It was just an ordinary Friday morning in May.

In stuffy hospital waiting rooms around the United Kingdom, patients sat impatiently for their appointments, while the staff buzzing around them looked forward to the weekend.

And then it happened. Thousands of computer terminals throughout the National Health Service went blank for a moment before displaying a simple note, “Your files have been encrypted”.

And with that, many parts of the NHS ground to a sudden, juddering halt. The health service had become one of the first and most visible victims of the WannaCry ransomware worm cyber attack.

Nearly 20,000 medical appointments were cancelled, and millions of pounds worth of disruption caused despite the fact that it was a relatively unsophisticated attack.  

Target: big business

In the end, around 200,000 computers were infected across 150 countries. Security company Kaspersky Lab reported that the most seriously affected countries were Russia, Ukraine, India and Taiwan.

The fees that the hackers demanded for freeing up organisations’ software ranged from the low hundreds of dollars to thousands. How many paid them is not known.

Companies affected included FedEx, Nissan, Renault, Deutsche Bahn and Hitachi.

While the true scale of the financial damage may never be known, estimates have put the costs at between hundreds of millions of dollars $40 billion.

Regulation and global fines

Of course, the WannaCry attack was just the latest in a long line of similar problems.

Equifax, a US-based consumer credit reporting agency, said in September that the details of more than 145 million Americans, 15 million Britons and 100,000 Canadians had been compromised.

As well as the ensuing reputational damage, one law firm has threatened to sue for damages of up to $70 billion.

As well as reputational damage and lawsuits, companies have to consider fines they might have to pay in the event of a data breach.

In Europe, those fines are set to rise with the introduction of the European Union’s General Data Protection Regulation, which will add penalties in the event of major data breaches to €20 million or a quarter of global turnover, whichever is greater.

Source: Shutterstock.com 

Any company processing the data of EU citizens will be affected.

Despite the extraordinary potential cost a fine could present, many companies seem unprepared to confront the risks.

Mark Brumby, a security expert at PA Consulting, a UK-based adviser on technology and business transformation, says: “Too often we see business resilience budgets eroded without detailed understanding of what would happen in case of a complex, but highly devastating cyber-attack or incident.”

States of attack

While cyber crime has economic perspective, it also has a political dimension that is perhaps even more worrying.

Foreign states are suspected of attempted to influence both the UK referendum on leaving the EU and the US presidential elections last year.

There are also risks the internet could be used to attack physical infrastructure. The development of Stuxnet, a program developed by the US and Israeli intelligence services to attack Iran’s nuclear programme, has pointed the way for future attacks.

The digital “crown jewels”

So there is no shortage of potential threats. But how do we deal with them?

Digital safety guidelines should follow similar lines whether for governments or corporations.  

Ensuring “crown jewel” computer programs and data are as isolated from attacks as possible is one key step. They could be utilities, defence, food supplies, electoral systems, health services and key government operations.

Keeping critical infrastructure and software up-to-date, and if possible at tolerances beyond state-of the-art commercial products, is also important.

The UK military establishment caused waves when it was reported to be running Microsoft software on its latest ships, though these claims were later denied. “If you think more NASA and less NHS you are probably in the right place,” a Navy source told Wired.

Source: Shutterstock.com

Digital martial arts

But perhaps agility is the most underrated aspect of defence. The ability to deploy small taskforces to spot and deal with specific threats and work to achieve a nationwide response could be vital in ensuring security while longer-term solutions are found.

That is the case whether the issue is the spreading of false news during elections or identifying in advance events such WannaCry.

But prioritising cyber security and recognising it for the significant and growing threat that it is a central issue too.  

The head of the UK’s spy agency CCQH, Jeremy Fleming, said: “[if]… GCHQ is to continue to help keep the country safe, then protecting the digital homeland – keeping our citizens safe and free online – must become and remain as much part of our mission as our global intelligence reach and our round-the-clock efforts against terrorism.”