What could really have been done about the NHS exploits? Does workplace culture prevent us from keeping our systems secure?
Last year, when the WannaCry ransomware hit parts of the National Health Service (NHS) in the UK, techies everywhere rolled their eyes. At least 6,900 appointments were cancelled as a result of the threat, and yet the ransomware capitalised on a security flaw that had already been fixed. The root cause was that the local NHS organisations affected had not kept their computer systems up to date.
An overview of the security flaw:
• The vulnerability, titled ‘Eternal Blue’, was created by the National Security Agency (NSA) in the USA for surveillance purposes, and gave covert access to Microsoft Windows.
• The vulnerability was found and spread by a group called Shadow Brokers in April 2017.
• Another group used Eternal Blue to spread ransomware that encrypted users’ files and demanded a small cash sum to restore their data.
• By March 2017, Microsoft had patched the vulnerability and released an update.
At the top level, recommendations had been made within the NHS, but they were not implemented in the organisations lower down. Perhaps the recommendations could have been communicated more effectively and then checked? The truth is that nobody really knows the ins and outs of the situation, but we can use it as an opportunity to check our own organisations and learn.
A workplace culture that prioritises speed over long-term planning and secure development can be fine in the short term, but is it worth the cost of possible security flaws and harder problems further down the line? It might be beneficial to implement a Get It Right First Time policy.
Fear of breaking everything
When dealing with large and messy systems, especially when there is a lot hanging in the balance, the fear of breaking everything by updating is real. Despite this, there is a lot that can be done in preparation. Individual systems will have established practices to minimise downtime, and making sure these are known and followed will help prevent anything going pear-shaped.
Nobody wants to be liable for something going wrong. It is important to implement a strategy for regularly updating your software, to ensure that nobody feels uncomfortable about having to do it, and to guarantee that all your cybersecurity needs are met.