12 October 2018

IRM Weekly Cybersecurity Roundup: NHS WannaCry Attack and more

Each week, IRM gathers up (what we think) are the most interesting and important reads from the cybersecurity industry. The weekly roundup will include good and bad examples of cybersecurity practice and thought pieces from across the globe – all summarised in one handy place for your regular news top-up.

WannaCry attack cost NHS £92 million

The cyber-attack which targeted computers across the NHS last May has been estimated to have cost the service around £92m. The figures, revealed by the Department of Health and Social Care, are pushed higher by the estimated £72m spent on recovery in the two months after the attack.

The attack, ransomware that encrypted data on infected machines and demanded payment for its release, was described as “relatively unsophisticated” by the public accounts committee. The NHS has been warned to strengthen its cybersecurity against more capable future attacks.

You can read more here.

US weapons systems vulnerable to cyber-attack

“Nearly all” of the US weapon systems developed from 2012 to 2017 are vulnerable to cyber-attack, according to a report by the Government Accountability Office. During tests, systems were compromised with “relatively simple tools and techniques”, meaning an attacker could take control of them.

In some cases, the report found that systems were still using the default passwords set when the software was installed, which raises considerable security concerns. The security of these systems matters all the more because of how closely they are connected to other systems in the US.

In response to the report, Pentagon spokesperson Maj. Audricia Harris said: “We are continuously strengthening our defensive posture through network hardening, improved cybersecurity, and working with our international allies and partners and our defense Industrial Base and defense Critical Infrastructure partners to secure critical information.”

You can read the GAO’s full report here.

NATO to be operational in cyberspace by 2023

The North Atlantic Treaty Organization (NATO) has announced that it expects full operational capability in cyberspace by 2023. Speaking at a cybersecurity forum, its assistant secretary general explained that NATO had only started treating cyberspace as an operational domain in 2016. He added that cyber threats were a priority for NATO as part of its collective defence mission.

Whilst the statement shows progress for NATO, the secretary of state in the Polish Ministry of National Defence said that cyberspace as an operational domain introduced challenges, including member states having to “develop their own capabilities”. With nation state attacks becoming a genuine issue in the West, he added that “hybrid warfare is something we should all consider”.

You can read more here.

Building a cybersecurity culture is vital to stay in business

Organisations must adopt an effective cybersecurity culture to stay successful in business, says the Head of the University of Gloucestershire School of Business and Technology, Prof. Kamal Bechkoum.

With many organisations not taking cybercrime seriously, Bechkoum highlights that, in 2017, 18% of organisations didn’t even know how many cyber-attacks they suffered. This is an alarming fact at a time when data breaches are making headline news every week.

Bechkoum focuses on the fact that no organisation is “immune” from cyber-attacks. Businesses need to understand the impacts – whether financial, reputational or legal. To build the best defence, organisations should invest in strategy-building and employee awareness/training, as well as technical measures such as firewalls and backing up data.

You can read more here.

Heathrow Airport fined £120,000 for USB data leak

Heathrow Airport has been fined £120,000 after a staff member lost a USB stick containing “sensitive personal data”. The memory stick, which was not encrypted or password-protected, was found by a member of the public and contained more than 1,000 files. The files included a training video that exposed the names, dates of birth and passport numbers of 10 people, and the personal data of up to 50 Heathrow aviation security personnel.

An investigation by the Information Commissioner’s Office has since found that only 2% of the staff at Heathrow Airport had received data protection training. In addition, it was found that the practice of downloading data onto memory sticks was widespread.

You can read more here.

California bans default passwords

A new law in California will ban devices being sold in the state with default passwords after 2020, in a move to set a higher security standard for network-connected devices. Although the law should help end-users understand the importance of strong passwords, the bill’s aim is to challenge the poor default security of vendors’ products in the first place.

It is hoped that the law will encourage vendors to make security their responsibility. Tech companies will have over a year to ensure their connected devices are compliant, and there will be a risk of customer lawsuits if manufacturers ignore the rules of the new bill.

You can read more here.

China named world’s biggest state hacker

China has overtaken Russia as the biggest state hacker in the world, driven by the country’s appetite for commercial secrets. More than a third of attacks this year targeted tech companies (specifically biotech), pharmaceutical, defence, mining and transport organisations.

It’s no surprise with the rising threat from China that the US has continued to build upon its cybersecurity strategy revealed last month. According to Fox News, the strategy designed by Trump’s administration involves being “engaged in a long-term strategic competition with China and Russia”, meaning we are likely to see cyber-warfare becoming a much bigger tactic in future years.

You can read the full article here.

Google ditches Google+ after a data glitch

According to The Wall Street Journal, Google has decided to shut down the Google+ social media service after a ‘glitch’ exposed the data of 500,000 users. Surprisingly, Google didn’t publicly disclose the breach for fear of being compared to the Cambridge Analytica Facebook breach.

Google+’s data breach exposed the full names, email addresses, occupation, gender and age of users. It is thought that the social media platform will be permanently shut down by August 2019.

You can read more here.

If you’re working towards building a strong cybersecurity culture in your organisation and want to know how IRM can support you technically and strategically, get in touch.