25% of NHS trusts have zero staff who are versed in security
A quarter of NHS trusts in the UK responding to a Freedom of Information request have no staff with security qualifications, despite some employing up to 16,000 people.
On average, trusts employ one qualified security professional for every 2,582 employees, according to Freedom of Information requests submitted by penetration testing firm Redscan.
Trusts were asked about their cyber, information and data security spending and training, with 159 responding to at least one question.
It found that nearly one in four – 24 of the 108 who responded to this question – had no employees with security qualifications.
However, several of the NHS trusts were reported to have said they had staffers in the process of gaining relevant security qualifications.
This might suggest they recognise the importance of training, or that they struggled to recruit people with the qualifications – or perhaps that they were aware of how the numbers would look amid concerns about NHS security.
Most prominent among these is the 2017 WannaCry malware outbreak – which hit one in three English NHS Trusts and cost the National Health Service £92m, but this is far from the only cyber attack NHS systems face. Meanwhile, there are reports about small-scale data breaches that still affect patients, and about clunky tech in need of updating.
Redscan also asked about training for data security and information governance in the past 12 months, finding that trusts spent an average of £5,356 on data security training, with figures ranging from £238 to £78,000.
This broad variation wasn't related to the size of the trust: mid-sized groups with 3,000 to 4,000 employees spent between £500 and £33,000.
Redscan added that "a significant proportion" had spent nothing on specialist training – but a lot of in-house training does not cost the trusts anything, and they can also rely on free tools from NHS Digital.
This includes free information governance training, which NHS Digital recommends that 95 per cent of all staff should have passed every 12 months.
The FoI found that only 12 per cent of trusts had met this target, but most were not far off, having trained between 80 and 95 per cent of their staff. A quarter said fewer than 80 per cent had completed the training.
However, Mark Nicholls, Redscan director of cybersecurity, said that information governance training was just one part in the information and security picture.
"People remain the weakest link in the cyber security chain," he said. "Despite IG training raising awareness of security risks and common pitfalls, you can never fully mitigate the risks of employees making mistakes or falling for social engineering scams."
More broadly, Nicholls said that, despite getting some extra cash from government for cybersecurity in the aftermath of WannaCry, NHS trusts are still under extreme financial pressure.
This will not only make it harder for the NHS to recruit staff as they struggle to compete with "the private sector's bumper wages", but also put pressure elsewhere in the system.
"No doubt resources are being strained further still if you assume that staff with security qualifications are part of IT teams responsible for far more than just cyber security," he said.
Industry: Cyber Security News
- Senior Cyber Risk Consultant, UK - Remote first- Exclusive
- United Kingdom
- Depended on experience.
Cyber Security Risk Consultant to join specialist, people first security consultancy. WARNING if you want a large, slow moving, high politics, high travel security consultancy that demands their a pound of flesh this is NOT for you. Client focused opportunity. Prior consulting experience is essential within Cyber Security. Experience working with businesses to identity and make recommendations to mitigate cyber risk. Some of the nice to have certifications. CRISC, ISO27001 Lead implementer, CISA, CISM, CISSP UK based - remote first mentality. (With some travel) Training budget Unlimited holiday Looking to interview immediately Unable to offer sponsorship.
- identity access Management Consutlant
- Upto £80,000 plus benefits
An Identity & Access Management Consultant is needed for an expanding business based in the United Kingdom. (Remote role with monthly office meet ups) The Identity & Access Management Consultant will be responsible for the technical design and implementation of Identity & Access Management/IAM products for a wide variety of clients. Deliver bespoke end-to-end consultancy service to our clients, from gathering requirements through to implementation. Work in a close team designing, developing, and implementing first-class IAM solutions. Manage client relationships, working closely with key stakeholders to continually evaluate business requirements and ensure the highest quality solution delivery. If you are interested we are looking for an individual with Previous experience working within the IAM or CIAM field is essential, Strong knowledge with SAML and Oauth and ideally OpenID Previous experience from any of these technologies: One Identity, SailPoint, Saviynt, Ubisecure, Ping Identity, would be advantageous
- 17'5 NOT 4 7R4P | Pen testing Lead 100k++
Lead Penetration tester wanted please. - This is however a Master level as appose to padawan. 1. 100k+ for the skilled individual. 2. Research / training time 3. Hybrid role- 3 days at home 2 in the office with the team in London. (11am - 16:00) 4. Exclusive opportunity. So yours to hear about if you are quick. Infrastructure and Web application / red teaming pen testing experience Someone that can scope, deliver and speak to clients.
- It's Pen Testing, The good, the bad and the ugly
- United Kingdom
A new lead Pen Testing opportunity, AND slightly different from the usual you may see. The good, the bad and the ugly… Lalalalala la laa laaaa The GOOD 1. £90-110k for the skilled individual. 2. Research / training time 3. Hybrid role- 3 days at home 2 in the office with the team in London. (11am - 16:00) 4. Exclusive opportunity. So yours to hear about if you are quick. The bad 1. You have to apply or email me so we can speak. 2. 17'5 NOT 4 7R4P or click bait The ugly 1. It’s only ugly if you don’t reply and someone else you know gets it. Infrastructure and Web application / red teaming pen testing experience Someone that can scope, deliver and speak to clients. Apply today for more information.