John Keaney on the Importance of Cybersecurity Resilience
More than two weeks after news broke that the HSE’s IT systems had suffered a cyberattack, the organisation is still in the thick of it, battling to restore IT services and get health services back up and running.
Much has been written on the preparedness, or not, of our health service and wider Government Departments and agencies for such attacks. The temptation is to criticise Government for not having a sufficiently robust system and framework in place. This may prove to be justified but, before we start finger pointing, we need a balanced view of the issue and its broader context.
What has happened to the HSE is, unfortunately, far from unique. In May 2017, the WannaCry ransomware attack spread rapidly across the world. The UK’s NHS hospitals were among the biggest organisations impacted by the attack. Many of the same issues our HSE now faces occurred across NHS Trusts too, with computers, MRI scanners and theatre equipment exposed. As in Ireland, some NHS hospitals were forced to turn away non-critical emergencies. New Zealand’s health services are also struggling with a cyberattack this week. There, an attack on Tuesday brought down the entire IT network of the Waikato District Health Board, which serves a population of half a million, affecting testing laboratories, cancer treatments, email and phone services.
It’s not just public bodies that are exposed. In April, the story broke that Facebook data relating to 533 million users had been scraped, with much individual personal data later published online.
The circumstances, though different to those facing the HSE, have at least one similar outcome: the risk of individual personal data appearing online. It’s more than coincidence, too, that as hacks have increased over recent months, and personal data has become more accessible as a result, phishing scams have become ubiquitous.
Working from home has also increased users’ vulnerability. In the scramble to keep businesses up and running, the standards of security applied in the office may not have transferred to the home in all cases.
Whether home, office or elsewhere, cyberattacks are growing and most amongst us have been targeted in some way by cyber criminals.
This last point brings us to the nub of the problem: cybersecurity is not the sole responsibility of one agency, one department, one business or one individual. It’s a universal issue. Few in the public or private sector, upon hearing of the HSE attack, didn’t think for a moment that on another day it could have been them or their business.
The only positive is that the seriousness of cybersecurity has now been elevated in the public mind. We have all now got a greater understanding of the implications arising from such attacks and how they can threaten something as fundamental as our health services.
Awareness is the first step, but educating and arming ourselves, as the best method of defence, is the next.
Jeremy Fleming, Director of the Government Communications Headquarters, a leading UK intelligence and security agency, outlined what is required when he recently commented: “…cybersecurity is an increasingly strategic issue that needs a whole of nation approach if we are to continue to reap the benefits of technology”.
This ‘whole of nation’ approach is where Ireland now needs to go. We need a national focus at all levels and sectors to enhance our defences. This won’t be possible unless we are prepared to invest in and resource it fully. The accusation of underinvestment in our national approach to cyberthreats has been the most vocal criticism this week.
Comparisons are always precarious, but looking at the UK reveals a stark contrast in investment between the two countries. Its National Cybersecurity Centre has a 5-year budget of €2.2 billion and employs 1,000 people. Excluding pay, investment in Ireland’s National Cybersecurity Centre from 2017 to 2021 inclusive is €12.45 million, with a staff of about 25 people. Crucially, too, it has no Director in situ currently. The salary for this role, €89,000, is unlikely to attract a candidate of sufficient calibre. Population-wise, Ireland and the UK are very different-sized countries but, considering that the presence of global tech giants in Ireland means we store about 30% of all European data, the differences between the two countries are not so large.
We also need a whole of life education mindset. With cyberattacks, in most cases it’s an end user or individual who lets the hacker in and sets off the chain of events. This makes basic cyber hygiene now an important life skill and digital and cyber literacy a non-negotiable business requirement. To embed this culture, we need national leadership and our Cybersecurity Centre’s role will be pivotal.
Initiatives needed include public and business information campaigns on cyber risks, or publicly available, free-to-use cybersafe tools for businesses that encourage a minimum baseline of security for smaller SMEs unable to afford more expensive commercial services.
The UK’s Early Warning tool, a cyber-threat warning service offered to all UK businesses and designed to give customised, timely notifications about possible incidents and security issues to businesses who sign up to the service, is a further example.
Businesses too can play their part by opting to work with companies who can show adherence to cybersecurity standards.
Cybersecurity resilience is critical. This includes a sufficient pipeline of qualified cybersecurity experts, created via standardised education and training programmes at our higher and further education institutions.
A UK study found that cybersecurity skills in the labour market there were poor: 54% of businesses lacked the skills to carry out one or more basic cybersecurity tasks such as creating back-ups or arranging automatic software updates, while only 11% employed someone with cybersecurity responsibilities as some part of their role.
It’s unlikely Ireland would fare much better. Again, the National Cybersecurity Centre can play a key role in ensuring the requisite skills exist.
Cybercriminals are sophisticated, unmerciful and very attuned to any vulnerabilities. It is very unfortunate that our health service fell foul of their dispassionate mentality.
However, what matters most now is how our health service responds to protect its IT services from repeat attacks and that the learnings are carried forward to create greater resilience to such attacks into the future.