Skip to main content

WannaCry and the NAO: Bad news for the NHS, good news for Eskenzi

By November 6, 2017April 1st, 2019No Comments

WannaCry Attack and NAO

If you’re in the security game, WannaCry is like celebrity deaths…You always remember where you were! I for one was in the office, frantically getting all the available information over to my clients so we could have a comment written, approved and pitched in a timely fashion.

Such was the same when the NAO announced at the end of October that the NHS could have prevented the WannaCry attack by taking simple cybersecurity recommendations. While this was admittedly terrible news for the NHS, it was great news for our Eskenzi clients! A nationally recognised government office, going on the record about the cybersecurity failings of another globally known, much-loved national institution was almost too good to be true. This is particularly useful for our clients as the report echoes the sentiments that expressed as the time of the original WannaCry outbreak back in May.

At this point, the Eskenzi ‘rapid response’ process ramped up a gear, with Eskenzi employees all over the globe mobilising to capitalise on the news, and allow our clients commentary to become a part of the news agenda around this story. Both the quality of the comments our clients can provide, and the speed and accuracy with which they are pitched to the media are all crucial factors to consider when dealing with a rapidly changing news agenda. Luckily for us, the combination of our excellent PR professionals and our clients’ sector-leading knowledge meant comments were quickly drafted and pitched from across the infosec spectrum. Some of our excellent client commentary on the subject is included below:

Javvad Malik, security advocate at AlienVault:

For many organisations, it’s not a matter of if, but when. Fundamental security controls and hygiene could have prevented, or at least minimised the impact of WannaCry on the attack. But perhaps even more telling is that while the Department of Health had an incident response plan, it was neither communicated nor tested. Without a clearly communicated and tested incident response plan, trying to make one up in the midst of an incident is a recipe for disaster.

It becomes increasingly important for all organisations of all sizes to invest in cybersecurity. It doesn’t necessarily need to be huge investments, but care should be taken that the fundamental security controls are put in places and validated, as well as testing an incident response plan.

Anton Grashion, managing director-security practice at Cylance:

“While it’s true that organizations could have prevented at least one recent ransomware outbreak through ‘basic IT security,’ such as regular patching, the fact remains that a treasure trove of weapons-grade malware has recently been made available to every variety of threat actor on the Dark Web. It’s easy to say that if recommendations were acted upon the effect would have been less, but there would still have been an effect because the initial malware infection had to be stopped as well – not something the recommendations covered.

“Regular patching is necessary, but not sufficient for preventing highly damaging cyber-attacks on networks. It’s still imperative for security teams to evaluate next-generation anti-malware technologies inside their own organizations to see what works best for their purposes against these increasingly sophisticated new malware types, which are regularly failing to be stopped by traditional security products. Indeed, there is still a large estate of aging operating systems in daily use in both public and private organizations and while it is advisable to migrate to more up to date versions it’s sometimes a decision on what else will be cut to upgrade. Better yet is to protect these platforms in the first place and buy some breathing space in which an orderly upgrade program can be executed when budgets allow.”

Stephanie Weagle, VP at Corero Network Security:

“Organisations operate un-patched legacy systems and no formal mechanism to effectively protect against the evolving landscape of cybersecurity threats is irresponsible.  Over a third of national critical infrastructure organisations in the UK (39%) have not completed basic cybersecurity standards issued by the UK government, according to data revealed under the Freedom of Information Act.  In order for the UK to become the safest place to do business, Critical Infrastructure must engage in cyber resiliency best practices, and proper security defenses.  To keep up with the growing sophistication and organisation of well-equipped and well-funded threat actors, it’s essential that organisations maintain comprehensive visibility across their networks, to instantly and automatically detect and block any cyber threat, including DDoS attacks.”

Edgard Capdevielle, CEO of Nozomi Networks:

“The National Audit Office’s report reminds us that cybersecurity is not optional, it needs to be part of regular operations. Clearly there is a high cost when regular IT system updates aren’t implemented and cybersecurity recommendations aren’t followed.

“Attackers continue to look for new and inventive ways to infiltrate organisations and infrastructure meaning global outages as Wannacry was able to realise could become increasingly frequent if left unchecked.

“The EU’s NIS Directive due to be implemented into UK law next May, those who fail to adequately protect infrastructure will be penalised financially.

“With ransomware – such as WannaCry, especially given its ability to reinfect connected devices, prevention has to be first and foremost. Applying artificial intelligence and machine learning for real-time detection and response, organizations can monitor for known malware infections and detect anomalous behavior that might indicate new malware variants enabling organization to rapidly discover and act to remove malicious code before harm is done.”

Gavin Millard, technical director at Tenable:

“In theory, Wannacry could have been easily prevented by deploying a freely available patch and restricting or removing a ubiquitous service called SMB from Windows systems that couldn’t be updated. In reality though, due to the complex networks in place, overlapping ownership of devices and systems that can’t be updated due to contractual issues with the suppliers, this was far from trivial to accomplish.

“To be resilient to further attacks of this nature, each of the NHS trusts has to ensure foundational security controls are in place and identify where improvements are needed. The UK government has already defined controls every critical infrastructure should follow with schemes such as Cyber Essentials and NIS. But to implement these guidelines effectively, investment is required into a public sector that is already severely lacking funds.

“As we become more reliant on IT systems for every aspect of our critical infrastructure, including healthcare, the impact of a major vulnerability affecting those systems shouldn’t be underestimated or the risks ignored. Putting in place a robust process for identifying all systems on the network and how vulnerable they are, are foundational security controls for a reason. Without this ability, networks will continue to be easily infected by ransomware like Wannacry”

For other coverage successes at Eskenzi, please go to

By Conor Heslin, Account Executive at Eskenzi PR