News

Pictured: Guy’s Hospital, near London Bridge. While not directly hit by Wannacry, on advice its community staff shut devices to prevent infection; and patients were diverted from other places. Photo by Mark Rowe

More details
Further plans from Holyrood for the Scottish private and charity sectors are promised. Visit www.gov.scot/cyberresilience. For more from the NCSC, such as a ‘Small Business Guide’, visit www.ncsc.gov.uk. For the National Audit Office’s 52-page report on Wannacry and the NHS, visit www.nao.gov.uk.

Steve Gardner of OCS after wannacry hit:

SCOTS HAVE A PLAN
Scotland’s public bodies should work towards becoming exemplars in cyber resilience. So says a Scottish Government ‘action plan’ that sets out what Holyrood, Scottish public bodies and partners will do to further cyber resilience. The 50-page document admits that the Wannacry attack ‘had an impact on some areas of the NHS in Scotland’, and ‘underlined the potential seriousness of the cyber threat’. On what to actually do, the document does not go into specifics, for instance calling for ‘coherent action’. It airs common security ideas; ‘in time, cyber resilience should be ‘baked into’ Scottish public sector processes and infrastructure’. It emphasises cyber resilience is ‘as much a cultural issue as a technical one’. Generally the Scots fall into line with what the UK overall is doing, such as ‘active defence’, and the CISP (Cyber Security Information Sharing Partnership) run by the London-based NCSC (National Cyber Security Centre).

Among the speakers ... Richard Bond, Senior Consultant, in the Resilience, Security and Risk arm of Arup (featured page 41) is among speakers at a London First breakfast briefing on ‘designing cities for a safe future’ on January 30; as are Chris Stephens, Security Advisor, Crossrail; Carolyn Dunlop, Risk Director, Debenhams, and chair of the Crowded Spaces Industry Exchange; and former British Army officer now crisis consultant John Deverell ...
Jitender Arora, Head of Operational Risk and Security Executive, Coventry Building Society spoke at a recent BSI information resilience conference in Manchester ... Ian Mansfield of VSG and Steve Gardner, Head of Security for OCS spoke to facilities managers at a UBM-hosted evening briefing on terrorism.

BP renews: BOSS, the British Oil Security Syndicate, reports that BP Oil UK has renewed its longstanding membership for 2018. Covering BP’s company-owned 320 UK forecourts, retailers get access to BOSS Payment Watch, for ‘no means of payment’ recovery, if drivers claim they are not carrying money to pay for fuel.

VERDICT: ‘NHS NEED TO GET THEIR ACT TOGETHER’
The Department of Health (DoH) was warned about the risks of cyber attacks on the NHS, a year before the WannaCry virus hit hospitals so badly that it had to cancel thousands of appointments; and five NHS trusts, in London, Essex, Hertfordshire, Hampshire and Cumbria, had to divert patients to other accident and emergency departments. Of 236 trusts in total, 37 were infected and locked out of devices, according to a National Audit Office (NAO) report. Separately, as featured in the August issue of Professional Security, NHS institutions will still be using unsupported IT systems for months, the Government has admitted.

They were told in 2014
The DoH and Cabinet Office wrote to trusts in 2014, saying it was essential they had ‘robust plans’ to migrate away from old software, such as Windows XP by April 2015. In March and April 2017, NHS Digital had issued critical alerts warning hospitals to patch their systems. However, before Friday, May 12, the day that the malware hit the world, the Department had no formal mechanism for assessing whether local NHS bodies had complied with their advice and if they were prepared for a cyber attack. Amyas Morse, head of the NAO, said: “The WannaCry cyber attack had potentially serious implications for the NHS and its ability to provide care to patients. It was a relatively unsophisticated attack and could have been prevented by the NHS following basic IT security best practice. There are more sophisticated cyber threats out there than WannaCry so the Department and the NHS need to get their act together to ensure the NHS is better protected against future attacks.”

What it did
The cyber attack could have caused more disruption but for a researcher activating a ‘kill-switch’, the report points out. The attack led to disruption in at least 34pc of trusts in England although the DoH and NHS England could not tell the NAO the full extent of the disruption. As the NHS had not rehearsed for a national cyber attack it was not clear who should lead response. And as for crisis comms, NHS Improvement did communicate with trusts’ chief executives ... by telephone.

CYBER, A TEAM SPORT
Cyber risk to the UK continues to rise in severity and impact, according to an audit firm. But nearly one in five (17pc) admit they don’t prepare or drill for cyber attacks, and a bare half (49pc) conduct penetration tests, according to the PwC survey. New forms of attack require new ways of working, said Richard Horne, cyber security partner at PwC: “Cyber security needs to be viewed as a ‘team sport’ rather than just an issue for the IT team. To be most effective, everyone in an organisation should be considering the security implications of their actions.”

Fraud billions
Fraud against the private sector costs the UK £140 billion a year, and public sector an estimated £40.4 billion in 2017. That’s according to a study by accountancy firm Crowe Clark Whitehill, credit checking agency Experian and the Centre for Counter Fraud Studies at Portsmouth University.
Jim Gee, head of forensics and counter fraud at the accountants, said: “The cost of fraud is clear – not just the proportion which is detected, nor a guestimate but accurate information about the total cost to UK plc, just like any other business cost. And that cost is £190 billion.”

34 DECEMBER 2017 PROFESSIONAL SECURITY www.professionalsecurity.co.uk