Ian Birdsey: WannaCry attack a wake-up call for business

• READ MORE: NHS systems in Scotland returning to normal following cyber attack

The cyber attack, described by Interpol as unprecedented in scale and which sought ransom payments valued at $300 (£230) and then $600 in the cryptocurrency bitcoin, should alert organisations that they face a crippling impact to their operations if they fail to take basic measures to protect the security of critical systems and data. The malicious ransomware spread to systems that were running on out-of-date software that contained a vulnerability, despite a security update for the software being available since 14 March.

Own an innovative start-up? Find out how to win £5,000 for your business

The WannaCry ransomware attack appears to have operated like a worm attack that was common in the early 2000s by searching for and spreading to systems that contained a particular security vulnerability. The attack does not appear to have been particularly sophisticated, and indeed the UK’s National Cyber Security Centre has indicated that the most basic cybersecurity hygiene by organisations – keeping security patches up-to-date, running antivirus programs and backing up data – would have been sufficient to repel this attack.

The scale of the WannaCry attack shows that many organisations are not treating the cyber threats they face seriously enough. There is an opportunity for the UK, and other countries across the EU, to drive better practices when they come to implement the EU’s Network and Information Security (NIS) Directive. This sets out measures designed to ensure critical IT systems in central sectors of the economy like banking, energy, health and transport are secure.

200 Voices: find out more about the people who have shaped Scotland

The directive will apply to operators of “essential services” and “digital service providers” and EU countries have until 9 May 2018 to incorporate the measures in to national law. Under the Directive, each EU country will be responsible for determining its own “effective, proportionate and dissuasive” penalties for infringement of the NIS rules. However, possible penalties could include fines, public naming of those in breach, and/or a requirement to rectify deficiencies identified with cybersecurity measures deployed.

• READ MORE: Fraser Nicol: A timely reminder on ransomware risks

The cyber risk faced is particularly pronounced in areas of infrastructure that are critical to everyday life, such as banking, health, energy and transport – all the sectors within the scope of the NIS Directive.

Cyber risk has risen up the boardroom agenda in recent times, but it is clear that, despite a raft of new legislation, government guidance and industry warnings, many organisations are still vulnerable to attack. Organisations of all types and sizes should check whether their anti-virus programmes are operating effectively, whether they are up-to-date with their security patching for software and ensure they back-up data onto systems that are operationally distinct from the main systems they rely on, to ensure that systems can be switched and operations restored quickly in the event a ransomware attack hitting.

In addition, organisations should put in place, and test, an incident response plan. It would enable them to efficiently manage any breach they experience with the help of third party experts, such as forensic IT investigators, PR agencies and legal advisors, in line with their legal and regulatory obligations.

• Ian Birdsey is a partner and expert in data protection and cyber issues at legal firm Pinsent Masons

Click here to ‘Like’ The Scotsman Business on Facebook