i-confidential and Acumen Cyber react to news of £6m ICO fine to software co following 2022 NHS attack

Acumen Cyber and i-confidential respond to a recent report that the ICO has placed a provisional fine of £6 million on Advanced Computer Software for a cyber attack that disrupted the NHS in 2022.

Brian Boyd, head of technical delivery at i-confidential, said:

“This is a huge fine that highlights the importance the ICO is placing on organisations adopting good cyber hygiene.

According to reports, Advanced Computer Software had no MFA enabled on some of the accounts that access their systems, which allowed criminals to easily break in using a stolen password. This is a major red flag. There are many places (critical accounts, critical applications, remote access, etc.) where MFA is a must. Passwords are lost or stolen every day, so enabling MFA is one of the only ways to prevent criminals gaining access to networks through these credentials.

The incident was also another reminder of the dangers that can occur when the security of suppliers is weak. In this case, the attack impacted the NHS, which caused worrying disruptions to health care for UK citizens.

This is a situation that must be avoided. However, the recently announced Cyber Security and Resilience Bill has been designed to enhance supply chain security across critical industries, so it is clear the government is already actively working to combat these threats.”

Kevin Robertson, COO at Acumen Cyber, said:

“This was a massive cyber attack that shocked the UK in 2022.

The NHS wasn’t directly hit, but it suffered serious impacts from the attack, with patient data being stolen and emergency care lines suffering outages.

Given these consequences, it’s not surprising the ICO has set such a high provisional fine, but considering the NHS contract would have run into hundreds of millions, it won’t be much more than a slap on the wrist for Advanced Computer Software.

The fine also casts a spotlight on the vulnerability of the NHS, and how its operations can be impacted by cyber attacks on partners and suppliers. In the last few months, thousands of citizens across the UK have had medical procedures cancelled following the attack on Synnovis. With criminals seeing so much success from these assaults, they are set to continue, so any organisation that works with the NHS, or holds personal data, has a duty to keep it secure.

MFA should be adopted as a security minimum by all organisations. But that alone is not enough to protect against the advanced attacks we are seeing today.

In addition to the standard security controls, organisations today should also be implementing centralised logging, with alerting and correlation capabilities to detect threats across multiple attack vectors.”
