After breaking the news of the ISS World malware crisis, ThisWeekinFM speaks to the industry experts, to identify how FM companies can better manage cybercrime attacks.
TWinFM spoke to Mike Gillespie, Founder of Advent IM, an independent cyber security specialist, to look at the ISS “malware infection” in greater detail.
Gillespie told us of the likelihood that the malware entered ISS systems due to human error.
“An organisation can have all the perimeter protection it can afford, but most malware is brought in through human error, often by clicking on a phishing link. Phishing remains the most effective and not surprisingly, widely used delivery system of malware globally. Phishing is used in targeted attacks as well as non-targeted incidents, which is what the incident with ISS looks like so far.”
The very wording of “cyber attack” or “malware attack” has connotations of malice and a deliberate target, when this may not always be the case. Gillespie maintains that this is an important distinction to be aware of:
“We do not know if ISS were the target or if they were a conduit to an organisation in their supply chain/ecosystem.
“The language of cyber security can be misleading and the use of language can add a layer of confusion; referring to an attack when actually it was a random infection not an attack, for instance. This imprecise language makes an already challenging landscape, even more confused.”
EMCOR Group and Bouygues are two other FM companies to have recently fallen foul of cybersecurity issues, but Gillespie sees the sector in general as wanting to improve in this area:
“We have engaged with the FM community for a long time and know that the desire to improve cyber resilience is very strong in this sector,” Gillespie continued.
“We also know that they, like all their clients will have Operational Technology (networked systems that are not IT) and other systems, such as Fire and Life, Security and Building Management Systems, that not only are not secure, but aren't designed to be secure.”
The BBC speculated that the incident may have been linked to ransomware, which encrypts IT systems, locking users out and demanding money.
In the race to find a solution and rescue data, some firms choose to pay out, as with the Maastricht University case. The university disclosed that it paid the 30 bitcoin ransom (roughly $220,000) requested by the attackers who encrypted some of its critical systems following a cyberattack that took place on 23 December 2019.
Paying a ransom could be viewed as no more than another business decision to weigh up. A report from ZDNet looked at research suggesting that, even if you don’t end up paying the ransom, it should be considered as a viable option. Citing the research and advisory firm Forrester, it says:
“Forrester’s guidance is not a recommendation of whether or not to pay a ransom but to recognize paying the ransom as a valid recovery path that should be explored in parallel with other recovery efforts to ensure that you’re making the best decision for your organisation.”
Others take the view that this should never be considered a viable option. As Gillespie told TWinFM:
“My advice is to never pay. It is well accepted that payment funds organised crime gangs and in turn terrorism and Trans-National crime groups. Not only that, you are ensuring that the aggressors are well-financed to be able to refine and improve their offensives against everyone, not just those that pay up.
“This should not be considered a cost of doing business.”
Whether the incident was a ransomware attack or not is, as yet, unconfirmed by ISS World.
The importance of handling the media when managing incidents of cybercrime is a point worth noting. Media statements, or the lack of them, can have an effect on managing potential repercussions.
With reference to internal communication and best managing press statements, Gillespie firmly believes that honesty is the best policy:
“You cannot expect them [communications teams] to come in and work media magic if you have not kept them in the loop of developments, because actually a poorly briefed comms team can make you look ridiculous.
“Remember, if you can’t explain it to them, don’t expect them to be able to translate it into anything meaningful for media, clients or public. Clarity is key, along with honesty both internally and externally. It doesn’t need to be complex, just clear.”
TWinFM also spoke to Chris Phillips, a fellow of the Security Institute and the Chartered Institute of Security and Crisis Management, and managing director of IPPSO:
"There is a growing number of attacks on all types of business and there is no doubt that FM companies will continue to be targeted in the future.
"The following are the top tips given by the National Cyber Security Centre, and I would recommend that all businesses familiarise themselves with this advice."
If your organisation has already been infected with malware, these steps may help limit the impact of the infection:
When it comes to prevention, Gillespie asserts that clients using FM service providers should be vigilant with their supply chain assurance and to be wary of “a procurement mentality that prioritises price over value.”
Myles Bray, VP EMEA at Forescout, a security platform that helps businesses and government agencies orchestrate actions to reduce cyber and operational risk, added:
“To fully protect themselves and their networks, businesses need to implement security systems that ensure secure network architecture, such as a segmented network.
“Network segmentation has been designed to allow businesses to automate the identification and isolation of threats, without impacting operations. In a time where it is ‘when’ not ‘if’ a cyber attack will hit, organisations need to limit the risk by maximising control and enabling full visibility across a network, which will assist in defending against the next wave of cyber threats.”
Picture: Original error message from ISS World's site
Article written by Ella Tansley | Published 26 February 2020