CS1705
You also want an ePaper? Increase the reach of your titles
YUMPU automatically turns print PDFs into web optimized ePapers that Google loves.
privacy under siege<br />
passwords and to be generally cautious<br />
when sharing information online."<br />
HEATH WARNING<br />
All of which would have been excellent<br />
advice for the many NHS Trusts across the<br />
UK whose systems were so badly hacked<br />
recently (see also page 5).<br />
In light of the WannaCry ransomware<br />
cyber-attack - which hit more than 150<br />
countries in total - a new report from<br />
SolarWinds MSP highlights what it<br />
describes as businesses' over-confidence in<br />
their cybersecurity defences. The report<br />
reveals that 87% of UK and US businesses<br />
consider their cybersecurity readiness<br />
as robust, despite 71% having reported<br />
breaches within the last 12 months. Some<br />
77% of UK and US businesses also revealed<br />
that they had suffered a tangible loss<br />
as a result, such as monetary impact,<br />
operational downtime, legal actions or<br />
the loss of a customer or partner.<br />
While Microsoft was quick to announce<br />
a new software update to overcome the<br />
WannaCry attack, the SolarWinds MSP<br />
report shows that, by contrast, businesses<br />
are somewhat complacent when it comes<br />
to cybersecurity procedures, including in<br />
their response to a breach. In fact, for UK<br />
businesses, states the company:<br />
Only 43% of businesses implemented<br />
new security technology following a<br />
breach<br />
Only 29% enforce and audit security<br />
policies. The rest either only do so<br />
occasionally or without controls - or<br />
not at all<br />
Only 13% consider user training as a<br />
priority, with the rest reinforcing this<br />
at best once a year<br />
23% have no mechanism in place for<br />
reporting vulnerabilities.<br />
SolarWinds MSP has also calculated<br />
that, based on the number of personally<br />
identifiable information typically held by<br />
SMBs and enterprises, the typical cost of a<br />
single data breach to a UK SMB is £59,000<br />
and £724,000 to enterprises.<br />
PATCHING SYSTEMS<br />
While it's been universally acknowledged<br />
that there's very little hospitals can really<br />
do to prevent ransomware and other<br />
cyberattacks outright - due to user error<br />
and susceptibility to phishing attacks -<br />
there's been much conversation around<br />
mitigating these types of attacks by<br />
patching systems. "Patch early and patch<br />
often is good advice," comments Imprivata,<br />
"and should always be observed.” But adds<br />
the caveat that, when it comes to these<br />
types of cyberattacks, patching alone<br />
doesn't stop the problem. “It only stops<br />
the propagation of the malware."<br />
Why? Because the real source of the<br />
problem isn't the systems; it's the users<br />
who initially downloaded them onto their<br />
computers, it states. So, if you have to<br />
make the assumption that your systems<br />
are going to get compromised, how do<br />
you build resiliency around your users?<br />
How, as a healthcare industry, do we focus<br />
beyond keeping the bad guys out, to<br />
keeping our systems running?<br />
"First, and as part of a best-practices<br />
systems hardening approach, we've got to<br />
manage user-system privileges," advises<br />
Imprivata. "The majority of users in clinical<br />
settings have full admin rights to their<br />
systems. In many cases, admin access is<br />
necessary in order for users to access<br />
legacy applications. But, if a user can't<br />
control software or run software that's not<br />
vetted by IT, why should they have admin<br />
level privileges? It's too easy for a user in<br />
a rush to click on a link and download<br />
malware hidden in an attachment."<br />
The company says that it has learned<br />
from interactuion with its customers that<br />
anywhere from 8-28% of users will click on<br />
a malicious link in their email. "Phishing<br />
exercises and other methods of user<br />
education can be helpful tools to prevent<br />
user error, but to truly manage user<br />
vulnerability, hospital IT teams should<br />
adhere to the principle of least privilege,"<br />
Imprivata cautions. "Take steps to limit<br />
admin rights or, at the very least, ensure<br />
that machines with admin access can be<br />
locked down or quarantined immediately,<br />
in the event of a cyber incident."<br />
www.computingsecurity.co.uk @CSMagAndAwards May/June 2017 computing security<br />
07