Cyber Security: Prevent the Preventable, Mitigate the Inevitable.
Cyber Security for the Internet of People.
The weather was changeable all day, but during our morning IT Directors Forum meetings it was glorious, with clear views over the Channel Islands from the Horizon Restaurant on deck 12 of the P&O Aurora. Mr Hodges and I were discussing cyber security incidents with two of our old friends and long-standing customers. One of them had recently suffered a cyber security incident and, although he and his team were on top of the problem, he shared on LinkedIn the fact that his network had been involved in a cyber security incident. I firmly believe this is the right thing to do as it sets a great example to other organisations that it is OK to share information about these experiences, and by sharing this information it encourages us all to be more vigilant.
As our customer’s incident was shared openly on LinkedIn he did not go into any of the technical detail. However, the fact that he was prepared to share that his cyber security had been compromised is a positive step forward. We all agreed that it is impossible to protect against everything and, given the law of averages, every business will be directly affected by a security breach at some time in the future, even if it has already experienced a breach – lightning can and often does strike more than once in the cyber security world. Our conversation led to the six-word summation: ‘prevent the preventable, mitigate the inevitable’ and Mr Hodges asked me to write a blog with this as a title. I made some notes from our discussion and planned to schedule this blog to follow on from the IT Directors Forum review blog, but events about to unfold at that time led to this blog taking the lead.
“We were all actors in this global production as it toured the world at near light speed.”
It is very strange how life pans out and a short while later BBC news flashes were appearing on my Apple Watch with alarming regularity. News was coming in about the extensive cyber security breach affecting multiple NHS Trusts. There were several NHS Trust IT Directors and managers on board Aurora moving around the ship trying to get a reliable mobile signal from one of the islands. But, unfortunately, just as the crisis really began to unfold we set sail for Southampton and would soon be beyond reach of the mobile antennas on the Channel Islands or France.
Mr Hodges also received a message from our own technical team informing him that they were taking preventative action with some of our customers, including one with connections into the NHS, to remove the threat while the NHS IT teams were investigating the attack.
I felt for the NHS directors and managers on board Aurora last week. They would undoubtedly come in for some criticism sooner or later as that is usually the way these things pan out. But, right now the focus was on understanding the problem and preventing the attack from spreading further, followed by a clean-up operation. We had, only a few hours before, been discussing that cyber attacks and breaches are inevitable and here we are in the middle of a global cyber security incident. Not as the audience, we did not have that luxury. We were all actors in this global production as it toured the world at near light speed.
“…over the weekend we heard from a number of ill-equipped NHS spokespersons representing their Trusts.”
While en route to Southampton I only caught a few snippets of information until about 0300, when we were within mobile range of the mainland and a stream of BBC News flashes appeared on my mobiles and we could get a sense of the scale of the attack. Then over the weekend we heard from a number of ill-equipped NHS spokespersons representing their Trusts. One NHS spokesperson said 5% of the NHS PC estate still has the Windows XP operating system. A security specialist mentioned that this was tens of thousands of PCs. He also pointed out that the NHS was paying for special support from Microsoft to keep XP going but stopped paying the maintenance fee during 2015. Bear in mind that, with the breach we are experiencing now, it only requires one vulnerable device, one weak link, to be compromised to cause severe and costly damage. Another spokesperson said the XP machines were all due to be upgraded but the budget was cut and they ran out of money.
Another NHS spokesperson was getting as much mileage as possible out of the fact that their Trust was doing their own thing and were not affected by the WannaCry breach. Is it really a good idea to break away from the pack and do your own thing when you are part of an overall larger organisation? Do you really want to put your head above the parapet and claim to be holier than thou while all around you are suffering for their sins?
While on this subject there are the inevitable political rants blaming one party or another for their lack of investment in the NHS. Inevitably, blame rears its ugly head. The further up the food chain you are the more resilient you are to blame. MPs – especially senior MPs – are used to blame. They hide behind an armour of carefully crafted words to ensure they minimise damage from the stones thrown by the general public, the poisoned darts from their political opponents and guided missiles from political journalists.
“What does any of this do to help us resolve this situation and avoid us getting into a similar situation in the future?”
But, what about further down the food chain? The people in the front line coming in to work every day, working just as hard and diligently as the senior people in the organisation? Blame leads to individuals feeling guilty, threatened, under attack, isolated, depressed and in some extremes even suicidal. What does any of this do to help us resolve this situation and avoid us getting into a similar situation in the future? What impact does a scapegoat have on the perpetrators?
