Date: 2024-11-20

Healthcare organisations see employees as weak link in cyber defences; workers admit they are disengaged in training

November 2024 by e2e-assure

New research by Threat Detection & Response provider, e2e-assure, reveals that the majority (76%) of cyber risk owners in Healthcare think that most cyber attacks come through a lack of employee diligence and over a quarter (28%) of Healthcare employees admit they are currently disengaged in the training offered by their company.

This comes as the majority (72%) of Healthcare organisations said they are concerned about the rise of new technologies such as AI and the threat it could pose to their organisation. 86% of cyber risk owners in Healthcare say they’ve worked at an organisation that has experienced a cyber attack, up from 77% last year.

Comparing this year’s findings to e2e-assure’s 2023 research, cyber risk owners in Healthcare say resilience is now at the top of their agenda (49%), up from 36% last year, but the findings reveal AI could be about to unravel the years of hard work already spent building it.

While 88% of Healthcare cyber risk owners are confident in their AI policies, 50% of Healthcare workers are either unsure as to whether their organisation even has AI policies in place (32%) or are unaware of what they are (18%).

With 41% of Healthcare workers using ChatGPT or Copilot at least once per week, and 41% saying they have personally been a victim of a cyber attack at work, the apparent disconnect around knowledge of AI policies goes some way to explaining why.

Given that employees are often the first line of defence against cyber criminals, education and training are integral for Healthcare teams in mitigating the potential impact of breaches, but the research reveals a worrying lack of engagement in the training provided. More than half (52%) of workers said they are only ‘somewhat engaged’ and over a quarter (28%) are ‘not engaged’ at all.

It’s no surprise then, that 76% of cyber risk owners in Healthcare agree most attacks are due to lack of employee diligence.

This news comes as the UK Healthcare sector has faced an onslaught of cyber attacks over the course of the last 12 months, including the ransomware attack on pathology supplier, Synnovis, which led to the cancellation and postponement of thousands of operations across London hospitals.

When Healthcare employees were asked about the consequences of falling for a cyber attack, 27% said they receive training and a disciplinary if they cause another breach and a quarter (25%) said they are required to just attend training. However, nearly a third (32%) of Healthcare employees don’t actually know what the associated consequences would be if they caused a cyber breach, further calling into question the efficacy of training provided.

Furthermore, the data showed that Healthcare employees are not receiving the style of training that resonates with them. Employees in this sector are less likely to receive real-life scenario training (38%), despite a huge majority (82%) of workers stating they would be more engaged if they did.

Rob Demain, Founder and CEO at e2e-assure, said:

“Our research paints a picture of a sector under immense pressure as cyber attackers advance their threat tactics and open AI tooling gradually cements its way into everyday operations.

“This sector’s reactive approach to cyber defence and employee training is serving to disengage employees and increase cyber risk. To achieve the resilience cyber risk owners desire, a proactive approach to cyber security must instead be taken and training tailored to employee needs.”

The findings show it’s vital for cyber risk owners to start looking at their resilience picture from the ground up, with four key recommendations emerging:

1. Tailor training to engage employees

2. Create a security awareness culture

3. Use automation to reduce human error

4. Have the right provider in place