Draft27-12

News
Pictured: Guy’s Hospital,
near London Bridge.
While not directly hit by
Wannacry, on advice its
community staff shut
devices to prevent
infection; and patients
were diverted from
other places
Photo by Mark Rowe
More details
Further plans from
Holyrood for the Scottish
private and charity
sectors are promised.
Visit www.gov.scot/
cyberresilience. For more
from the NCSC, such as
a ‘Small Business Guide’,
visit www.ncsc.gov.uk.
For the National Audit
Office’s 52-page report on
Wannacry and the NHS,
visit www.nao.gov.uk.
Steve Gardner of OCS
after wannacry hit:
SCOTS HAVE A PLAN
Scotland’s public bodies should work
towards becoming exemplars in
cyber resilience. So says a Scottish
Government ‘action plan’ that sets out
how Holyrood, Scottish public bodies
and partners will take to further cyber
resilience. The 50-page document
admits that the Wannacry attack ‘had
an impact on some areas of the NHS
in Scotland’, and ‘underlined the
potential seriousness of the cyber
threat’. On what to actually do, the
document does not go into specifics,
for instance calling for ‘coherent
action’. It airs common security
ideas; ‘in time, cyber resilience
should be ‘baked into’ Scottish public
sector processes and infrastructure’.
It emphasises cyber resilience is ‘as
much a cultural issue as a technical
one’. Generally the Scots fall into line
with what the UK overall is doing,
such as ‘active defence’, and the CISP
(Cyber Security Information Sharing
Partnership) run by the London-based
NCSC (National Cyber Security
Centre). p
Among the speakers ...
Richard Bond, Senior Consultant,
in the Resilience, Security and Risk
arm of Arup (featured page 41) is
among speakers at a London First
breakfast briefing on ‘designing cities
for a safe future’ on January 30; as
are Chris Stephens, Security Advisor,
Crossrail; Carolyn Dunlop, Risk
Director, Debenhams, and chair of the
Crowded Spaces Industry Exchange;
and former British Army officer now
crisis consultant John Deverell ...
Jitender Arora, Head of Operational
Risk and Security Executive,
Coventry Building Society spoke at
a recent BSI information resilience
conference in Manchester ... Ian
Mansfield of VSG and Steve Gardner,
Head of Security for OCS spoke to
facilities managers at a UBM-hosted
evening briefing on terrorism. p
BP renews: BOSS, the British Oil
Security Syndicate, reports that BP
Oil UK has renewed its longstanding
membership for 2018. Covering BP’s
company-owned 320 UK forecourts,
retailers get access to BOSS Payment
Watch, for ‘no means of payment’
recovery, if drivers claim they are not
carrying money to pay for fuel. p
VERDICT: ‘NHS
NEED TO GET THEIR
ACT TOGETHER’
The Department of Health (DoH)
was warned about the risks of cyber
attacks on the NHS, a year before
the WannaCry virus hit hospitals so
badly that it had to cancel thousands
of appointments; and five NHS trusts,
in London, Essex, Hertfordshire,
Hampshire and Cumbria, had to
divert patients to other accident and
emergency departments. Of 236
trusts in total, 37 were infected and
locked out of devices, according
to a National Audit Office (NAO)
report. Separately, as featured in the
August issue of Professional Security,
NHS institutions will still be using
unsupported IT systems for months,
the Government has admitted.
They were told in 2014
The DoH and Cabinet Office wrote
to trusts in 2014, saying it was
essential they had ‘robust plans’ to
migrate away from old software, such
as Windows XP by April 2015. In
March and April 2017, NHS Digital
had issued critical alerts warning
hospitals to patch their systems.
However, before Friday, May 12,
CYBER, A TEAM SPORT
Cyber risk to the UK continues to
rise in severity and impact, according
to an audit firm. But nearly one in
five (17pc) admit they don’t prepare
or drill for cyber attacks, and a bare
half (49pc) conduct penetration tests,
according to the PwC survey. New
forms of attack require new ways of
working, said Richard Horne, cyber
security partner at PwC: “Cyber
security needs to be viewed as a
‘team sport’ rather than just an issue
for the IT team. To be most effective,
everyone in an organisation should be
considering the security implications
of their actions.” p
the day that the malware hit the
world, the Department had no formal
mechanism for assessing whether
local NHS bodies had complied with
their advice and if they were prepared
for a cyber attack. Amyas Morse, head
of the NAO, said: “The WannaCry
cyber attack had potentially serious
implications for the NHS and its
ability to provide care to patients. It
was a relatively unsophisticated attack
and could have been prevented by the
NHS following basic IT security best
practice. There are more sophisticated
cyber threats out there than WannaCry
so the Department and the NHS need
to get their act together to ensure the
NHS is better protected against future
attacks.”
What it did
The cyber attack could have caused
more disruption but for a researcher
activating a ‘kill-switch’, the report
points out. The attack led to disruption
in at least 34pc of trusts in England
although the DoH and NHS England
could not tell the NAO the full extent
of the disruption. As the NHS had not
rehearsed for a national cyber attack
it was not clear who should lead
response. And as for crisis comms,
NHS Improvement did communicate
with trusts’ chief executives ... by
telephone. p
Fraud billions
Fraud against the private sector
costs the UK £140 billion a year,
and public sector an estimated £40.4
billion in 2017. That’s according to
a study by accountancy firm Crowe
Clark Whitehill, credit checking
agency Experian and the Centre for
Counter Fraud Studies at Portsmouth
University. Jim Gee, head of forensics
and counter fraud at the accountants,
said: “The cost of fraud is clear – not
just the proportion which is detected,
nor a guestimate but accurate
information about the total cost to UK
plc, just like any other business cost.
And that cost is £190 billion.” p
34 DECEMBER 2017 PROFESSIONAL SECURITY www.professionalsecurity.co.uk
p34 News 27-12.indd 1 18/11/2017 14:43