In May 2017, ransomware known as WannaCry affected computers in organizations around the world, encrypting data and demanding “ransoms” of between $300 and $600, payable in Bitcoin. WannaCry spread through organizations’ networks after unsuspecting users opened malicious attachments in phishing emails. The WannaCry attack caused one of the largest online disruptions in history, infecting over 230,000 computers in over 150 countries, hampering a wide variety of organizations such as the U.K. National Health Service (NHS), the Spanish telecom company Telefonica and the FedEx courier service in the U.S. For more background, please see our May 18 client alert on the cyberattack.
As a consequence of the major disruption caused by the WannaCry ransomware attack to the NHS, the U.K. National Audit Office (NAO) investigated the NHS’s response to the cyberattack and its impact on the U.K.’s health services. The report highlights the significant damage caused by the attack and the basic cybersecurity principles that were not observed.
NAO Report: Preventable, ‘Unsophisticated’ Attack Causes Significant Damage
WannaCry caused significant damage to the NHS and at least 34 percent of NHS Trusts (geographical sub-units of the NHS) experienced disruption. The report estimates that 19,000 appointments were canceled as a consequence of the attack, with five accident and emergency rooms having to divert ambulances and patients to other hospitals. Despite the significant disruption, the report nevertheless classified WannaCry as a “relatively unsophisticated attack that could have been prevented if basic IT security best practice had been followed.”
Significantly, all NHS organizations infected by WannaCry had unpatched or unsupported Windows operating systems that made them susceptible to the WannaCry ransomware. While no NHS Trust paid a “ransom,” many Trusts faced significant additional costs as a consequence of the attack, including paying overtime to IT staff, hiring additional IT consultants, and restoring data and systems affected by the attack.
Strikingly, the report highlighted that the Department of Health had informed all NHS Trusts in 2014 that it was essential to put “robust plans” in place to update old software. However, no formal mechanisms for assessing compliance were implemented, and both the Department of Health and the NHS were unaware of the extent of their exposure to cyberattacks as a result of retaining outdated software.
Other shortcomings included the Department of Health’s failure to test its cyberattack response plan at a local level. This resulted in a leadership vacuum when it came to responding to the crisis in real time, which was aggravated by a lack of alternative lines of communication between NHS bodies. For example, many NHS supervisory bodies had shut down their devices as a precaution, which meant that much of the response to the WannaCry attack had to be coordinated via messaging apps (e.g., WhatsApp) on NHS staff’s personal mobile devices.
NAO Report: An Ounce of Prevention …
The key takeaway of the report is applicable to all organizations: small, intelligent investments in cyberattack prevention and management can significantly reduce exposure to attacks, which, in the medium to long term, means significant cost savings.
In light of the lessons learned from the WannaCry attack, businesses should:
- Develop an incident response plan setting out (1) key action steps in the event of a cyberattack and (2) the roles and responsibilities of key personnel and departments.
- Consider “road-testing” the incident response plan and response effectiveness at the macro and micro levels through drill scenarios.
- Ensure critical security alerts are acted on, including applying software patches, keeping anti-virus software up to date and managing firewalls.
- Implement appropriate mechanisms and backup systems to maintain essential lines of communication during an attack when systems are down.
- Ensure that senior management and staff take the cyber threat seriously, have received necessary training, understand the direct risks to business services and work proactively to maximize resilience and minimize business impact.