As I sat down to write this month’s blog, news broke of a “significant” ransomware attack on the Republic of Ireland Health Service (HSE). In order to stop the attack the HSE had shut down its entire IT system.
Ransomware is a type of cyber attack that locks users out of computer systems, typically by encrypting the data so that it becomes unreadable to the users. Demands for payment are then made to restore the computer functionality.
It goes without saying that the ransom should never be paid as not only does it allow the cyber criminals to prosper from their crime, there is also little chance they will take the opportunity to change their ways, act honorably, and fulfill their side of the bargain by releasing the data from their encryption.
Ransomware will usually enter a system by a user clicking a link in an email or by visiting a fake website that has been made to look like a legitimate one.
Cyber criminals are getting smarter: they will target the weakest link in the entire IT security system, the user. Why attempt to hack a system when you can trick the user into holding the door open for you?
It is important that councils ensure they have adequate IT security systems in place and that those systems are tested regularly by IT experts. Councils must also keep up a regular program of training to maintain staff awareness of cyber threats.
But what would you do if the IT defenses failed? Would you be able to get back up and running quickly?
Let’s take a typical scenario for a ransomware attack. I have seen this happen in the real world, as well as being briefed on it a while ago by a “government department” which will remain nameless.
A user is tricked into downloading and running a malicious piece of software by opening a file that purports to be an invoice that is overdue for payment.
The software executes and quickly spreads throughout the network. Files are encrypted by the software, making them unreadable without the decryption key, which supposedly only the cyber criminals have (they don’t; this is just a tactic to get you to make a payment).
Messages appear on all computers demanding payment by bitcoin within a brief period of time. The warnings also tell you that you should not turn off the computer or attempt to reboot it, or your files will be permanently lost.
These warnings are designed to put you under pressure and get you to make a rushed decision. In fact, in all likelihood the damage is now done, and from here on all you can do is mitigate the problem and attempt to recover.
So, at the first sign of trouble, you should do what the HSE have done: turn it off and call for expert help.
When the experts arrive they will normally be looking to recover some, if not all, of your data from the backups.
Now is not the time to discover that your backups either do not exist at all or are unreadable. Ask yourself this question right now: when was the last time you had your backup tested to make sure it was readable?
Loss of data like this falls within the scope of the sixth data protection principle, that data shall be ‘processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).’
That means appropriate technical and organisational measures to ensure security against unauthorised access, accidental loss or destruction. So on top of a data loss and disruption to your council, you now also have a data protection breach.
So now is the time to make sure that your technical measures work: your firewalls are in place, your computers are up to date and security patched, and your backups exist and are readable. Make sure, too, that your organisational measures are in place: you have a staff awareness program on cyber threat, and training is provided to all staff.
Make sure that it’s not after you have been hit by such an attack that you wish you had looked at your technical and organisational measures against cyber threat, because cyber threat is very real. Just ask a doctor in Dublin. Well, don’t actually; she’s busy right now.