Neither Covid-19 nor cyber-criminals care who gets infected and suffers

I like Davey Winder’s writings, and I especially like the CV19 initiative…:

[…] There is not empathy, no community spirit, no moral compass by which such people navigate a global health crisis. All of which sadly makes the NHS a very attractive target right now, and which is why I was somewhat surprised to discover that NHSX, which is committed to driving forward the digital transformation of health and social care, has hit reverse as far as cybersecurity resilience checks are concerned.

NHS Trusts have been given an extra six months in which to submit their data security and protection toolkit (DSPT) self-assessment.

The NHS Digital announcement states that it’s “critically important that the NHS and social care remains resilient to cyber attacks during this period of COVID-19 response”.

The DSPT is one of the ways that trusts can be sure they are doing just that. While they can continue to submit before the extended deadline of September 30, they no longer have to.

It’s a difficult one, as I fully understand the stresses that all aspects of the NHS are under, including IT in all its guises.

I get that stretched resources need to be prioritised and that nothing can be allowed to impact negatively on the COVID-19 response effort. And therein, dear reader, lies the Shakespearean misquotation. A successful cyber attack, be that of the ransomware, Distributed Denial of Service (DDoS) or network infiltration type, will surely do just that.

The NHSX acknowledges that “the cyber security risk remains high,” and demands all organisations “continue to maintain their patching regimes”.

So, here’s the thing: with Trusts, CSUs and CCGs all having to continue to comply with the strict 48 hour and 14 day requirements relating to the acknowledgement of and mitigation for high severity alerts issued by NHS Digital, how does that play out in an already stressed and stretched IT environment?

Flicker of hope

Coronavirus, like the cyber criminals I have already mentioned, cares not who gets infected nor who suffers as a result. IT teams are likely going to be stretched even thinner in the coming days and weeks. I do, as it happens, have a solution and it comes in the shape of a group of cybersecurity volunteers known as CV19.

[…]

Original article here