September 4, 2024 Assessing cyber risks
In September 2024 the National Data Guardian and NHS England jointly announced a shake-up of the way cyber assessments are carried out across health services. The decision to transition from the existing model to the National Cyber Security Centre's Cyber Assessment Framework (CAF) was taken in the light of a rapidly changing landscape of technology and cyber threats, which the two bodies felt required the more advanced approach the CAF provides.
The CAF is not restricted to health organisations; any organisation can use it. So what are the benefits of this assessment tool? Perhaps most importantly, the framework is built around a flexible, outcomes-based approach: it specifies the outcomes an organisation must achieve, not the controls it must deploy, so organisations can apply the information governance and cyber security measures that best fit their business. As the National Cyber Security Centre (NCSC) puts it: "Organisations understand their own business better than any external entity, and should be capable of taking informed, balanced decisions about how they achieve the outcomes specified by the principles."
This outcomes-led approach also moves organisations away from a tick-box 'pass or fail' mentality and towards a suite of measures that are genuinely effective against the threats they face. Because the framework prescribes outcomes rather than specific controls, organisations can also adapt their defences quickly as new threats emerge, without waiting for the framework itself to be revised.
The Cyber Assessment Framework is organised around four top-level objectives: managing security risk, protecting against cyber attack, detecting cyber security events, and minimising the impact of cyber security incidents. Each objective is supported by a number of principles, and each principle is broken down into contributing outcomes that explain what the principle means in practice, what factors should be considered in achieving it, and what indicators show that it has been achieved.
For example, one of the principles under the first objective, managing security risk, is governance, which the framework defines as: "Putting in place the policies, processes and procedures which govern your organisation's approach to the security of network and information systems." This principle is then broken down into contributing outcomes covering board direction, roles and responsibilities, and decision-making.
Cyber threats should not be taken lightly. The National Crime Agency (NCA) reports that worldwide ransomware incidents doubled in 2023 compared with the previous year. Adding in other cyber crimes such as phishing, distributed denial of service, malicious e-mails, and data breaches, some 24,000 cyber-dependent crimes were reported to Action Fraud in the UK in 2023. And although not all cyber crime is reported, the NCA's estimate that some 22% of UK businesses were affected by cyber crime last year should give every organisation pause for thought.