Following the widespread damage caused by a high-profile ransomware attack, you might expect the NHS to have implemented an equally widespread cyber security strategy. Recently released research, however, has revealed a somewhat more patchy approach – one that provides a perfect example of how not to do things.
According to the report, based on a Freedom of Information (FOI) campaign by cyber security firm Redscan, some NHS trusts have spent as little as £238 on cyber security training in the past 12 months. Others, meanwhile, have invested as much as £78,000.
Of course, some trusts are much bigger than others, but according to Redscan, “the size of each trust was not always a determining factor.” Spending among mid-sized trusts, for example, ranged from £500 to £33,000.
Furthermore, only 12% of trusts have met targets for information governance training – NHS Digital makes it mandatory for 95% of staff to pass such training courses every 12 months.
To make matters worse, the NHS struggles to compete with the private sector when it comes to attracting cyber security professionals, which means it will feel the effects of the digital skills gap particularly sharply. It’s perhaps no surprise then that nearly a quarter of NHS trusts don’t employ any cyber security staff at all – despite a government pledge to spend an extra £150 million on cyber security in the wake of the 2017 WannaCry attacks.
Sadly, the most powerful lessons are likely to be provided by the next major cyber security breach that the NHS suffers. If and when that happens, it will serve as a painful reminder that making big promises about cyber security is only any good if you have a plan – and a plan is only any good if you stick to it. The road to hell is, after all, paved with good intentions.
This case also highlights the difficulties of protecting public sector bodies from cyber crime. The nature and sheer amount of data they process make them targets, and any breaches they suffer are likely to be widely reported, as are any weaknesses or failings in their cyber security. Indeed, this very report from Redscan is likely to have criminals rubbing their hands in glee as they realise the NHS is still an easy target.
If the NHS is serious about protecting itself against cyber threats, it will have to do a whole lot more, a whole lot sooner, because it’s only a matter of time before it gets hit again.
Check out our cyber security awareness training, designed to make your people more responsive to potential threats.