How prepared to manage threats are chief information security officers (CISOs) and others responsible for data security in business organizations across the United States and the United Kingdom? If the results of a new survey are to be believed, not really all that prepared.
As Healthcare Informatics Associate Editor Heather Landi reported yesterday, the results of a recent survey on the subject have just been released, and they are cause for concern. As Landi reported, “A recent survey of IT information security decision makers found that 68 percent of respondents have, at best, only modest confidence in their ability to manage digital threats, and a quarter of healthcare information security decision makers cited little to no confidence in their ability to assess digital risks. RiskIQ, a San Francisco-based digital threat management solutions company, released new independent research on the state of digital defense, with the predominant finding being organizations believe their digital transformation efforts have outpaced security capacity. The survey, called the ‘2017 State of Enterprise Digital Defense Report,’ includes a range of industries, including healthcare and pharmaceutical, as well as financial services, banking, technology, retail, manufacturing, publishing and media, entertainment and hospitality, and consumer goods.”
As our news article noted, “The research, conducted by IDG Connect, a Framingham, Mass.-based research company, examines the current landscape of digital threats and the maturity of defenses to protect an organization’s digital presence. The findings quantify the security management gap and business impact of external web, social, and mobile threats. Survey respondents included 465 IT information security decision makers in organizations with more than 1,000 employees in the U.S. and U.K.” Further, in conducting the survey, RiskIQ researchers wanted to get IT security leaders’ perspectives on the challenges facing all industries, and how well they felt they were doing in rising to meet those challenges.
Here's the most worrisome part of all of this. As Landi reported, “About a third of respondents have significant confidence in their ability to improve, but it discovered a very significant number of respondents—about a fifth—that have zero to little confidence that things are on the up. And over two-thirds (68 percent) have, at best, modest confidence to manage digital threats. What’s more, 69 percent cited no to modest confidence to mitigate or prevent external digital threats, and 70 percent of respondents have no to modest confidence in reducing their digital attack surface, expressing the least confidence in threats against web, brand, and ecosystem assessment.”
And, when it comes to healthcare, “Respondents in the healthcare and pharmaceutical sector felt particularly at a loss with almost a quarter (24 percent) saying they felt little to no confidence in their ability to assess digital risks, according to the survey findings.”
Now, let’s put this into perspective: while 24 percent of respondents in the healthcare and pharmaceutical sector felt “little or no confidence in their ability to assess digital risks,” across industries, 70 percent of respondents said they felt “no to modest confidence in reducing their digital attack surface,” while 69 percent “cited no to modest confidence to mitigate or prevent external digital threats.” To be fair, the IDG folks did not offer a trans-industry statistic that was an apples-to-apples comparison with that 24-pecent figure from healthcare. But clearly, the levels of confidence around data security are low across industries. What’s more, one must also keep in mind that British healthcare organizations are different from American ones, in that they are governed by the National Health Service of the U.K., which is very different from how American hospital organizations are governed.
Other results from the survey probably speak to the size and scope gap across industries, not only healthcare. As IDG’s summary noted, “Larger companies felt that they were better able to update control systems and collaborate across departments, perhaps showing the benefits of scale”; while “Smaller companies felt best able to inform others about the status of external attacks, perhaps reflecting the benefits of having a smaller base to worry about.”
Still, the IDG folks noted that “Digital threat management appears more progressive among organizations in financial services, manufacturing, and consumer goods, as expressed by overall expenditure.” That analysis matches everything we know about the stages of development of data and IT security across different industries, with the healthcare industry coming late to the issue—decades after the banking and financial services industry, the consumer retailing industry, and even the transportation and hospitality industries, had already moved to strategize around and implement comprehensive data and IT security strategies.
