"Information saves lives. Technology too. Which is good, as info and tech's what we do," mused NHS Digital on World Poetry Day last month. Just a few months earlier, the names, dates of birth and insurance numbers of around 2,000 staff at University Hospital Southampton NHS Foundation Trust were compromised in a debilitating cyber-attack.
It followed similar attacks on other NHS institutions such as Guy’s and St Thomas’ NHS Foundation Trust and Royal Bournemouth Hospital. Perhaps NHS Digital should have mentioned 'cyber security' rather than 'technology' while indulging in poetic exuberance.
Cyber heists on British companies and institutions have multiplied over the years. (There is a useful review of cybercrime here.) While it is encouraging that both businesses and state agencies are aware of and worried about the problem, what is more worrying is that, so far, they do not seem confident of nipping it in the bud soon enough.
The British Chambers of Commerce recently claimed that as many as 20% of all British businesses were struck by cyber-attacks in the past year. The more worrying revelation in the report was that among businesses employing more than 100 staff, 42% were victims of cyber-attacks, which translates to just short of one in every two large businesses. A separate statement from Philip Hammond, the Chancellor of the Exchequer, revealed that government departments and employees saw as many as 200 cyber-attacks a day from Russian and Chinese hackers in the last six months, signifying the true extent of the threat.
“Over the last two years there has been a step change in Russian aggression in cyberspace. Part of that step change has been a series of attacks on political institutions, political parties, parliamentary organisations and that’s all very well evidenced by our international partners and widely accepted,” said Ciaran Martin, who heads the GCHQ's National Cyber Security Centre, to the Sunday Times.
How serious are British private enterprises about the threat?
The British Government is offering an ambitious and helpful 'Cyber Essentials' accreditation programme for enterprises. The programme aims to help companies strengthen their IT systems, implement the latest cyber security practices and effectively handle and protect customer data. To ensure more companies join the programme, the government has mandated that those without accreditation will not be able to bid for government contracts.
Despite the government's push and glowing recommendations from global institutes, only one in every four businesses has signed up for the accreditation programme, which emphasizes why cyber-attacks are here to stay.
The British Chambers of Commerce's report states that while 47% of large firms have signed up so far, only 10% of sole traders and 15% of firms employing one to four employees are now part of the programme.
What is the government doing about it?
As of now, businesses that store customer data and fail to protect it from cyber-attacks are liable to pay fines of up to £500,000 to the exchequer. From May 2018 such companies will have to adhere to the General Data Protection Regulation (GDPR), whose rules are being tightened even as cyber-attacks grow more destructive and powerful with the passage of time.
According to the Payment Card Industry Security Standards Council (PCI SSC), the fines such companies will be liable to pay from May 2018 will be either 4% of their annual worldwide turnover or €20 million, whichever is higher. As such, the total costs incurred by such firms because of their failure to protect customer data may rise to £122bn from a mere £1.4bn in 2015. The message behind the new regulations is for large firms to either pull up their socks or face impending financial ruin and loss of face.
Back in March, the National Cyber Security Centre and the National Crime Agency together published a report on the true impact of cyber-attacks on British industry and how they can be countered in the future. The NCSC aims to turn Britain into the world's safest place to do business online, and for this to happen it wants businesses to improve their cyber defences, apply cyber hygiene principles, spread awareness and treat all their confidential data as a potential target of cyber-attacks.
For its part, the NCSC plans to work with industry partners on attribution and infrastructure mapping, to receive reports of cyber-attacks as early as possible, to access the industry's threat intelligence and to patch the most commonly exploited vulnerabilities in businesses' IT systems. It remains to be seen how effective the NCSC will be in the coming days in fighting the menace of cyber-crime alongside industry, the government and law enforcement agencies.