It has been reported that four National Health Service trusts in England and Wales spent no money on specialist cyber-security training or expertise in the past year, according to new figures compiled by cyber-security company Redscan. The data revealed that on average, trusts employed just one qualified cyber-security professional for every 2,582 employees, and many are failing short of training targets.
Edgard Capdevielle, CEO at Nozomi Networks:
“Research has repeatedly shown that people are often the weakest link when it comes to cyber security. We are also seeing a number of security incidents where cyber criminals are targeting employees within critical infrastructure organisations with phishing emails in order to gain deeper access to systems. So teaching staff how to handle these emails is key to defending against them.
Because Attackers understand that humans offer the easiest route into organisations, cyber security awareness training should be treated as a necessity, not something which is optional.”
Sam Curry, Chief Security Officer at Cybereason:
“This is a wakeup call that we are all digitally connected and can’t ignore it. Much as we might like to pretend we can spend our budgets in a pre-digital age manner, we can’t; and security is a small tax to spend for all the benefits that the digital age with clouds, big data, machine learning and global connectivity bring for improving the health of Britain. Britons deserve health and privacy and security and no less.
Most trustees try to optimise spend to save lives and security (and privacy) isn’t on their priority list. This should be, though, and they should be required to have cyber advisors on staff and to have both emergency contingency plans, an assessment of cyber posture and a target and plan to improve.
While spend isn’t strictly proportional to effectiveness when looking to improve a plan, it does matter. Quality may matter more than quantity, but many have neither quantity nor quality. This is a problem. Even with stretched budgets, there should be guidelines for assessing security maturity and standard percentage-of-IT spend guidelines. Trustees should have to justify not meeting these minimum criteria and quality rather than quantity can be addressed later. First get the spend up, then worry about optimizing. The potential also exists to pool resources and to use third parties for efficiency and critical mass as other private sector industries (such as insurance and banking) have done or to work with other parts of the government.”