A ransomware attack on Lincolnshire County Council last week forced the council to shut down its systems, leaving its employees with nothing but pens and paper.
The ransomware, which is a piece of malware that encrypts all the data on the affected device and then holds it ransom for a sum of money (usually a bitcoin), has now been removed after IT staff worked over the weekend.
Julie Hetherington-Smith, the council’s chief information officer, said, “We’ve done a lot of checking and we, and the police, are confident that the data is safe. Nothing has been lost”.
She added that the council would be reviewing its security systems in light of the attack, and ensuring its antivirus software was the latest available.
The fact that the council suffered 103 data breaches between April 2011 and 2014 makes me question what ‘reviewing its security systems’ actually means, which raises two concerns:
- Why must it take an attack to make the council review its security systems – why isn’t this a regular task?
- Also, having the latest antivirus software isn’t going to protect them; there is no antivirus software available that protects from 100% of current threats. It’s not a solution – it’s part of a solution.
The attack on the council took place after a member of staff “opened” a malicious email. Whether “opened” means simply opening or it means downloading an attachment, I’m not sure.
My advice to the council would be to focus on its employees and ensure that they have the required knowledge to prevent these or similar attacks happening again. Also, rather than waiting for a security incident to happen before reviewing its security systems, I suggest that the council implements an information security management system aligned to the international best practice standard, ISO 27001:2013.
You can find out more about ISO 27001 by downloading our free guide, ‘The 10 Critical Ingredients to Reduce Cyber Risk with ISO 27001’.
I guess the lorry is out of the car park, now isn’t it? Seriously now, this was very predictable. Maybe the council had decided not to invest in appropriate protection because they performed a risk assessment and determined there was no business impact on the organization other than a bit of inconvenience for a period, or “no big deal”.
With cyber attacks a daily occurrence you have to question why the government has not introduced laws for all public bodies that hold public data to meet minimum standards like ISO 27001:2013. This should include regular auditing with penetration tests by independent 3rd parties.
Both valid points above, but central Government should put the system in place to assist local Government to achieve the ISO 27001 minimum standard. Each local area having to look for and achieve this on their own would not be cost effective against a centrally coordinated effort.
Since we never know when a problem will occur, it is advisable to put in place a good business continuity system so that the business can bounce back after a complete shutdown or any similar problem. An expert needs to help do that, say by putting in place an IT Contingency Plan, an awareness program, and others.
You can train the employees but every once in a while someone is going to mess up and open/download something they aren’t supposed to. No one is perfect. Also with companies going through “weekly security meetings” they are bound to just start skipping over things and push it off until the next meeting, but then it becomes a repeating issue and then BAM an attack has happened because it was skipped for 2 months.
Yes, you have valid points, but it isn’t always reasonable for a company. Human errors occur all the time, unfortunately.