It has been reported that four National Health Service trusts in England and Wales spent no money on specialist cyber-security training or expertise in the past year, according to new figures compiled by cyber-security company Redscan. The data revealed that on average, trusts employed just one qualified cyber-security professional for every 2,582 employees, and many are falling short of training targets.
Edgard Capdevielle, CEO at Nozomi Networks:
“Because attackers understand that humans offer the easiest route into organisations, cyber security awareness training should be treated as a necessity, not something which is optional.”
Sam Curry, Chief Security Officer at Cybereason:
“Most trustees try to optimise spend to save lives and security (and privacy) isn’t on their priority list. This should be, though, and they should be required to have cyber advisors on staff and to have both emergency contingency plans, an assessment of cyber posture and a target and plan to improve.
While spend isn’t strictly proportional to effectiveness when looking to improve a plan, it does matter. Quality may matter more than quantity, but many have neither quantity nor quality. This is a problem. Even with stretched budgets, there should be guidelines for assessing security maturity and standard percentage-of-IT spend guidelines. Trustees should have to justify not meeting these minimum criteria and quality rather than quantity can be addressed later. First get the spend up, then worry about optimizing. The potential also exists to pool resources and to use third parties for efficiency and critical mass as other private sector industries (such as insurance and banking) have done or to work with other parts of the government.”