In May 2019 a ransomware attack was carried out which resulted in the servers of the American city of Baltimore, Maryland being largely compromised by a new strain of ransomware called RobbinHood. Baltimore became the second U.S. city with a population of over 500,000 people to fall victim to ransomware in two years, after Atlanta was attacked the previous year.
In the UK, the National Cyber Security Centre (NCSC) stated that it responded to 723 incidents in the period September 2019 to August 2020, 194 of which were Covid-related. Additionally, it “thwarted 15,354 campaigns that had used coronavirus themes as a ‘lure’ to fool people into clicking on a link or opening an attachment containing malicious software”.
Some of the incidents involved public authorities, with one local authority being hit by a ransomware attack in which the hackers scrambled files and demanded money. This paralysed a number of council services, including payment systems, and left some key services unavailable for a number of weeks. The authority had to undertake a series of remedial actions, including building a new server and website and mobilising a temporary call centre.
The costs of coping with an attack and restoring systems can be significant, and it is reported that the WannaCry attack in 2017 cost the NHS around £92m.
Ransomware is a type of malicious software developed by those with criminal intent. If downloaded into IT systems, the software is programmed to lock a target’s computer or network, blocking access to important systems and data. The threat usually contained within ransomware attacks is that the locked information will be irrevocably damaged or destroyed if demands are not met within a prescribed timeframe.
This form of hack is a growing problem for large targets like public authorities and companies. Jeremy Fleming, Director at GCHQ, states that “the world changed in 2020 and so did the balance of threats we are facing.”
Specific targets for this new wave of ransomware attacks are large public service providers such as universities, hospitals and police departments: organisations that have large incomes but no scope for going offline for days or weeks to invoke structured IT disaster recovery procedures.
However, the major significance of ransomware attacks in the public sector is the immediate disruption caused to municipal services, as residents may not be able to access important information, pay taxes, fees or fines online, report potholes or make complaints via the organisation’s website. The financial consequences of a cyber-attack can be far greater than the ransom demand, and for many organisations it can seem expedient to pay the hackers and quickly restore services, but the National Cyber Security Centre (NCSC) warns that this is fraught with pitfalls and is a solution that should be avoided.
The NCSC notes that “the establishment of predetermined security risk management structures, business processes, roles and requirements are too often separated from the normal decision making structures and processes used elsewhere in the business. This separation can lead to uncertainty, delays and confusion in the technology decision making process of the problems.” It also notes, however, that there is “no ‘one size fits all’ approach to governance that can work for every organisation.”
For this reason the NCSC, which offers a range of guidance specifically for public sector organisations, including ‘The 10 Steps to Cyber Security’, believes that “adopting security measures tailored to your situation, but which align with the 10 steps, will help protect your organisation from cyber-attack”.
However, organisations also need to understand what they are protecting themselves against. To help with this, the NCSC has produced a white paper entitled ‘Common Cyber Attacks: Reducing The Impact’, which sets out what a common cyber-attack looks like and how attackers typically undertake them.
Events such as those detailed above serve as reminders of the need to actively risk-assess cyber security threats, with robust control strategies implemented and maintained to protect our organisations from the continuing threat posed by the methods of modern-day criminality.
Research by the insurer Hiscox suggested that 55% of UK firms experienced a cyber-attack in 2019, up from 40% in the previous year. It also reported that average losses from breaches soared from $229,000 to $369,000, an increase of 61%, with the figure potentially even higher in 2020, particularly as the pandemic brought a significant increase in remote working and reliance on electronic data systems.
As a final sting in the tail, there is a requirement under the General Data Protection Regulation 2018 for all UK companies, including Local Authorities, to report data breaches to the Information Commissioner’s Office (ICO) within 72 hours. Failure to do so can result not only in heavy fines and penalties but also in reputational damage, while exposing the organisation to civil claims.