Brought to you by
tax cloud

Tax Cloud is an R&D Tax Credits claim portal.

The WannaCry ransomware attack: What lessons have we learned?

21st Jan 2022
Back in May 2017, WannaCry - a particularly nasty piece of ransomware - tore across the globe, infecting a quarter of a million machines in over 150 countries. The damage was widespread, with a range of entities affected including the NHS, America’s FedEx, Spain-based Telefonica, LATAM Airlines and German railway company Deutsche Bahn.

The WannaCry ransomware targeted a specific vulnerability in Microsoft Windows and wasn’t in fact an attack on unsupported software. In the NHS, devices that fell victim to the ransomware were found to have been running the unpatched (although still supported) Microsoft Windows 7 operating system. This allowed the cyber-attack to also be much more “infectious”.

Furthermore, the ransomware was easily spread via the internet, including through the N3 network which connects NHS sites in England together. However, there was no evidence of it being spread via NHS emails.

The WannaCry attack made news headlines at the time, with organisations across the world scrambling to tighten their IT security.

How serious was the WannaCry attack?

In the UK, WannaCry was the biggest and most damaging cyber-attack to have ever happened to the NHS before or since. It worked by taking over a computer and encrypting essential data on it so that it couldn’t be accessed unless the user paid a ransom of £230 ($300).

The NAO report that followed said no NHS organisations actually paid the ransom, but the financial cost (not to mention the stress) was still incredibly high.

Worryingly, 88 out of 236 trusts surveyed by NHS Digital did not pass minimum cyber-security standards in the months leading up to the attack. Critical alerts were deemed not to have been acted on, and a warning was sent out by the Department of Health and the Cabinet Office in 2014 to update vulnerable older software.

"Before 12 May 2017, the department had no formal mechanism for assessing whether NHS organisations had complied with its advice and guidance."

“Organisations could also have better managed their computers' firewalls - but in many cases they did not”, the report said.

So what has the WannaCry cyber-attack taught us?

According to the National Crime Agency (NCA), ransomware is still the most common type of cyber-attack to threaten UK businesses and individuals. The challenge remains in updating both technology and expertise to stand any chance of staying on top of it.

Small businesses in particular have more to lose from ransomware and other cyber-attacks than larger ones, as any downtime could actually put them out of business. The same could happen if the criminals also manage to drain their bank account.

Luckily, even whilst battling the effects of the COVID-19 pandemic, small businesses have prioritised cyber security. Indeed, 77% of micro and small businesses make cyber-crime a top priority (vs 69% in 2016, the year before WannaCry).

Why did WannaCry target the NHS?

Security experts say the NHS was (and is) a particularly appealing target for cyber criminals simply because health records are an extremely valuable asset. In fact, they can be worth more than ten times as much as other data such as banking details. The NHS as an organisation is also vast, but is under immense financial pressure. This has created the perfect storm of valuable data and often old or vulnerable IT infrastructure.

In December 2015, the NAO concluded that financial constraints within the NHS were endemic and unsustainable.

“The WannaCry cyber attack had potentially serious implications for the NHS and its ability to provide care to patients. It was a relatively unsophisticated attack and could have been prevented by the NHS following basic IT security best practice. There are more sophisticated cyber threats out there than WannaCry so the Department and the NHS need to get their act together to ensure the NHS is better protected against future attacks”, said Amyas Morse, head of the National Audit Office.

Positive outcomes following WannaCry

One silver lining of the WannaCry attack is that it forced the government to increase investment in NHS cyber security from that point on. It also highlighted the importance of understanding the risks around cyber-crime, particularly in massive public institutions such as the NHS.

Having said that, the understanding of cyber security - particularly ransomware - by senior UK public sector employees still leaves a lot to be desired. Cyber security firm Sophos recently carried out a survey that worryingly showed 55% of public sector IT leaders hold the unfounded belief that the digital data their organisation holds isn’t as valuable as that held in the private sector. The research also showed that 36% of IT leaders say the biggest challenge to their IT security lies in recruiting skilled frontline professionals amid a skills shortage. Despite this, only 14% of those surveyed said they were actually concerned about this shortage. Perhaps better communication around this subject is needed.

Technology moves on fast, and the NHS is willing to embrace it wherever possible - but it needs to be swift about it. Cloud computing, Artificial Intelligence and more connected devices all serve a crucial purpose, but along with them comes further risk of more WannaCry-style attacks in future.

This article was brought to you by Tax Cloud
