Ashley Smith-Hammond

In early May, the ‘Wannacry’ ransomware spread like wildfire, infecting computers across 150 countries. This is just the latest attack in a trend that has been growing steadily in recent years.

This new form of malware is exploiting the vulnerabilities of organisations and businesses as opposed to individuals. So what can your organisation do to protect your own data and that of your audience?

How does Wannacry work?

Wannacry is one of the latest examples of “ransomware”. Ransomware encrypts files on affected computers and then demands payment to unlock them. Most headline cases in the recent attack were hit due to vulnerabilities caused by out of date operating systems or missed security updates.


For small arts businesses, a lack of knowledge, inertia and budget constraints may mean huge delays on essential updates and upgrades. In many cases the information held on computer systems is business critical. This means that the value of the data provides a further incentive for attackers. Put simply, if the data is worth more to the victim, they’re more likely to pay up to have the files unlocked.


Ransomware attacks aren’t going away any time soon and for cultural organisations this has implications – as some people have already seen. It can seem daunting, but there are some easy first steps and plenty of resources available.

Here are some starting points:

1. Install the latest security updates!
2. Remind everyone that it is not safe to click links or download files from unknown emails.
3. As soon as you can, upgrade from old operating systems like Windows XP, which are less likely to be supported by the latest security software.

You have a legal obligation to look after your own data as well as that of your audiences. The Data Protection Act requires data controllers to put the appropriate technical and security measures in place to protect personal data from loss or destruction.

There are plenty of resources available to help you get to grips with your legal obligations. We’ve pulled a few together below you might find useful.


ICO Statement on Wannacry
The ICO guide to the Data Protection Act
National Cyber Security Centre guidance
Scottish Business Resilience Centre advice on Wannacry
Scottish Law Society fraud alerts
Culture Republic comments on the end of the Safe Harbour agreement

Main image credit: WannaCry by medithIT (CC by 2.0)