systems are still being used and consider alternative options.
Once these points of vulnerability have been identified, you can take action to reduce the risk, such as isolating them from the network so they can still be used but don’t leave a hole in the network’s security.
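As an added example for points 5 and 6 (not from the original post, and not a real NHS ruleset), here is a small Python audit of a firewall policy around an isolated legacy host. It evaluates the rules first-match with an implicit deny, so you can test whether the isolation actually holds for a given flow, and it flags three things a managed firewall should not contain: rules that never match because an earlier rule shadows them, allow rules that expose the isolated host to any source (or let it reach any destination), and catch-all any-to-any allows. The addresses, ports and the six rules are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Union

ANY = "any"


@dataclass(frozen=True)
class Rule:
    action: str              # "allow" or "deny"
    src: str                 # CIDR or "any"
    dst: str                 # CIDR or "any"
    port: Union[int, str]    # TCP port or "any"


def _net_matches(pattern: str, ip: str) -> bool:
    return pattern == ANY or ipaddress.ip_address(ip) in ipaddress.ip_network(pattern, strict=False)


def _covers(pattern: str, other: str) -> bool:
    """True when every address matched by `other` is also matched by `pattern`."""
    if pattern == ANY:
        return True
    if other == ANY:
        return False
    return ipaddress.ip_network(other, strict=False).subnet_of(
        ipaddress.ip_network(pattern, strict=False))


def _port_covers(pattern, other) -> bool:
    return pattern == ANY or pattern == other


def is_allowed(rules: List[Rule], src_ip: str, dst_ip: str, port: int) -> bool:
    """First-match evaluation with an implicit deny at the end of the list."""
    for r in rules:
        if _net_matches(r.src, src_ip) and _net_matches(r.dst, dst_ip) and _port_covers(r.port, port):
            return r.action == "allow"
    return False


def audit_rules(rules: List[Rule], isolated_hosts: List[str]) -> List[str]:
    """Return human-readable findings, one per problem, in rule order."""
    findings = []
    for i, r in enumerate(rules, start=1):
        # Dead rule: an earlier rule already decides every packet this one would match.
        for j, earlier in enumerate(rules[: i - 1], start=1):
            if (_covers(earlier.src, r.src) and _covers(earlier.dst, r.dst)
                    and _port_covers(earlier.port, r.port)):
                findings.append(f"rule {i}: shadowed by rule {j} and never matches")
                break
        if r.action != "allow":
            continue
        if r.src == ANY and r.dst == ANY:
            findings.append(f"rule {i}: allows any source to any destination on port {r.port}")
            continue
        for host in isolated_hosts:
            if r.src == ANY and _net_matches(r.dst, host):
                findings.append(f"rule {i}: exposes isolated host {host} to any source on port {r.port}")
            elif r.dst == ANY and _net_matches(r.src, host):
                findings.append(f"rule {i}: lets isolated host {host} reach any destination on port {r.port}")
    return findings


# Constructed policy: a legacy console that only one workstation needs to reach.
LEGACY_HOST = "10.0.9.10"
SAMPLE_RULES = [
    Rule("allow", "10.0.1.50/32", "10.0.9.10/32", 8080),  # the single workstation that needs the old app
    Rule("allow", ANY, "10.0.9.10/32", 3389),             # remote desktop open to everyone: a finding
    Rule("deny", ANY, "10.0.9.0/24", ANY),                # isolate the legacy segment from everything else
    Rule("allow", ANY, "10.0.2.5/32", 443),               # public web server, unrelated to the legacy host
    Rule("allow", "10.0.1.0/24", "10.0.9.10/32", 8080),   # dead: rule 3 already denies all of this
    Rule("allow", ANY, ANY, ANY),                         # catch-all allow that undoes the isolation
]


def sample_firewall_audit() -> List[str]:
    return audit_rules(SAMPLE_RULES, [LEGACY_HOST])


if __name__ == "__main__":
    for line in sample_firewall_audit():
        print(line)
    print("office workstation -> legacy app:", is_allowed(SAMPLE_RULES, "10.0.1.77", "10.0.9.10", 8080))
    print("legacy host -> anywhere:", is_allowed(SAMPLE_RULES, "10.0.9.10", "10.0.3.3", 80))
```

Two things to notice when running it: the deny in rule 3 correctly stops an ordinary office workstation reaching the legacy application, but rule 2 still lets everyone at the remote desktop port, and the catch-all in rule 6 means the legacy host itself can reach anything on the network. Isolation is only as good as the whole ruleset, which is why checking it as a list, rather than rule by rule, is what "managing your firewalls" means in practice.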
7. Test your response plan
When WannaCry infected the NHS, the response was hindered by a lack of preparedness. Although the Department of Health had a plan in place, it had never been properly communicated or tested at a local level, leading to confusion, communication issues, and significant disruption which could have been avoided.
To ensure you’re ready to respond quickly & efficiently, ensure cyber attack is on your list of disaster planning scenarios and test your response as a priority.
8. Budget ahead
In the case of the NHS, the reason some computers were still running on Windows XP is that some vital medical equipment was so old that it wasn’t compatible with newer versions. With new equipment & systems often representing a significant financial outlay, it’s easy to understand why businesses are reluctant to replace old ones if they still work. However, the cost of a cyber attack facilitated by unsupported legacy systems can far outweigh the investment required to modernise them.
To significantly decrease your security risk, plan your company finances to prioritise the replacement of old equipment, so new options which are compatible with current operating systems are made available.
The final diagnosis...
WannaCry was only one of many cyber attacks to affect UK organisations this year. From other major worldwide attacks such as Petya and Bad Rabbit, to the thousands of smaller scale attacks which didn’t make the headline news, there’s no doubt that cyber attacks continue to pose a significant risk to UK businesses of all sizes. If you don’t want your company to be the next victim, it’s time to scrub up, cough up and invest in protecting the health of your business.