NHS 11 attack: What we learned

Databarracks provides secure Disaster Recovery, Backup, and Business Continuity solutions in the UK. Chris Butler is the Head of Databarracks' Resilience and Continuity Consulting practice, a fellow of the Institute for Leadership and Management, a Member of the Business Continuity Institute, and a Certified Information Security Manager. Butler shares some lessons in resilience that can be learned from the recent cyber attack affecting NHS 111 services.

Lessons to learn from the NHS 11 attack:

Manual processes

A company that is responsible for thousands of ships and hundreds of thousands of tonnes of shipping cargo, had to resort to managing this fleet using paper and pencil.

Likewise, we've seen NHS 111 staff recently resort to pens and paper, following the cyber-attack on a critical system that has shut down many services.

Technology has made organizations more efficient by automating manual tasks. However, this has also meant we’ve lost a lot of the manual processes we used to revert to. Manual alternatives will always be less efficient and more expensive, but they can keep you operating. Including "pen and paper processes" in your business continuity plan doesn’t make you a Luddite, it makes you prepared.

Cyber resilience and incident response

Cyber resilience should be a given these days considering the NCSC advice that it's a question of when not if you are attacked. Having good response capabilities such as a SIEM and a SOC, good firewalls, IDS and IPS, cyber insurance, and incident response on call 24/7 should be the minimum expected.

But the response is only a small part of overall business resilience. Equally as important are, from a technical perspective, good, isolated backups of your mission and business-critical data, and the means to recover them in line with business requirements.

And, while the technical teams are looking at response and recovery, the business teams should be focusing on continuity measures, including those important manuals or reversionary measures. You can’t hack a pencil! Furthermore, you can be sure that your senior leadership team will be involved, so I hope that your crisis management procedures include executive cyber response considerations.

Given most firms are in the world of hybrid working, how would you get together the right people to respond to an attack like this? Have you exercised your Business Continuity Plan with a hybrid team? If not, now is the time.

Securing the supply chain

And finally, the NHS 111 attack wasn't directly targeting the NHS, but rather one of its critical software suppliers (Advanced).

Major attacks on technology providers like Kaseya and SolarWinds have highlighted how vulnerable organizations are to attacks on their digital supply chain. Technology companies provide cybercriminals an avenue into hundreds or even thousands of organizations from a single breach.

This incident did not just affect NHS 111 staff, but also services in all 4 home nations, the Welsh ambulance service, prescription services, and a care home management system.

Securing the supply chain is becoming increasingly vital. The NHS is better prepared than most for these kinds of incidents as it is governed by the Networks & Information Systems (NIS) Regulations.

The original 2018 NISD was incorporated into UK law by our own NIS Regulations. NIS2 aims to go further with more comprehensive measures for securing the supply chain when it is fully signed off by the EU. Post-Brexit, it’s unclear if/how the UK will adopt it but I am sure we will, somehow!

So, supply chain resilience very definitely needs to be top of mind. I'm still not convinced that many companies spend enough time assessing the true resilience of their critical suppliers and vendors, this means asking deeper, more searching questions, and completing a proper assessment of their resilience capabilities.

A resilient organization looks after its ecosystem and has strong partnerships in its network.