And here’s an important element in all this. “When it comes to threats outside the firewall—often related to assets that are not easily under control of IT or not owned by the company –digital threats appear more difficult to discover, validate, assess and remediate in a timely manner,” the report’s researchers note. “Most likely, those challenges are still being underestimated and under-reported. There is, roughly speaking, a bell curve in opinions as to the ability to address threats with the highest number feeling that their ability to improve execution of digital defense capabilities is about as hard as it was the previous year. Many organizations still openly admit that they have great difficulty in dealing with external threats, and a significant minority are at the extreme end of the scale. All are being affected across several digital channels,” they note. “Breaking these numbers down by demographics, retailers were most confident of their ability to withstand external threats while large organizations were also more confident than the rest, suggesting that they benefit from the larger budgets and manpower at their disposal. But generally,” they add, “considering the growth in CSO/CISO appointments, rising awareness of the seriousness of security threats, new and incoming privacy governance rules such as GDPR, the increase in state-sponsored cyber-attacks and prevailing high-profile media stories on affected organizations, the overall finding towards digital defense maturity is low.”
It was also helpful to get a sense of which specific types of threats assume what levels of scope, in this. Survey respondents told IDC researchers that the following threats had “a frequent and significant impact on their organization in the past 18 months”: malware, ransomware and browser lockers (77 percent); targeted attacks (67 percent); credential or IP theft or sale (64 percent); mobile app exposures and unknown/unauthorized, or rogue company mobile apps (63 percent); domain infringement or DNS exposure or redirect (61 percent); and website infrastructure exposures—unknown, rogue sites, components, and apps (61 percent).
Moving forward—with outside help
So, what does all this mean for healthcare IT security leaders, going forward? These results speak to the historical background and context of where the leaders of patient care organizations in the U.S. are right now. And one of the key things we’re finding out at Healthcare Informatics, as we interview healthcare leaders for our publication and bring them onto discussion panels at our summits that make up our Healthcare Informatics Health IT Summit Series, is this: healthcare IT leaders are waking up fast—propelled forward by spectacular cyberattacks like WannaCry and Petya/Not Petya, and attacks on individual health systems and health plans—and are beginning to ramp up now in a serious way to meet the future.
What we’ve found in our interviewing and in our moderating of panels at our Summits, in the past year, is that awareness is accelerating in this are now, and so is activity, even as many healthcare IT leaders find themselves rather behind the proverbial eight ball, at this stage of the game.
There was some (relatively) good news in this survey’s results. According to IDG, “Forty-four percent of organizations plan to increase digital defense investment by 15 to 25 percent, and 14 percent will increase tool and service expenditure by more than 25 percent; both U.S. and U.K. have similar spending expectations,” IDG noted. And organizations are using an average of 35 tools to “thwart web, social, and mobile threats.”
In addition, the report’s authors noted, outsourcing some of the tasks involved in data and IT security is becoming more popular, across industries. “Across the board, respondents are today outsourcing well over a quarter of digital threat management tasks (29 percent),” they note. “And they plan to do more: in a year, the percentage will rise to over 33 percent, and the year after that, it will rise further to 37 percent—representing a 12.95 percent compound annual growth rate…. In many respects, the outsourcing of some digital defenses to MSSPs”—here, they are referring to “managed security service providers”—most commonly referred to in the U.S. as security operations centers, or SOCs”—is occurring as these providers are adding such services to provide value to their existing customers. Service providers that offer endpoint security or security information management services are incorporating threat intelligence to their analysis and reporting processes,” they add.
It’s good to get information, insights, and perspectives on these data and IT security issues that cross industries—and in this case, countries (per the U.S. and the U.K.). And while on the other hand, finding out that some other industries still lag behind in terms of ramping up to meet the intensifying data and IT security threats, might be slightly heartening, that is no excuse for laggard organizations to tarry. The risks are simply too high—and rising by the day.
But IT leaders in all industries are learning now, and learning relatively fast. There’s no time in healthcare to dawdle around healthcare IT security work, but reading the results of surveys like this one does provide context and framing for the challenging journey ahead—and that is a good thing.