NHS Cyber Attack: Blame the Managers not the Hackers

So… it all started when I advised about an NHS Cyber Attack back in 2013 (which was ignored). Despite many warnings and proposed plans, this advice was brushed aside, favouring conformance over performance and good governance. Instead, the careful management of I.T. risks has turned into a catalogue of errors, full of obfuscations and smokescreens and, to be honest, Senior Management don’t really understand and therefore don’t want to know.

On the 12th of May it actually happened: the NHS Cyber Attack I have long predicted, waffled on about and talked about in great detail during my many talks around the country. No fewer than 48 NHS Trusts were hit by an unprecedented Cyber Attack in the UK.

While many make political capital out of it, we have to remember that the first victims of this crime are the tireless Doctors and Nurses who will undoubtedly be taking the full brunt of this as the face of the NHS. As the very people on the ground, they are the ones faced with systems that are inaccessible, and who therefore cannot access important medical history, booking systems or procedures, all of which are essential to the smooth running of our NHS.

But sadly this is not the end; it’s not even the beginning of the end, but it is perhaps the end of the beginning of a wave of attacks on our Nation’s assets and infrastructure. My talk and simulation of a Cyber Attack on our National Grid that I gave to the Institute of Engineering and Technology gave some stark examples of what is likely to happen if we don’t get a grip of it.

Amber Rudd, UK Home Secretary, said “The NHS must learn from Friday’s cyber-attack and upgrade its IT systems.” But what, or who, is the cause of this attack? Are the Hackers entirely to blame? Is the NHS in any way responsible? What were the CQC doing before this? They have a duty to check that cyber penetration checks have been performed in NHS Trusts on a regular basis.

The UK Government is already investing £1.9bn into the National Cyber Security Centre (between 2015 and 2020), so surely, with this investment and the advice and support it makes available to organisations to protect themselves, could the problem be not the Government or its funding, but rather the Boards’ execution of risk management in their organisations? You can lead a horse to water, but you can’t make it drink.

I’d rather not single out the NHS; it is a great institution, with a great many people who look after our sick and elderly with continuous care, and who do it in such a way that makes the UK envied for its public health system.

What I’m talking about is a UK culture problem on the Boards of UK organisations. I feel that many Boards lack the skills or experience to manage cyber risks, and many give little importance to securing information. In my opinion it’s the middle and top management that are the problem; many are outside their comfort zone and don’t really know what they are doing.

For example:

  • Many don’t really understand I.T.; many feel it’s run by “geeks” and find them difficult to understand or relate to.
  • Many don’t see Cyber as a REAL risk to their organisation, mainly because they don’t understand how their organisation interacts with technology, nor the strategic risks that come with it.
  • When a crisis happens, many bury their heads in the sand and hope it goes away, or hope to pass the blame to the I.T. department who “should have protected us better”.

Only a few days ago, the Information Commissioner’s Office (ICO) slapped a cold-calling firm with a record fine of £400,000 for making almost 100 million nuisance calls, so why are we not prosecuting directors of NHS Trusts for failure to protect the public against cyber threats?

I find it strange that many companies prioritise skills like financial qualifications as a prerequisite for Directorship, along with the usual experience required, but don’t seem to value I.T.-savvy Directors who could also make or break the organisation if a crisis were to happen.

Instead, the focus still appears to be on supporting the “old guard”, falsely regarded as a safe pair of hands and favoured for their “fat” CVs full of top Brand names, and on stopping new people with the relevant skills and experience (to help mitigate things like Cyber Risks) from coming through, ultimately creating a “boys’ club” culture that exists to protect the few rather than the many.

I do hope that someday shareholders/stakeholders of such esteemed Boards vote with their feet and demand fair and balanced boards, with good governance derived from what people know and can do in this modern age.

Sadly, I’m also looking forward to watching pigs fly!