In August 2022 the NHS suffered another Cyber Attack, this time caused by one of its IT Suppliers. What have we got to learn from this?
Cyber Attacks on large organisations are nothing new; it feels like several new breaches are publicised in the media every week at the moment. What was different about this particular attack on the NHS was how it happened: it was actually the systems of a major IT Supplier that were compromised, and that is what caused NHS services to be affected. That’s something I feel we can all learn from.
You see, all competent leaders are aware they ‘should’ be taking steps to protect their organisations from Cyber Attacks, but I find that on the whole this is a very one-dimensional thought process: it is all about what you can do to protect your own systems, rather than what risks third-party suppliers present to you.
Organisations with slightly more mature information security processes will send out ‘Supplier Questionnaires’ asking what key suppliers have in place (I’ve just had to fill one out myself for a new client I’m about to work with). These ask whether suppliers have specific controls or security standards in place, such as Cyber Essentials, ISO27001 or Cyber Assured, but how many people then actually go and audit whether those key controls are really in place? I know from my experience of auditing a wide range of organisations that what people think and say they have in place versus the reality can be quite different.
What Lessons can we learn from this?
For me, the lessons we should be learning and the questions we should be asking ourselves following this Cyber Attack are as follows:
- Understand which third parties have access to our IT systems or data
- Understand what measures THEY are taking to protect us
- Are we happy with what they have put in place? Does it meet our own standards?
- How often should we review the protections they have in place for us?
- Should we be conducting our own audit of what they say they have in place?
- What is our contingency plan should one of our key suppliers suffer a cyber incident? How do we isolate our systems from theirs?
- What would be the impact on our business if they cannot operate?
“Good Cyber Security is not just looking at what you have in place, it’s looking at how others also help to keep you safe.”
Most organisations will have one or more external suppliers that have access to their I.T. systems or data: it might be an outsourced I.T. provider, an accountant or bookkeeper, or a key software provider. If you are serious about the security of your organisation, you should be looking at the security those external suppliers have in place too. If your I.T. provider gets hacked, how easy would it then be for the cyber criminals to get into or compromise your systems?