Barely a month passes in 2017 without some kind of IT failure hitting the headlines, but the hacks, leaks and breaches that make the news may represent just the tip of the iceberg.
An investigation by the i newspaper has revealed that public bodies such as hospitals, councils and museums have been breached more than 400 times over the last three years.
The real number may be higher still. More than half of NHS trusts and one in ten councils refused to answer questions put to them by the i’s team of reporters.
The motivations for such attacks are varied. Some hackers want to extort money and steal sensitive data. Others simply want to wreak havoc.
To casual observers, the threat may seem abstract – but cyber crime has a real world impact, a truth thrown into stark relief in May when the NHS faced its biggest hack yet. A gang of cyber criminals since linked to the North Korean government released a virus dubbed WannaCry into the wilds of the internet. It quickly found its way into the poorly protected systems of the NHS, encrypting files as it spread.
Fortunately, the proliferation of the ransomware, which demands victims pay a fee to have their files released, was stalled when a 22-year-old computer whizz known as Malware Tech found a killswitch that halted its spread.
However, considerable damage was done before the NHS’s IT teams had a chance to stop it. Doctors and nurses were forced to cancel thousands of operations and appointments as techies scrambled to get systems back online.
Public bodies such as the NHS are far from alone in being targeted by hackers. But the figures revealed by the i indicate that the public sector may be particularly vulnerable to the march of cyber crime. One hospital told the paper WannaCry was the price it paid “for a very long-term under-investment in IT infrastructure”.
It’s a sentiment echoed by the Charted Institute for IT, which concluded in a report last month that the WannaCry strike could have been averted if hospitals had spent more time skilling up staff.
“The [strike] was bound to happen, it was just a matter of when,” said David Evans, the institute’s director of policy. “Whilst doing the best with the limited resources available, it is clear that some hospital IT teams lacked access to trained, registered and accountable cyber-security professionals with the power to assure hospital boards that computer systems were fit for purpose.”
The threat of cyber crime is only going to increase as hackers develop ever more sophisticated methods of attack. The Register, an IT news site, reported last week that experts now fear hackers will create ransomware tailor-made for particular organisations.
Public bodies could become prime targets for such strikes, given the importance of the work they carry out, but too many remain poorly protected.
The creation of the National Cyber Security Centre (NCSC), a spin off from GCHQ, was welcomed by experts last year. But there is only so much the organisation can do to help public bodies without assuming complete control of their systems, an approach that is neither practical nor desirable.
The impetus for change must come from within, but cyber security is expensive. Even with the best will in the world, executives in the public sector are powerless to protect their organisations unless they have the money to do so.
Government needs to ensure NHS trusts and other bodies have the funds to adequately secure their systems. If custom-made ransomware takes off, WannaCry 2.0 could be far more destructive – and it may not have a killswitch.