
SCOTLAND!!!
The chief exec at NHS Dumfries and Galloway will write to thousands of folks in the Scottish region whose data was stolen by criminals, admitting the lot of it was published after the health authority board did not give in to the miscreants' demands. Residents of Dumfries and Galloway in Scotland will soon be receiving a …
The summary text is described as easy to read. Many of the recipients will have ageing eyes. Thin sans-serif text is not easy to read*, especially when on a grey background. It could have been made a great deal easier if they hadn't (presumably) frittered away money on a graphic designer and just used a higher contrast print.
* It isn't that easy to read here, either, even on a white background, especially when the composition text is a smaller font.
I'm not sure if it's a novel idea but what if all executives who run organisations dealing with personal information had to store a stack of very private material about them on every 'secure' server? That way, they'd have a personal incentive for cybersecurity.
The information would be appropriate to the broader type of information being stored. For example, a health executive would have to provide photos and details of any especially embarrassing parts of their body, to be afforded all the same security, but no more, as that which they provide to their customers.
The same concept could be applied to anyone proposing key escrow or other broken security for E2EE. Secure their nude photos with the same key used to decrypt everyone else's data and put the encrypted file online.
Personal information is important because key organizations -- banks and the government notably -- tend to act on it without verification and once a decision is made they dig their heels in and won't fix things (much less admit they've made a mistake). All too often you find a random person suddenly waking up from their humdrum daily routine and desperately needing to wire their life savings to some remote part of the world Right Now and the bank doesn't flag this as a bit odd but just processes the transaction as perfectly normal.
A bit of algorithmic common sense would make life less fraught. Currently a lot of important transactions -- banking, property title transfer and so on -- are designed to be friction free. It's convenient for the people doing the transaction but it's also a bonanza for scammers. There are very, very, few transactions that need to be done "right now" so inserting delay and double checking will not seriously inconvenience people but it will make scammers' lives a whole lot harder. (Personally, I like snail mail and F2F; it's Old School but it's really difficult to scam and you can't beat a genuine paper trail for when something goes wrong.)
Many many years ago I bought my wife a telephoto lens for her digital camera (early days so like an Olympus Trip but digital). The bank stopped my payment because it wasn't in my normal pattern of purchases. That wouldn't have been too bad but neither they nor the supplier bothered to inform me until I phoned the supplier to ask where the hell the lens was.
for not giving in to the bad guys. Show them it doesn't work. Paying them off wouldn't have guaranteed safety anyway.
Not so well done to the Blair government for doing a deal with MICROSOFT for NHS compute infrastructure. I tried to warn them they should have got some top Linux consultants to do it instead, that way it would be much harder for the crims to pull off this kind of thing!
The UK public sector response to incidents is getting relatively mature. Generally incidents are not swept under the carpet and updates are open and communicative.
However, they keep happening and the underlying causes (underspend on security) aren't really changing, so honesty is one thing (and is cheap where you're not providing screening services to affected individuals) but lessons learned and root cause are being swept under the carpet or ignored.
The ICO will not levy large fines on public bodies (because this impacts the public not the organisation) but they should be sticking the boot in hard where mismanagement and cost cutting are the root cause of serious incidents.