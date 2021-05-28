Two weeks on from the HSE’s cyber attack the organisation is still in the thick of it battling to restore IT services and get health services back up and running.

Much has been written on the preparedness of our health service and wider Government agencies for such attacks. The temptation is to criticise Government for not having a sufficiently robust system in place. This may prove justified but, before we start finger pointing, we need a balanced view of the issue and its broader context.

What has happened to the HSE is far from unique. In May 2017, the WannaCry ransomware attack spread rapidly across the world. NHS hospitals were among the biggest organisations affected. Many of the same issues our HSE now faces occurred across NHS Trusts too, with computers, MRI scanners and theatre equipment exposed.

Like we saw in Ireland, NHS hospitals were forced to turn away non-critical emergencies. New Zealand’s health services last week also struggled with a cyber attack. There, an attack brought the Waikato District Health Board’s (serving 500,000 people) entire IT network down, affecting testing laboratories, cancer treatments, email and phone services.

It’s not just public bodies that are exposed. In April, personal information, linked to scraped Facebook data from 533 million users, was published online.

The circumstances, though different to the HSE’s, had one similarity – the risk of personal data appearing online. It’s no coincidence that as hacks have increased over recent months, and personal data is more accessible as a result, the number of phishing scams have become ubiquitous.

Working from home has also increased users’ vulnerability. In the scramble to keep businesses operational, the standards of security applied in the office may not always have transferred to the home.

Whether home, office or elsewhere, cyber attacks are growing and most of us have been targeted in some way by cybercriminals.

This last point brings us to the nub of the problem, cybersecurity is not the sole responsibility of one agency, one department, one business or one individual, it’s a universal issue. Few, upon hearing of the HSE attack, didn’t think for a moment that on another day it could be them or their business.

One positive is that the seriousness of cybersecurity has been elevated in the public mind. There is now a greater understanding of the implications of such attacks; how it can threaten something as fundamental as our health services.

Awareness is the first step but educating and arming ourselves as the best method of defence are the next.

Jeremy Fleming, director of UK intelligence and security agency GCHQ, recently said: “Cybersecurity is an increasingly strategic issue that needs a whole-of-nation approach if we are to continue to reap the benefits of technology.”

Ireland now needs this whole-of-nation approach. We need a national focus at all levels and sectors to enhance our defences and be prepared to invest in and resource it.

The accusation of under-investment in our national approach to cyber threats has been the most vocal criticism. Comparisons are always risky but looking at the UK illustrates a stark contrast.

Its National Cybersecurity Centre has a five-year budget of €2.2bn and employs 1,000 people. Excluding pay for 25 staff, investment in Ireland’s National Cyber Security Centre (NCSC) from 2017 to 2021 is €12.45m. Crucially too, it has no director in situ currently, the suggested salary, €89,000, unlikely to attract a candidate of sufficient calibre.

Ireland and the UK are very different- sized countries but consider the fact that the presence of global tech giants here means we store 30pc of all European data and the differences narrow.

We also need a whole-of-life education mindset. With cyber attacks, in most cases it’s an end user or individual who lets the hacker in and sets off the chain of events. This makes basic cyber hygiene an important life skill, with digital and cyber literacy a non-negotiable business requirement. To embed this culture, we need national leadership with the NCSC’s role pivotal.

Initiatives needed include information campaigns on cyber risks or publicly available, free-to-use cybersafe tools for businesses which encourage a minimum baseline security for smaller SMEs, unable to afford cybersecurity services.

The UK’s Early Warning tool, a service offered to all businesses that is designed to give customised timely notifications about security issues to businesses who sign up, is a further example.

Businesses too can play their part by opting to work with companies that can show adherence to cybersecurity standards. Cybersecurity resilience is critical. This includes a pipeline of qualified cybersecurity experts, created via standardised training programmes at our higher and further education institutions.

A UK study found cybersecurity skills in the labour market there were poor: 54pc of businesses lacked the skills to carry out basic cybersecurity tasks like creating back-ups or arranging automatic software updates. Only 11pc employed someone with cybersecurity responsibilities as part of their role.

It’s unlikely Ireland would fare much better. Again, the NCSC can play a key role in ensuring the requisite skills exist.

Cybercriminals are sophisticated, unmerciful and attuned to any vulnerabilities, unfortunately our health service fell foul of their dispassionate mentality.

What matters most now is how our health service responds to protect its IT services from repeat attacks and that the lessons are carried forward to create greater resilience in the future.

John Keaney is chair of the Ibec industry representative group, Telecommunications Industry Ireland, and CEO of SIRO, a joint venture between ESB and Vodafone