Strengthening cyber security in the healthcare sector
Following the announcement that “The Department for Digital, Culture, Media and Sport (DCMS) has put up £500,000 to support small and medium sized businesses in the healthcare sector strengthen their cyber security”, Tracey Hannan-Jones (Security Sales Consultant at Phoenix) takes a look at what this means for you.
“We live in an interesting time, don’t we? In 2017, we saw WannaCry and the attack on our treasured NHS, which we dealt with and continued to fight the good fight. However, this global pandemic has seen the unscrupulous threat actors heighten their threats in an attempt to steal intellectual property and personally identifiable data. As we continue to keep our NHS services running, help in the race for a vaccine and, in doing so, cement the wealth and kudos of doing so, this is creating a new heightened landscape to steal research data.
The DCMS funding has been designed to support the costs for consultancy and certification for Cyber Essentials, which will ensure that smaller organisations can receive all necessary guidance and support to get accreditation.
The funds can be offset to look at your organisation’s cyber security risk posture and assist in the development and implementation of a business continuity plan. However, the funding available may only be enough to begin the processes.
Why Cyber Essentials?
There are two versions and they kick-start your journey into cyber security. The below diagram demonstrates risk maturity:
As you can see, over and above your entry point of keeping the lights on, the next step on the rung to fighting cyber criminals is Cyber Essentials, followed by Cyber Essentials Plus.
What’s the difference?
Cost, resource, requisites….
- Cyber Essentials [Basic] is a self-certification process – you supply answers to an IASME certified questionnaire (with evidence) and the application is marked by a certification body – Phoenix works with EvolveNorth. Our service additionally includes a pre-review prior to submission to ensure your submission is right first time and avoids rejection and the need to pay again.
- Cyber Essentials [PLUS] involves an external, independent vulnerability scan. This means that one of our certification bodies will visit your office and perform a test that is in line with the Cyber Essentials requirements. Every certification body will have the same test process. We work with you to ensure that the hidden ‘gotchas’ are known, for example, not patching a critical server within 14 days of a fix’s release can result in a CE Plus fail, and you have to start it all over again!
What does it cost?
Unlike Cyber Essentials, which starts at £300+VAT for self-assessment, Cyber Essentials Plus is priced differently and boils down to these 4 elements:
- Number of employees
- Number & configuration of workstations
- Number of offices
- Complexity of network
We’ve got ISO 27001, so I don’t need Cyber Essentials – do I?
Well, yes and no – it really depends on if your organisation is requesting that you have Cyber Essentials certification. While ISO 27001 (see above maturity risk diagram) is a more comprehensive and thorough certification across 114 controls (vs. Cyber Essentials five), Cyber Essentials is designed to ensure that the core elements of your security are in line with the NCSC’s standards – so having ISO 27001 does not guarantee compliance nor trump Cyber Essentials.