EY releases 6-step response to cyber-attacks following shock NHS hack

17 May 2017 Consultancy.uk 5 min. read

On Friday the 12th of May, the UK’s National Health Service was one of the most high-profile victims of a global cyber-attack, seeing Accident & Emergency among other key services crippled by WannaCry ransomware. The incident was the largest ever coordinated cyber-attack of its kind, impacting numerous organisations including several of the world’s most critical healthcare and telecommunications systems, across more than 100 countries. While further forecast attacks on Monday failed to materialise however, Big Four professional services firm EY have warned that this will not be the last time this happens unless measures are taken to learn from mistakes made this time.

In the fallout of the unprecedented WannaCry hack – which encrypted files on computers world-wide before demanding payment from users – UK-headquartered consulting giant EY issued a six-point plan organisations could use to protect themselves and reduce the impact of future ransomware attacks.

The firm – who published a report two years prior to this global incident entitled “Cyber-security and the Internet of Things”, prophesising cyber-attacks as “set to increase as hackers become more experienced and traditional tools to mitigate risks become less effective” – released a further warning after this latest episode. 

Stating that the risk of being attacked “increases exponentially when preventative measures are not taken”, along with an inability to plan a response for such an incident may well “be the difference between hours and days versus weeks and months of system compromise and outage.”

EY releases 6-step response to cyber-attacks following shock NHS hack

Six Step Solution

The six steps companies can take immediately range from common sense solutions to complex crisis planning, but the list begins with disconnecting infected machines from the network removing all backups offline to prevent them from being encrypted.

Companies should then activate their incident response plan – ensuring there is cross-functional representation in the investigation team, including legal, compliance, information security, business, public relations, human resources and other departments.

EY also used the opportunity to encourage preventative measures to organisations. Beginning by identifying and addressing vulnerabilities in a connected business chain, firms should then prioritise installing security updates, malware detection and anti-virus detection to complicate attackers’ efforts, while enhancing detection and response capabilities for future attacks.

Systems should also be patched before powering up PCs, while systems should be kept up to date with robust enterprise-level patches and the installation of a vulnerability management program – which should be continuously evaluated as risks evolve.

EY also stated businesses should activate continuity plans, preparing data based on varying requirements for regulatory reporting, insurance claim and dispute, litigation, threat intelligence and/or customer notification.

Finally, the consultancy used the list to call on companies to collect and preserve evidence in a forensically sound manner, conducive to investigation and reliable and usable in civil or regulatory matters.

EY Global Advisory’s Cyber-security Leader Paul van Kessel urged people to take immediate steps to keep critical systems and data safe, stating that “a cyber-criminal’s greatest ally is complacency. Whether you are a Fortune 500 company or a family-owned business, if you don’t take cyber-security seriously, you are at significant risk of being attacked.”

Paul van Kessel, Cyber-security Leader

Adding to the stark warning, David Remnitz, Leader of Global Forensic Technology and Discovery Services at EY’s Fraud Investigation and Dispute Service, commenting that even after malware outbreaks are fought off and normal service is resumed “companies sometimes face allegations that sensitive personnel-related or other business information had been compromised in the ransomware attack. Third parties and other stakeholders may require the company to demonstrate forensically that, even if the data was accessed, it was not stolen.”

UK government

The UK government meanwhile has come under increasing scrutiny for its approach to cyber-security, after it emerged the WannaCry ransomware made use of a known weakness in outdated Windows software. This follows reports made as early as December 2016, that 90% of NHS trusts still used the obsolete Windows XP, for which Microsoft had stopped providing security updates in April 2014.

Conservative Prime Minister Theresa May and NHS Digital stated they were not aware of any compromise in patient records resulting from the attack, however Home Secretary Amber Rudd later refused to confirm concretely if patient data had been backed up, in a statement confirming the NHS would finally upgrade its software in the wake of WannaCry.

Before the latest attack, 6% of internet users globally had already been personally affected by ransomware, while the online populace remains generally unprepared for such attacks; according to the recent 'Global Survey on Internet Security and Trust'. The research, conducted by global research company Ipsos, in partnership with the Global Commission on Internet Governance, recorded a startling 24% of respondents stating they would have “no idea” what to do in the event of being hit by ransomware. Unfortunately once programmes like WannaCry encrypt user data, it is extraordinarily difficult to retrieve without either paying the ransom or restoring the files from a backup, leaving preparation and prevention essential in the absence of a reliable cure.