It seems barely a week goes by without news of another major cyber attack that compromises customer data or leaves businesses' systems exposed. But despite the continued warnings and the increasing threat of severe financial penalties for organisations that fail to adequately protect their data, the number of incidents shows no sign of slowing down.
While awareness of such risks is generally reported to be strong, many organisations are still not implementing the basic defences that would protect them. Whether it is failing to patch software to the latest versions or continuing to use poor password practices that are easy for attackers to exploit, the same issues continue to plague businesses large and small.
Even when an incident does occur, many companies fail to take the steps necessary to close the vulnerabilities that were exploited.
Failing to learn lessons?
One of the most high-profile security incidents of recent times is undoubtedly the WannaCry ransomware attack of 2017. It affected organisations around the world, but businesses in the UK were particularly hard hit, with much of the coverage focusing on the difficulties faced by the NHS. Around a third of trusts were caught up in the incident, which led to some 19,000 cancelled appointments and is estimated to have cost the NHS around £92 million.
You might imagine, therefore, that trusts would have prioritised improving their cyber security to ensure such an incident could not happen again. Yet new figures obtained through Freedom of Information (FoI) requests by security company Redscan suggest this is not the case.
In fact, the data revealed an "alarming" lack of cyber security skills, with an average of just one qualified member of staff for every 2,628 employees across the NHS as a whole. Some large trusts with up to 16,000 employees have no staff holding a formal security qualification at all.
A lack of funds may be one contributing factor. Redscan's FoI requests found that expenditure on cyber defences varies widely between trusts: some spend upwards of £33,000, while for others the figure is less than £500.
What's holding organisations back?
Beyond budgetary constraints, there are many reasons why companies do not invest adequately in cyber security defences. A lack of understanding of the severity of the problem is one common issue; another is the erroneous belief that a firm is at low risk because its data or systems would be of no value to attackers.
That excuse does not apply to organisations such as the NHS. The Telegraph reports that security experts have warned that healthcare providers are particularly valuable targets for cyber criminals because of the wide range of personal data they hold. Medical records are estimated to be worth more than ten times as much as credit card details on the dark web.
Another issue may be difficulty in attracting the right people. It has long been known that there is a serious shortage of skilled cyber security specialists around the world, with demand far outstripping supply. Therefore, many of the top talents can effectively name their price when looking for work, and this may mean all but the largest and best-resourced companies struggle to compete.
Mark Nicholls, director of cyber security at Redscan, suggested this is particularly challenging for public bodies such as the NHS. There are alternatives to competing for scarce external talent, such as increasing in-house training and upskilling existing staff, but this is another area in which many organisations appear to be falling short.
Mr Nicholls noted that in the last 12 months, NHS trusts have spent an average of £5,356 on cybersecurity and GDPR-related training. However, some spent as little as £250, while others invested nearly £80,000, with there appearing to be no link between the trust’s size and its expenditure on cybersecurity training.
What's more, only 12 per cent of NHS trusts have met their target of having 95 per cent of staff pass NHS Digital’s Information Governance training, even though this is free of charge.
This suggests that even in organisations where awareness of cyber security risks is high, actually taking the steps necessary to mitigate them is easier said than done. However, with the penalties for data breaches now so severe, both in terms of financial cost and reputational damage, there can be no excuse for not focusing closely on this area.