The NHS is now more digitally dependent than it has ever been, and increasing your cyber security maturity is therefore essential. Both the NCSC (National Cyber Security Centre) and NHS England's (formerly NHS Digital) own Cyber Security Operations Centre (CSOC) are reporting an increasing number of attacks targeting NHS organisations.
Understanding that threat exposure can swing from low to high within a 24-hour period, and that it’s possible to achieve cyber security compliance whilst still being poorly secured, is key to understanding cyber security risk management.
It's important to note that no organisation can ever be fully 'secure', and exposure levels move constantly on a fluctuating scale. Cyber security should not be viewed as a journey with a destination. Instead, the aim should be measured, continuous improvement, whether administrative, physical or technical, using embedded, repeatable processes and frameworks.
Managing vulnerabilities
Cyber security should be seen as an investment rather than a cost. One of the biggest internal challenges is showing 'value' for cyber security improvements, which can make sustaining progress difficult. Organisations should understand that if a control or improvement is not implemented, the inherent risk linked to the threat will continue to grow and the likelihood of a cyber incident increases exponentially as time passes. However, implementing the remediation may not produce any tangible return other than the removal or reduction of a risk on the risk register.
For example, the current firewalls may produce five alerts per day, which the analyst can manage and remediate. A new firewall may produce fifty alerts per day: the analyst can no longer manage the alert volume, spends less time looking at each alert, and the number of unresolved alerts increases. This may also result in a request from the information technology team for further resource to deal with the additional alerts.
Whether the organisation is now in a better or worse position in relation to cyber security is something most organisations struggle to quantify.
From assessment to strategy
Cyber security is not simply about preventing malware and recruiting more cyber analysts; it is about culture, strategy and day-to-day business processes which have cyber security embedded at their core to prevent large-scale cyber incidents. Well-implemented cyber security should improve efficiency and be almost invisible.
Start with an assessment to understand where you currently are on your cyber security journey, and your overall level of maturity. The outcome of the assessment should provide a good understanding of the following areas.
Key areas:
- Patch Management and Anti-Virus
- Firewalls and Networks
- Identity and Access Management
- Asset and Configuration Management
- Information Classification and Protection
- Monitor, Alert, and Incident Response
- Risk Management and Governance
- Business Continuity
This assessment will provide an executive-level vCISO report giving a holistic overview of your organisation against 13 key areas. It will rate each area on a scale from "Unprepared-Initial" to "Anticipatory-Optimised", giving strategic insight and recommendations to ensure a maximum return on investment and alignment to key central drivers and best practice.
The report will:
- Provide senior stakeholders with the information they require to make informed, risk-based decisions.
- Provide guidance on getting the most out of current toolsets.
- Inform you whether your cyber security improvements are isolated to the cyber, governance and IT teams.
- Provide a clear strategy which informs the entire organisation.
Good cyber security is a fundamental element of patient care which must be considered in the same way as any other business or clinical risk.
To find out more about how to assess your cyber security set-up, contact Cloud21. We don't just understand cyber security, we understand NHS cyber security.