The Healthcare industry by its very nature is populated with some amazing people who are devoted to those in need of physical and mental care. Given this noble cause, it was perfectly understandable for them to ask “Why would someone attack us?” when WannaCry hit their sector.

In my opinion, the WannaCry compromise was the crescendo of almost a decade’s worth of neglect. Unpatched servers, legacy applications, forgotten risk registers and discarded business cases for investment all played their part. However, it did answer the million-dollar-question asked of all security teams: “What is the real risk of us being attacked?”

At the time of the attack, security teams across the country were rallying to resolve the issue, with many (I’m sure) searching for evidence that they had once warned their organisation of the dangers of poor cyber-response arrangements and poor patch management.

Dare we ask how many servers compromised by WannaCry only required a reboot to enable the patch – denied only because no agreement could be reached to arrange a maintenance window?

As sad and as controversial it sounds, sometimes it takes an incident of this magnitude and publicity for organisations to remember the basics. Despite the irresistible urge for some to shout “I told you so,” we must understand how we can improve now that we have the attention of executive management who wish to avoid the implications of another WannaCry.

In recent years, I spent less time on policy and more on advising on change – mostly trying to mediate between innovation and security. In adapting my thinking to include transformation and change, I have identified five key areas I believe all security (and IT) professionals should be considering:

1. The ‘Gig Economy’

Organisations want to try new things and do not want to be (Read more...)