Cyber threats are menacing the NHS, which needs to invest heavily to keep our health system and patient records safe from cyber-criminals. Phishing is the cyber crime that many employees have the most trouble identifying. And because your staff represent one of your greatest cyber vulnerabilities, HR departments are being highlighted as a great place to start really getting to grips with better corporate cyber security. Here's the news.
The NHS faces an increased threat from cyber attack
Apparently a combination of out-of-date legacy computer systems, a chronic lack of investment, and a marked lack of skills and awareness means NHS hospitals all over the nation are at a high level of risk. As widely reported recently, the NHS has been warned that without new investment, our health system and patient records face an increased threat of cyber attack. So say researchers from Imperial College London’s Institute of Global Health Innovation, which has presented a damning report to the House of Lords.
2017 saw the NHS hit by the WannaCry cyber attack, which affected 81 of our 236 NHS Trusts. 603 more primary care and other NHS organisations were hit, too. While the attack was fairly simple and unsophisticated, it could easily have been prevented if the NHS had only patched their Windows operating systems and managed their firewalls better. And that's truly shocking because both things are the very opposite of rocket science. They're about as easy, obvious and essential as it gets.
The National Audit Office investigated WannaCry and revealed a shocking lack of insight and 'controls' by the Department of Health. At the same time many NHS Trusts were found to be either 'unwilling or unable' to respond to central cyber security guidance and support.
It matters because a cyber attack or data breach of a hospital computer system can mean medical staff cannot access essential details about patients, so can't offer the right care. It can also stop life-saving medical equipment from working properly, which is obviously very risky indeed.
The team behind the report says while there are some decent existing measures in place across the health system, “more investment is urgently needed”, especially with so much 'smart' networked tech being introduced into hospitals, much of which doesn't have cyber security built in.
The recommendations include employing proper cyber security professionals in NHS IT departments, creating special fire-breaks in systems to isolate segments of critical data, and putting in place clear communication systems so people know where to get help and advice... none of which is particularly tricky.
Low-hanging fruit - tackle phishing for a fast corporate cyber security win
Do you need loads of complex equipment and software to combat cyber risk in your company? As it turns out, employee education is the most powerful initiative of all. SC Magazine says a new analysis of employees' cyber knowledge has found yawning gaps in the basic insight needed to stay safe from cyber attacks. Apparently last year users struggled the most to identify phishing threats, and also had issues with protecting data throughout its lifecycle. Employees also had trouble understanding how to protect mobile devices, including mobile device encryption and the protection of personal data, and struggled to understand the risks behind social engineering.
The report comes from Proofpoint and includes data taken from a whopping 130 million answers to questions posed by assessments into corporate cybersecurity and security awareness, collected between January 2018 and February 2019.
As far as sectors go, education and transport suffered the worst scores and financial services industries the best. The end users who fared worst of all were those working in commercial departments: business operations, business development, contract management and customer management. Oddly enough, security departments themselves also struggled, giving the next highest percentage of wrong answers across every category.
It looks a lot like giving employees the knowledge they need to recognise and deal with phishing and other cyber attacks could be a relatively simple way to protect a business. In the words of Amy Baker, VP of security awareness training strategy and development at Proofpoint, “Educating employees about cybersecurity best practices is the best way to empower users to understand how to protect theirs and their employers’ data, making end users a strong last line of defence against cyber attackers."
How your HR department can play a vital role in cyber secure systems
People are at the heart of this story, too. Personnel Today highlights how HR can minimise cyber threats, simply because employees represent such a high online security risk.
Their claim is set against a background where security breaches are becoming more targeted and more expensive to fix. The government’s own 2019 survey into cyber breaches reveals 32% of those quizzed had suffered an attack or breach in the last 12 months, at an average cost of £4,180.
The trouble is that while businesses improve their cyber defences with ever-more sophisticated tech, attackers are changing tack and going after softer targets, in other words individuals. Human error is an enormous problem in digital security: phishing attacks affected 80% of respondents, and 28% fell foul of someone impersonating an organisation, a threat that now outnumbers viruses, spyware and malware attacks.
No wonder cyber security is a company-wide challenge these days, and no wonder HR's role is set to become even more vital. HR professionals can play a key role in minimising attacks through a combination of continual training, staff awareness, updated skills and strong policies. In short, HR departments must ensure employees’ skills are relevant to the new threats we face every day. If you run an HR department or are an HR pro, here are some essential actions to take:
Work closely with your IT people
Make sure you understand the basics of the threats yourself
Put the right policies, processes and procedures in place
Make sure everyone takes the government's Cyber Essentials qualification – we can help with that
Need a security audit, or help getting Cyber Essentials qualified? Talk to us and find out how we'll help you get properly cyber-secure. You'll find us a pleasure to work with.