Not knowing where to start in tackling potential cyber security issues, the cost of putting effective solutions in place and lack of specialist expertise are all stopping health organisations taking the right steps to protect themselves. 

Threats to the NHS have come in various forms over recent years. Whether the threat is the devastating impact of Covid-19 or murmurs of privatisation, there is no doubt that this bastion of British identity is something everyone strives to preserve. However, one danger lurks in the shadows daily and, with the literal click of a button, could bring a health trust to its knees. That threat? A cyber attack.  

The resounding message from IT industry leaders, technology suppliers and managed service providers is that when it comes to cyber attacks, organisations need to move very quickly from a thought process of ‘if’ to ‘when’. 

Global research company Gartner’s latest assessment of cyber security trends states that within just three years 75 per cent of organisations will have faced one or more attacks. Therefore, it is imperative that if health boards are not 100 per cent certain they would be able to withstand an attack and guarantee that all critical data is protected from unauthorised access, they take action to address that fast. 

Steve Heneghan, Head of Cyber Security at Net Consulting Ltd, agrees with this but explains why it is not always that easy. 

Recognising the wider risk 

“The issue we find with organisations we’ve worked with is that they often don’t fully appreciate the scale of the risk, or just how wide their attack surface is. More often than not, they believe they’re quite well prepared, because they’re unaware just how many gaping holes exist in parts of the network they either hadn’t considered or didn’t know existed.”  

Steve adds that it is this surface level understanding of a network that can often be the greatest threat to a trust’s security posture, because it leads to a situation where many stones are left unturned. 

Dave Bloom, Solution Architect at security platform experts Armis, says health boards he has worked with are often astonished by just how many internet-connected devices exist on their networks. “A lot of organisations today are simply unaware of how many unmanaged devices they have on their network. If you ask a CISO [chief information security officer] ‘how many internet-connected devices do you have?’, they’ll quote you x number of laptops, x number of servers and this many CCTV cameras, but then you’ll ask ‘how many telephones do you have, how many door badge readers? What about the building management system – air conditioning, thermostats?’ and that’s before you even consider the situation with BYOD [bring your own devices].”  

Dave adds that it is this big unknown that contributes most to the risk, because if you do not know what is on your network, you will not know who is on your network either. 

He concludes by saying that in some cases it is the sheer scale of overcoming this challenge that prevents organisations from taking the necessary action. 

“More often than not, they believe they’re quite well prepared, because they’re unaware just how many gaping holes exist in parts of the network they either hadn’t considered or didn’t know existed” Steve Heneghan, Head of Cyber Security, Net Consulting Ltd 

Limited in-house security 

Dave and Steve are both alluding to the same thing; they agree that, like so many things in life, the greatest challenge is knowing where to start. Cyber security is a huge and complex area, with many varying aspects, and being able to truly get a grip on it requires time, focus, expertise and the right technology – things that IT departments across the land are frequently short of. 

Implementing, maturing or outsourcing security operations centres (SOCs) features prominently in Gartner’s Top security and risk trends, and the reason for this is two-fold. Firstly, it is due to just how sophisticated cyber attacks are becoming, and therefore, certain levels of experience and resources are needed to both prevent and remediate the threat. Secondly, security teams are realising that affective cyber defences now require an integrated approach. A lot of security teams are effectively built around security incident and event management (SIEM) systems. An SIEM system is a good starting point, but this will always be reliant on the quality of the data it is fed, as well as the skill levels of the operators analysing it. Such systems also only provide threat detection, not a threat response.  

These days, for security teams to effectively cover all angles, they need to also incorporate endpoint detection and response (EDR) tools, which help to detect ‘under-the-radar’ threats that evade traditional defences, and in some cases can provide an automated response, stopping the threat. Security teams should also complement all this with security orchestration and automation response (SOAR) tools, which are designed to help remove some of the burden on security analysts by orchestrating and automating response playbooks. These tools effectively act as additional members of the security team, but ones that can monitor more data than any human could and act instantaneously, should the need arise. 

Outsourcing specialist capability 

To introduce the technology required to carry this sort of detection and remediation, as well as the talent to effectively operate it, comes at enormous cost to most organisations. This is why there has been such an increase in outsourced SOC capabilities in recent years. 

“Organisations we work with, both within the NHS and in the private sector, are recognising that they need to invest in the right technology and resources to maintain a strong cyber security posture, but the cost of doing this in-house is becoming harder and harder (and in some cases outrightly impossible) to justify,” says Steve. 

This, coupled with the fact that they often do not even know where to start, is what is putting organisations at daily risk of attack, but it is also where expert support can help them best. 

By outsourcing their cyber security practice to a managed service provider such as Net Consulting, organisations are able to remove much of the day-to-day burden on their already stretched teams. They can benefit from state-of-the-art technology and highly qualified analysts, while at the same time focus their in-house talent where it really matters, whether that is on innovation projects that frequently find themselves on the ‘nice to have’ list, or on niche threat areas that require the in-house team’s full attention. 

Net Consulting has recently written a downloadable e-book highlighting the first steps to take and what to consider when strengthening your cyber security posture. The Net Consulting team can be contacted on (0)29 2097 2020.