The Health and Safety Authority and Data Protection Commission should advise small businesses on what to do in light of a devastating cyber attack, a Fine Gael Senator has said. Senator Mary Seery Kearney said a lot of businesses moved to paperless operations when GDPR was introduced as this guaranteed a higher level of security and confidentiality, and was the best practice way of ensuring privacy by design, as obligated by GDPR.
“In light of the State’s experience with this cyberattack, there is the possibility of a confidence blow to small businesses who having made good choices in going paperless, must fear the consequences for their business of a similar incident occurring. “All businesses must have an emergency plan on what to do were such an event to occur that details how they would operate their business if they could not switch on their IT systems. “Not every small business has the capacity or in-house competence to manage IT security risks.
“I believe that the Heath and Safety Authority and Data Protection Commission should publish advisory documents on recommended standards of security for small businesses, a sample template of an emergency plan in the event of devastating cyber attack and a check list of security questions to ask any supplier along with best practice standards,” the Fine Gael Senator said. “This has been a devastating time for those who are experiencing the consequences of the cyberattack on the HSE. It is impacting on hospital services across the country and also impacting on external services aligned to the HSE.
“I want to congratulate those working on this from the National Cyber Security Centre, on their diligence in preventing the detonation of a second attack on the Department of Health and for the overall infrastructure that has prevented this from having a much larger impact. The configuration of the State’s systems in being siloed is working. “I note that the National Cyber Security Centre (NCSC) has said personal data may be published on the dark web, and that this is likely to be administrative data, but that there is no guarantee as to what personal data may have been stolen and may be published.
“Given the prevalence of scams and confidence tricks particularly targeting the elderly, I believe it is now incumbent upon the NCSC to publish the categories of data that have been stolen as soon as possible, to also advise the public on what mitigating actions they can put in place to protect themselves from such scams and also to publicise broadly what if any pathways to verification and rectification the State is likely to put in place. “We see from the consequences of the Rotunda’s administration moving to paperless transactions, that while this is the lauded standard and they are to be applauded for leading the way, there is a downside to not having paper files,” Senator Kearney added.