IFSEC Insider, formerly IFSEC Global, is the leading online community and news platform for security and fire safety professionals.
July 5, 2011

NHS data security issues “highlight need for regular IT audits”

According to Ray Bryant, CTO of Idappcom, with something approaching 3% of the UK’s adult population now employed by the National Health Service, logic suggests that a sizeable number of these employees will – for one reason or another – be unlikely to fully take on board the reasons why IT security needs to be addressed in everything they do.

“Most NHS staff – who do an excellent job by the way – understand they should not discuss patients outside of work, and also not compromise patients’ personal information in any shape or form, but it’s a long way between securing a buff folder in a hospital environment to understanding why data held on a USB stick needs to be secure,” explained Bryant.

“This is what IT security professionals call stakeholder buy-in – a fundamental understanding of why security rules are in place, and that staff need to do everything possible to maintain the integrity of those rules,” he added.

Bryant went on to state that, in an ideal world, every member of staff in the NHS – and any other organisation for that matter – would understand why security is needed, and defend their organisation’s data integrity at all times.

However, in the real world people go out of an evening, sometimes stay out late and, after feeling tired the next day, make a mistake with a USB stick, smartphone or laptop. This is the point at which good IT security defences really come into their own.

These defences, suggested Bryant, step in and do the electronic equivalent of asking the person: ‘Do you really want/need to do this?’ or even simply block the member of staff from performing what appears to be a silly or misinformed action.

In order to complete these actions effectively, Bryant believes that IT security regimes need to be pervasive. As such, their efficiency and overall ability to protect data at all times need to be reviewed and verified on an ongoing basis.

IT security: now a multi-faceted problem

IT security has become a multi-faceted problem. The people who want access to systems, data or money have learned to probe any weakness, whether that be social engineering or just gathering information that allows entry, careless conversations, insecure mobile storage or access to central systems.

Let’s not forget, either, the more common access through hacking techniques.

Reports of USBs being dropped in car parks, laptops left on trains and e-mails opened with ‘backdoors’ in them make for news headlines. There’s no doubt the human element in all this has been somewhat sensational, but we must never forget that these incidents are small in number compared to the millions of attempted hacks via intrusion from outside to inside networks.

“Budgets are hard pressed,” said Bryant. “Never let your efforts be distracted by what is in the news when a few pounds spent on enhancing your defences can dramatically improve your mitigation capability at the network perimeter (IPS/IDS/Firewall).”

There is a major difference between creating a security culture and making real technical improvement to defences. Both are essential, but the process of developing policies, culture and then training thousands of staff is an expensive and long process.

Improving intrusion detection at the point of connection to the outside world is available now, can be virtually immediate and has very little cost involved.

“This is why IT security professionals like to undertake regular security audits and efficiency tests,” outlined Bryant. “It’s not for their own good, or because they like doing them. It’s because they are a must-have in today’s IT-pervasive workplace.”

Regular checks and audits

Bryant continued: “With the NHS employing around 1.3 million members of staff in one shape or another, the IT security systems that defend private and personal data at all times need checking and auditing on a regular basis. This is why we think that the ICO needs to mandate the various NHS bodies to go much further on their IT security audits than they do at present.”

In Bryant’s view, if this doesn’t take place then “the NHS security faux pas” will continue.

“Not because the IT security defences are inadequate,” said Bryant, “but because of the sheer volume of data that’s handled on a day-to-day basis.”

For details of the ICO’s recent comments on (and engagement with) NHS data security issues, access the dedicated link below.
