Cyber risks are “widely underestimated”

December 4th 2024

The cyber risks facing the UK are “widely underestimated” and require collective action against an increasingly complex array of threats, according to Richard Horne, chief executive of the National Cyber Security Centre (NCSC).

Speaking at the launch of the NCSC’s Annual Review, Mr Horne said:

“Hostile activity in UK cyberspace has increased in frequency, sophistication and intensity… What has struck me more forcefully than anything else since taking the helm at the NCSC is the clearly widening gap between the exposure and threat we face, and the defences that are in place to protect us.

“We need all organisations, public and private, to see cyber security as both an essential foundation for their operations and a driver for growth. To view cyber security not just as a ‘necessary evil’ or compliance function, but as a business investment, a catalyst for innovation and an integral part of achieving their purpose.”

Rise in number and severity of attacks

The review reveals a worrying rise in the number and severity of cyber incidents. This year the NCSC received 1,957 reports of cyber attacks. These were triaged into 430 incidents requiring support, an increase on the 371 last year. Of these incidents, 89 were nationally significant, 12 of which were at the top end of the scale and more severe in nature (which is a three-fold increase on last year).

NCSC says the UK faces “real and enduring threats from hostile states and cyber criminals targeting our critical national infrastructure.”

Ransomware attacks continue to pose the most immediate and disruptive threat, with some state-linked cyber groups now targeting the systems that national infrastructures rely on. Cyber attacks are increasingly important to players in Russia and China.

According to the report:

“Any organisation relying on digital technology, directly or through its supply chain, is at risk of a cyber incident. The majority of cyber attacks are untargeted and opportunistic in nature. Criminals will exploit weaknesses in an organisation without any regard for the sector it operates in, its size, or who is impacted.

“Despite how they are frequently described in the media, most cyber breaches are not a result of ‘complex and sophisticated attacks’. The vast majority of cyber attacks are still based upon well-known techniques exploiting commonly understood weaknesses. This means that organisations employing basic cyber security standards, such as Cyber Essentials, can successfully defend themselves from the most common online threats. Some cyber attacks are highly sophisticated, and these are usually conducted by hostile foreign states for espionage or wider state objectives.”

Implications for social care

Many health and social care providers are entrusted with sensitive information, which makes them a prime target for cyber gangs seeking to steal this information for financial gain.

Sharing this kind of data with other professionals via common online channels and platforms is essential to good care – but it also increases the risk.

Poorly protected networks can serve as gateways for cybercriminals to infiltrate health and social care organisations.

Anne Keast-Butler, Director GCHQ, highlights the impact of one significant attack on the NHS – which impacted admissions and discharge and therefore affected social care.

“The ransomware attack on Synnovis, and the impact this had on thousands of procedures and appointments across six NHS trusts, illustrates why – in our increasingly interconnected world – we must remain ahead of the threat.”

As the digital transformation of health and social care advances, so do the vulnerabilities, making robust cyber resilience a non-negotiable priority.

Positive progress

Despite these challenges, there are encouraging signs of progress. Over 80% of care providers are now registered on the Data Security and Protection Toolkit (DSPT), a vital resource for assessing and improving data protection arrangements. This represents a significant milestone in strengthening the sector’s cyber resilience. However, as Michelle Corrigan, Programme Director at the Digital Care Hub, notes:

“The challenge now is to ensure that care providers are putting good data and cyber security practices in place every day.”

The DSPT’s growing adoption indicates a positive shift in awareness and proactive management of data protection. Organisations that use the toolkit not only improve their cyber defences but also build trust with the people who rely on their services.

Michelle Corrigan emphasises the need for a cultural shift in how care providers approach cybersecurity:

“Cybersecurity is not just about technology—it’s about protecting the dignity, privacy, and safety of those who depend on our care services.”

Access free support on data protection and cyber security for social care.