Get used to ransomware and outages, says infrastructure exec

Data-centric economy needs to think differently about threat management and compliance

Ransomware is here to stay and the UK’s Health Secretary Jeremy Hunt better get used to it. The recent WannaCry ransomware attacks played havoc with a number of UK hospital trusts, prompting Hunt’s knees to jerk towards an idea, reported in the Financial Times, that hospitals should be rated on data security. With around 70,000 NHS devices still running Windows XP, however, the issue is surely more about funding than about individual hospital data management. Rating them is missing the point.

In the fast-growing data economy, the National Health Service, like any public body in any country, needs to have a centralised policy on how to keep data secure. Data has become a key element of infrastructure and as such needs investment and a plan to protect it. Using ratings as a threat to shame hospitals is not a policy.

Ransomware is not new, not even to the NHS. It’s been around for ages, and in February digital workspace company RES published a report saying that between 2015 and 2016, 88 NHS trusts had been attacked by ransomware. Lessons have clearly not been learned, whether it’s individuals not applying software patches or clicking on malicious emails, or governments not taking the issue seriously enough.

Richard Agnew, who works as a vice president for software company Veeam in the UK and Europe, believes that organisations like the NHS, governments and even businesses have to start thinking differently to cope with the rapid rise in cybercriminal activity. Facing the problem head-on, by which he means just putting more security software in place, is, he says, only one step towards tackling the issue. Human error, software bugs and crashing hardware are not going to go away.

He points to recent service outages too at places such as Virgin Money, WhatsApp and British Airways and says these things are “always going to happen.” He’s right of course, so can we legislate for it?

“The biggest ones are usually human based, someone applies a wrong patch, someone turns something off when they shouldn’t have, things go wrong,” says Agnew. “Like ransomware, you have to work on the assumption that it’s going to happen and look at how you can recover quickly from it. No, you can’t legislate for it.”

Agnew’s point of course is that if you have good data backup technology and policies in place, it lessens the impact of ransomware. If you know you have your data safe and that you can bring it back (through a series of tools which ensure the back-up is not infected) then ransomware becomes less effective as a means of extortion. That’s the theory anyway.

Agnew’s employer, Veeam, has a vested interest of course. It provides the software that manages data back-ups and the tools to test them and bring them back into a business. Does he have a point? Certainly the NHS could have done with a more robust policy on data security and storage. It wouldn’t necessarily have stopped the problem, but it would, says Agnew, “have made the recovery process less painful.”