You could not fail to miss the coverage of the worldwide ransomware attack over the weekend which particularly affected the NHS.
The scale of the attack, and its impact on public services, is unprecedented. However, similar attacks happen on a daily basis and third sector organisations must protect themselves from risks of operating in the digital world.
The latest UK Government Cyber Security Breaches Survey reveals nearly seven in ten large organisations have had a breach or attack. The average cost to large organisations was around £20,000, although in some cases this reached into millions.
The most common attacks are the result of fraudulent emails, coaxing staff into revealing passwords or financial information, or opening dangerous attachments. The ransomware attack over the weekend was particularly damaging as it didn’t just infect the original user, who may have opened a dangerous attachment; it was able to seek out and infect other computers on the network that had the same vulnerability.
The vast majority of these attacks are not targeted, they are random and third sector organisations are equally at risk. In September, a ransomware attack on Comic Relief took their systems down for three days.Only a few days before the NHS attack, the Queen’s Nursing Institute in England reported disruption as a result of an attack on one of their servers.
What should we do now to protect ourselves?
Follow the advice of the National Cyber Security Centre to reduce the risks to your organisation by:
- Keeping your organisation’s software patches up to date
- Using proper antivirus software services
- Most importantly for ransomware, backing up the data that matters to you, because you can’t be held to ransom for data you hold somewhere else. It is recommended you back up to multiple locations, including encrypted online (cloud) services for maximum protection.
If you have any systems that are still running Windows XP, you must immediately install this patch from Microsoft and upgrade to a more modern operating system as soon as possible.
Given the heightened awareness of the risk, it is worth reminding all users of your computer networks to be wary of opening attachments or links in emails, particularly from strangers or where the language and style used seems unusual.
What should we do in the longer term?
Cyber attacks are as great a risk as other forms of crime. Therefore third sector organisations should:
- Ensure your information security and cyber threats are included on your risk register and monitored at Board level. Trustees should be asking: Do you we have adequate controls to defend against cyber attacks? Are we confident in our ability to recover quickly should the worst happen?
- Consider providing regular training for staff on basic digital skills, information security and data protection.
- Consider external accreditation, such as Cyber Essentials, to assess your defence against cyber threats.
Getting ready now will also help prepare you for the forthcoming EU General Data Protection Regulation coming in to force in May 2018. This places more responsibility on organisations to protect data or risk hefty fines. It also provides greater protection of people’s rights, as well as an opportunity to create greater trust and transparency around how organisations use personal data. Book now to attend SCVO’s Data Protection Conference on 21 September 2017.
Continue to stay safe online.
— SCVO Digital (@digiscot) March 8, 2017
Should you need further suppot, SCVO provides a range of IT services to our members, including advice and fully managed IT support.