Employees are often labelled as being the weak link in the security defensive cybersecurity chain. But our expert columnist Davey Winder argues that, far from being the problem, the insider is actually part of the solution.

Saif Abed, a founding partner at cybersecurity consultants AbedGraham Healthcare Strategies, recently conducted a poll on Twitter which posed the question: “Who/what do you think is the biggest vulnerability for a hospital – staff or IT suppliers?”

OK, so I know that a Twitter poll is hardly the most statistically valid method of dipping your toe into the public opinion waters, but given Abed has that rare follower demographic that is a mix of health and information security professionals, I thought it worth reporting.

A staggering 79% of those talking part said staff. “People still overwhelmingly think people are the weakest link when it comes to cybersecurity,” Abed reflects. “We have to keep pushing to change perceptions to show that people can be the strongest link.”

I’m now going to toss another bit of research into the debate fire, this time the rather statistically acceptable 2019 Data Breach Investigations Report from Verizon. Interestingly, this found that healthcare is the only industry sector that maintains a record of more insider (60%) than external (42%) cyber attacks.

This would appear to back up the ‘staff are to blame’ rhetoric. But I’m not convinced that is actually so.

OK, so let me start my counterargument by defining what an insider threat is, and importantly what it is not. The broadly accepted definition of insider threat revolves around malicious acts against an enterprise, committed by someone inside that enterprise.

Putting the emphasis on malicious

I have absolutely no problem with that, as long as the emphasis is on ‘malicious’: a disgruntled employee seeking some form of revenge, a cash-strapped employee offered easy money in exchange for data (or a login that leads to it), even at the extremes a nation-state sponsored infiltration of the organisation to exfiltrate data or destabilise an economic sector.

I envisage that many readers are muttering something about not being ridiculous at that last example. But it is equally ridiculous, is it not, to include an employee who is conned into handing over data, or loses a laptop/mobile containing sensitive data, or even disposes of records in an insecure manner in that definition of an insider threat? The latter examples are ones of accidental or unintentional loss and not as a consequence of malicious intent.

The threat is not the insider, but rather the lack of security and privacy awareness of the employee. And that reaches much higher up the organisational ladder. It goes up to the board that oversees the implementation of security policy. It goes beyond to government bodies that determine budgets to enable, or not, proper training to achieve that security policy implementation in a way that can be described as effective.

The human firewall

I would argue the NHS is fundamentally no different to any enterprise when it comes to turning staff into another security layer. This is the human firewall concept that pops up every now and again: deploying proven security awareness training methodologies alongside clearly defined security parameters and responsibilities will reduce the level of careless mistakes, as well as making life harder for truly malicious insiders.

Jenny Radcliffe knows more about social engineering – the practice of manipulating humans rather than machines in order to gain access to data – than most experts have forgotten. Perhaps best known by the ‘people hacker’ epithet, she is the founder of Human Factor Security and a renowned public speaker on the subject. Who better, then, to approach for some common sense on the insider threat within the NHS?

“Large and complex organisations will always be at risk from human based threats, and this makes the NHS particularly vulnerable due to its size, structure and reach.”

Radcliffe told me “it is often far easier to use people as the access key, than attempting to hack systems and technology.” She accepts that hardening security by training or operational controls “will always be extremely challenging for such a disparate and devolved entity” as the NHS, but argues that it is nonetheless “vital if there is to be any attempt to try and mitigate the risk from the thousands of individuals that make up the human side of the operation on a national basis”.

Focus, attention and persistance

During our conversation, Radcliffe was keen to emphasise that the awareness of human risk, and therefore ongoing employee education, are key here. She was also the first to admit that “implementing an effective education programme requires focus, attention and persistence, as well as local adaptation and cultural elements, which are difficult to define and challenging to implement in an effective way, in even a small and simple target organisation”.

Technical controls present their own difficulties in maintenance and roll out, no doubt, but Radcliffe says they are still far easier to introduce and maintain than the significant challenge of addressing the mindset and behaviour of the huge and diverse body of people who make up the human element of the NHS.

“Fundamentally though, without doing this effectively and purposefully on an ongoing basis, [the NHS] is, and will remain, acutely and undeniably open to both specific and more general human facilitated attacks,” Radcliffe concludes, “with the potential to cause significant and widespread harm”.

That more than 100 NHS boards have completed their GCHQ accredited cybersecurity training some two years on from the WannaCry attack is, frankly, not good enough. Not just because – as I’m already on the record as saying – I believe the NHS Digital target for mandatory staff information governance training isn’t being taken seriously enough.

But also because it won’t, in my never humble opinion, instil the culture of security awareness that needs to happen if real change for the better is to be achieved across the NHS.

If they are properly trained, adequately motivated, rewarded for getting things right instead of chastised for mistakes that can be traced way back up the management food chain, then NHS staff can become a layer of insider strength rather than threat. This has to start somewhere, sometime: how about it starts right here, in your NHS trust and right now?