Assessing risk: a response to the Global WannaCry Ransomware Attack

May 17, 2017
The recent ransomware attack on the NHS and companies across the globe has brought cybercrime to the top of the risk and news agenda.

More than 50 hospitals, doctors, surgeries and pharmacies were hit by the Wannacry attack on Friday 12 May. The computer virus targets older software, such as Windows XP.

Elsewhere, more than 29,000 institutions were hit in China in what many are calling a cyber-attack wake-up call. Nissan Sunderland, German rail network Deutsche Bahn and US delivery giant FedEx are among 200,000 companies in 150 countries known to have been affected.

It is estimated that more than £30k has been paid out in ransoms so far, with operations at some Trusts and GP surgeries still affected.

Risk anaylsis

“The NHS is unusual because it has so few people with the skills to fundamentally understand risk across the enterprise. While the NHS in England employs 1,300,000 workers, it has just 27 partially/fully trained and experienced enterprise risk managers,” said Patrick Keady, Institute of Risk Management (IRM) board member and chair of the IRM Health & Care Sector Interest Group.

“At the same time, it is reassuring that most of the NHS organisations affected by Wanna Decryptor say they have plans in place to react to the impact of the malware.

“However, we have known for years that increasing amounts of IT software and hardware used in the NHS are simply out-of-date and no longer supported by their manufacturers. NHS bosses really do need to take major steps now, to prevent similar episodes and the accompanying disruption to patient services.”

Mr Keady undertook research into current risk registers of the 34 NHS Trusts and Clinical Commissioning Groups reported to have been affected by the cyber-attack.

In his view, this research found that 34 NHS Board papers are over-crowded with information – with one set of Board papers exceeding 400 pages.

Key findings:

  • 10 organisations publish Risk Registers online.
  • 13 publish Board Assurance Frameworks online (this requirement was introduced by New Labour circa 2004).
  • Nine do not publish risk registers or board assurance frameworks online.
  • Mid-Essex Hospital Services NHS Trust was the only Trust to mention Cyber-Security in their Board Assurance Framework. (Page 20, risk number 949).
Cyber risk

A 2016 survey of IRM members showed that cyber risk, including data breach, hacking, theft of IP, cyber fraud and commercial sabotage was one of their most pressing concerns.

“We live in an increasingly networked world, from personal banking to government infrastructure. Protecting those networks is no longer optional – the internet of things means enterprise wide risk management, including cyber security policy, has never been more important,” said Nicola Crawford, CFIRM, Chair of the IRM.

“Cyber risk is now firmly at the top of the business agenda globally as high-profile breaches raise fears that hack attacks and other security failures could endanger the global economy. Ransomware and data breach can have catastrophic consequences including loss of life”.


Alexander Larsen, CFIRM, President of Baldwin Consulting and IRM expert on cyber said: “The speed at which this virus has affected companies around the world shows the impact these hackers can have. Patient’s records may be at risk of being leaked, operations have had to be rescheduled, ultimately putting lives at risk.

“Going forward we can only expect hackers to become more organised and well-funded, which, alongside advances in AI and technology, will lead to more sophistication in their attacks. Some organisations are already spending hundreds of millions of pounds on cyber security, while governments are spending billions in order to prevent these attacks. But experts warn that it is impossible to stop these attacks and that organisation’s should also be focusing on business continuity and recovery while also safeguarding their reputation, which could be severely damaged if the incident is not managed correctly”.

SOURCE: The Institute of Risk Management




Comments are closed.

© 2019