The recent ransomware episode caused chaos for the NHS. One IT firm tells Andrew Collier what can be done to enhance data protection

It wasn’t quite like a scene from the movie The Day the Earth Stood Still, but to those caught up in its ravages, it must have felt like it. Right across England and Scotland, NHS systems suddenly crashed. Medical staff couldn’t access prescriptions, patient records, X-rays and other vital information.

Accident and emergency departments were closed, operations cancelled, patients sent home. The effect of the ransomware attack on healthcare IT systems earlier this month could have been cataclysmic. Through a mixture of a swift technical response and pure luck, it wasn’t, though the disruption was huge and the cost to the NHS, when worked out, is likely to run into millions of pounds.

This attack was a stark global reminder – it hit some 200 countries – of just how reliant we all now are on technology and IT systems. They are indispensable to modern society. But they can also be unpredictable, mercurial and vulnerable to attack. When they fail, the consequences can be massive.

How much can a loss of data affect a business, charity or public sector agency? That’s a huge question, depending on the nature of the organisation. To a sole trader who just uses their computer for occasional web browsing or issuing invoices, it’s probably just an inconvenience.

However, for a bank, airline, large corporate or government department, inability to access critical data can be disastrous. It can cost millions of pounds in lost revenue and disruption to operations. And that’s before you even begin to consider the reputational damage involved.

iomart is one of Scotland’s longest established and most experienced providers of data storage and cloud computing. Formed nearly 20 years ago, it has grown into one of the leading companies of its type in the UK.

The company has its headquarters at Glasgow’s West of Scotland Science Park and offers a wide range of services from a network of data centres across the UK. These include managed hosting, cloud services, managed security services and data storage, backup and disaster recovery. In essence, it provides an end-to-end service to protect the data of customers in the private and public sectors.

Paul Jeffrey, who is iomart’s Technical Services Director, points out that the recent ransomware attack has helped to focus minds on the critical importance of data protection. "I do have a certain sympathy with what happened to the NHS," he says.

"IT services within the NHS face budget challenges, yet they are under pressure to make improvements everywhere. Add to that the IT skills gap and the fact that many NHS trusts run old and often end of life legacy IT systems, the demands placed upon them are immense."

The problems for smaller organisations, he adds, can be even more dramatic. "They may well not be IT literate and have no IT staff of their own. They probably use a ‘man-in-a-van’ to address any technology issues they encounter. They just don’t have the skill set."

Across all organisations, Paul says, one of the biggest enemies can be complacency. "There can be a feeling out there that data loss or security issues can never happen to me. But the truth is that there is an inevitability that sooner or later, something will happen. People shouldn’t just ignore this, but they do."

While bigger organisations, enterprises, may at least have the knowledge and staff to better understand and solve IT problems, they can have their own particular issues. "As the size of the technology environment increases, so does its complexity. Putting things right can be a massively difficult task. It can be like turning a giant oil tanker at sea.

"By contrast, it may be that SMEs may only need an anti-virus solution, malware protection and a decent back-up facility."

The last of these is particularly important: when all else fails, it is critical to have some sort of backup and disaster recovery strategy in place. "Your attitude to risk defines the way you do everything, though of course budget does also come into it. It’s about having defence in depth - looking at every layer in your IT environment and protecting against potential problems."

Paul makes an analogy with having a car. "You have insurance. You get it serviced and ensure that it is maintained. It’s the same kind of mentality that you need with your IT systems.

"There also has to be a recognition that IT is no longer a technical issue, but that it is at the very core of the business. It’s something that has to be in the hearts and minds of senior executives within a business. If that’s the case, then its importance will trickle down to the rest of the company."

One issue, though, can be that an organisation’s most senior executives may well look at IT investment in terms of the bottom line rather than its real importance in maintaining and protecting the overall business.

"It can be a hard sell for the IT people, as boards might see it as a runaway spend and be less open to authorising it."

Moving data to the cloud can offer an alternative to in-house servers, and a good cloud provider is thinking 24/7 about how to protect data from security threats, Paul adds, but that isn’t always an easy solution either. "You have to make sure that you’re not simply moving from one set of technical skills and complexity to another.

"They are vastly different environments and the transition can be expensive.

"The important thing to stress is that you need to think from the top down, to make sure that your attitude to risk is reflected in your business strategy and that you seek professional advice."