NHS Reduces Cyber-Skills Shortages but Breach Problems Remain
The NHS appears to have narrowed the cybersecurity skills gap slightly over the past two years, although breaches remain a serious challenge, according to the latest data from Redscan.
The managed security service provider published an analysis of Freedom of Information (FOI) requests sent to the health service last year and compared it to information gathered in 2018.
On average, trusts now have nearly twice as many employees with professional IT security qualifications: the figure was 1.9 per trust in 2018 and rose to 2.8 in 2020.
The number of trusts with no qualified security staff has also fallen, from 23% in 2018 to 15% last year.
However, there are still major disparities in resourcing from trust to trust, and skill levels may also be lacking, according to Redscan CTO, Mark Nicholls.
“Trusts now employ more qualified security professionals than ever but due to the global security skills shortage, many still lack the wide range of expertise they need to protect critical infrastructure against the latest threats,” he told Infosecurity.
“It’s easy to assume that trusts of a similar size would have similar security strategies and budgets. However, it’s clear that they operate in very different ways when it comes to security. Some trusts employ many qualified professionals. Others have none and, in some cases, may choose to outsource all of their security functions.”
Alongside the positive news on skills, the headline stats on breaches seem to show improvement over the past two years.
On average, NHS trusts reported two breaches to the Information Commissioner’s Office (ICO) in 2020, down from 2.5 in 2019. However, over two-thirds reported the same number or more incidents in 2020 than in 2019, with only 30% of trusts reporting fewer breaches.
These incidents included third party cyber-attacks and insider negligence and mistakes.
“It would be too simplistic for us to suggest that more cyber-professionals equals fewer breaches. It’s imperative to have the right people in place, but a strong security posture relies on people, processes and technology,” argued Nicholls.
“Arguably, where qualified security pros make the biggest difference is in terms of their heightened understanding of the threat landscape and how to get the best from the latest technologies. Regular professional training helps IT and security teams to keep their security skills and knowledge honed, which is essential considering the types of threats that organizations within the NHS face every day.”