FEATURE: SOFTWARE
to budgetary pressure, but often due to the critical nature of those legacy systems. When we consider that some activities are so critical that organisations are reluctant to accept the downtime required to apply patches, it is no surprise that organisations are hesitant to upgrade or replace legacy systems. This makes the job of maintaining a good security posture extremely difficult. You only need to look back at WannaCry to see the implications of compromised legacy systems. The 2017 ransomware attack gained access through unpatched Windows 7 systems that could easily have been patched before the vulnerability was exploited.
Third-party threats
There are a number of steps businesses can take to build better cyber-resilience. For critical industries such as healthcare, it is even more important to take a defence-in-depth approach to security, one that enables business operations to remain up and running even in the face of a live cyberattack. However, as the attack that impacted the NHS 111 service shows, looking inward can only take you so far. Organisations are increasingly taking an ecosystem approach to security, thinking about the problem in terms of third-party risk management.
According to the DCMS, two in five businesses use a managed IT provider, but only 13% of those companies review the security risks posed by their third-party suppliers. In this instance, it was Advanced – a firm that provides digital services for the NHS – that suffered the attack and enabled cybercriminals to impact its operations. Its Adastra software – one of the programmes affected by the attack – runs 85% of the NHS 111 services.

The healthcare industry is particularly at risk of cyberattack due to its critical nature, making it a target for threat actors looking to cause disruption. The breadth of its work means it's common for businesses in the sector to work with third parties. Therefore, third-party security needs to be combined with internal processes to quarantine and limit the impact of a cyberattack, with a view to identifying the compromise, mapping the route by which it entered the organisation and remediating the issue. Only then will healthcare companies be able to return to business as usual as fast as possible and minimise the impact of an attack.
Dominic Trott, UK Head of Strategy at Orange Cyberdefense
Fortunately, it seems that Advanced takes a proactive approach to cyber-resilience: it stated that the issue had been contained to a limited number of servers, which suggests that it successfully quarantined the threat through techniques such as network segmentation. As part of a broader approach to cybersecurity that includes techniques to prevent and avoid attacks, continue business as usual and constrain further damage – as per the NIST Cyber-Resiliency Engineering Framework – this will have helped Advanced withstand the attack.
From the NHS' point of view, this incident proves the vital importance of understanding third-party risk and taking steps to ensure that a consistently compliant and resilient approach to security is adopted by all of its suppliers. If an organisation is dependent on third parties but only looks to ensure cybersecurity internally, then it has failed to take sufficient steps to protect itself from cyberthreats and has left itself open to risk.
www.intelligentcio.com INTELLIGENTCIO EUROPE 57