Jonathan Lee, UK director of Public Sector Relations at Sophos, writes how better communication between IT ranks and a single view of threat data could help avoid risk-awareness gaps in public healthcare
There is a disconnect between public sector IT leaders and their frontline IT teams when it comes to how many cybersecurity incidents and breaches affected their organisation over the last year. The leaders believe there were many more than before, while the frontline professionals say there were just a few more. The gap between these two opinions matters because different perspectives on risk can directly affect security behaviour.
As the public sector – including healthcare – embraces new technology and digital transformation, introducing online and connected systems, mobile applications, data sharing networks, and more, IT security has become more important than ever. However, despite the fact that they handle highly sensitive, confidential and personal information, more than half (55%) of public sector IT leaders believe the data they are responsible for has less value than private sector information, according to the latest independent research from Sophos.
Just under a third (31%) of all IT respondents in the NHS share this view. This could mean that information security is not prioritised to the extent it should be, even though 61% of the NHS IT staff surveyed believe the IT security threat level facing their organisation is growing.
This is compounded by a disparity between IT leaders and frontline IT staff when it comes to the cyberthreats affecting their organisation over the past 12 months. According to the research, which surveyed 780 UK public sector IT professionals, the majority of senior IT leaders (76%) said their organisation had been affected by a ransomware incident over the past year – while only 16% of IT practitioners were aware of such an incident.
When it comes to cyberthreats in general, just under half of public sector IT leaders believe the year had seen a large increase in both IT security incidents (45%) and actual breaches (38%) – compared to a far lower 4% and 8% respectively among IT practitioners.
So where does this leave public sector – and NHS – IT security? On the one hand, these results could mean that IT staff on the frontline are underestimating the level of security threat, and therefore not preparing or responding accordingly. This could leave systems, networks and data vulnerable to spear-phishing, identity theft, network breaches, or extortion attacks from hackers or nefarious individuals and organisations.
On the other hand, it could mean that more senior staff are the ones with an inaccurate picture of the actual situation and this could potentially lead to a security focus on the wrong areas.
Regardless of the reasons for the disconnect between senior IT staff and frontline IT teams, what really matters is that everyone has the same, correct view of security incidents and impact – and acts accordingly. Better communications, more effective knowledge sharing and clearly defined processes are all essential to addressing this – as is an advanced, multi-layer security solution that delivers clear and unambiguous data on the threats detected and blocked.
Simplicity in cybersecurity is particularly important in the NHS because the research also showed that, in percentage terms, healthcare IT professionals carry a heavier security burden compared to other parts of the public sector – based on the number of individual computer users a single security professional has to support. Further, the NHS appears to have the highest cybersecurity skills shortage. The challenge of recruiting and retaining IT security professionals was cited by 34% of NHS IT staff as the single biggest obstacle to delivering IT security – with only central government rating it more highly (36%).
Looking to the future, the research found that IT professionals at all levels across the NHS worry about the security implications of an increase in remote and flexible working (a top concern for 38% of respondents), the security skills of all employees (37%), and the risk of targeted ransomware attacks (35%). These are all important areas, worthy of attention.
Meeting the cybersecurity needs of a digital NHS is about having the right security strategy and protection technologies in place, implemented and managed by skilled, integrated professional teams that have a clear picture of what is happening. The NHS does an incredible job keeping the nation safe and well; it is vital that this work is adequately protected.