On my return to the office on Monday, one of my colleagues told me of an IT technician in a local authority who was not prepared to take responsibility to disconnect a link into the NHS network to protect their infrastructure until the integrity of the network could be determined. The technician suggested telling the entire user community to be vigilant and to protect their individual devices independently because he didn’t have the authority to shut down the switch port and disconnect the service. It would be easy to accuse this person of being a ‘jobsworth’ but it is the system that is wrong. There were no policies or procedures in place to ensure this individual could safely pull the plug without fear of disciplinary action.
“…if we are going to have any chance of winning the majority of the battles we must create a supportive environment for our staff.”
We cannot hope to win the war against the cyber-criminals but if we are going to have any chance of winning the majority of the battles we must create a supportive environment for our staff. This seems to be in complete contrast when you consider the numerous cases of ‘whistle blowing’ in the NHS. Horror stories of careers coming to an end and experienced staff being victimised for speaking out against inappropriate staffing levels, bad conduct and negligence. If this is how we treat our hard-working nurses, healthcare assistants, doctors and consultants I cannot believe for one minute that we would treat staff any differently if they were found to be involved in a cyber incident.
Many years ago, I watched a BBC Horizon programme about plane crashes caused by pilot error. One of the greatest criticisms by the investigators related to the chain of command on the aircraft. Airlines maintaining a strict line of unquestionable authority were more likely to suffer life-threatening events as a result of pilot error. If the pilot ran his aircraft with a regime of fear, the crew members were very unlikely to raise any concerns even if they predicted the worst. At the time the investigators concluded that Virgin Airlines were the safest airline to fly with as they empowered every crew member to speak out if there was anything that concerned them, without fear of victimisation.
Clearly, organisations ruled by fear run the risk of sustaining the most damage in these situations. People need to be educated, empowered and protected by detailed policies and procedures that are acted out in the event of a cyber incident like the one we saw on Friday. Our staff need to feel safe in challenging an email that appears to be from their CEO asking for an urgent funds transfer. They also need to be extremely diligent before opening the attachment that says ‘Invoice’ or clicking on the link in an email they have just received from one of their ‘colleagues’. They must question whether it really is from their colleague.
“The second event, only last month, was a Cyber Incident Simulation and many of the points of the simulation rang alarmingly true with the WannaCry incident last week.”
In addition to this, we must get into the habit of reporting any attacks or breaches so the data can be analysed and the intelligence put to good use. Some of the larger banks are already sharing information with positive results. The Cyber Defence Alliance, based in the City of London, was created in 2015 by a small group of banks to share information on cyber crime activities with the banks and law enforcement agencies. The staff come from the participating banks, together with police officers from the UK National Cyber Crime Unit.
The Cyber Defence Alliance are growing in capacity and capability and are learning new techniques to combat cyber crime. Timing is critical so if one bank comes under attack and they share the information in real time or near real time then it allows the other banks to prepare against the attack should it come their way, thus limiting wide scale damage. Admittedly, the sharing of information does nothing to help the bank under attack at that time but the combined information is useful intelligence for those tasked with locating and disabling the cyber criminals.
The Information Technologists Livery Company are running three educational events each year. Our first, in January this year, featured five expert speakers on the topic of ‘The Economics of Cyber Security’. The main theme of that event was to be prepared and have your playbook ready so everyone in your organisation knows what is expected of them and when. The second event, only last month, was a Cyber Incident Simulation and many of the points of the simulation rang alarmingly true with the WannaCry incident last week. As part of our simulation the IT Director was out of circulation in Las Vegas and could not be contacted. Just like our NHS Trust Directors on Friday.
“…I’m only human after all, don’t put the blame on me.”
Another key theme of our Board Room Cyber Security Events is the human element. We are all human and no matter how diligent we are we are going to have that momentary lapse of concentration and click on the link or open the attachment. At the beginning of last week I received an email that looked as if it had come from Mr Hodges. ‘Steve’ suggested I click on the link and I was within a hair’s breadth of clicking it but changed my mind and decided to check the header. Lo and behold, it was from some nefarious character with a dodgy email address. I immediately sent an email to the entire team to warn them to be on the lookout for similar emails. One of our team wasn’t so lucky a couple of years ago. I had just sent an email to all staff warning of an increased activity of fraudulent emails and within two hours one of our team clicked on a link in one of these emails and we were hit by crypto-locker malware. Fortunately, the device was isolated almost immediately, reducing the impact of the breach.
As I write this blog and listen to news reports and interviews relating to the WannaCry ransomware attack I can hear Rag’n’Bone Man going through my head: “…I’m only human after all, don’t put the blame on me.”
Links:
Action Fraud – the UK’s national fraud and cyber crime reporting centre.