Social Care sector under attack

It’s probably an understatement to say that it’s been a tough couple of years in the social care sector – but you may not expect additional challenges to care homes to be looming from criminals spreading their own form of viruses and disruptive actions. Any business under pressure is especially vulnerable to cyber crime and that’s why we’re ramping up support to care homes and providers in the South West.



So why specifically do we think that cybercrime is a threat to this sector? We know from government figures, of course, that around two in five businesses spot an attempted cyber attack each year, but what makes a social care business particularly interesting?


Firstly, there’s something about the nature of the workforce. Verizon’s data suggests that 85% of breaches last year were as a result of human factors – they happened because a person got something wrong, rather than because a system was vulnerable. So training your people feels like a great safeguard - but this is more difficult where there’s a constant flow of staff. Skills for Care suggests a quarter of workers are on zero hours, and 30% of the workforce leave their jobs each year. Added to that, there’s growth: as the population ages, this sector will require a third more people by 2035, or around another 500,000.


Secondly, there’s a decentralised approach, because most adult social care organisations (around 85%) are small or micro organisations. 38% of providers have four people or fewer. It’s tougher to claim that cyber is someone else’s problem if there are only four of you… with no centralised IT team, you need all the help you can get.


Thirdly, the focus on cybercrime has probably slipped in many of these businesses. Staff have been busy with life and death matters, and The Care Quality Commission confesses that the focus of inspections has rightly been on matters like infection control over recent months. But scrutiny will return to the cyber resilience of organisations, and they’ll be looking at the backup and contingency plans in place, as well as the existing data security measures. So there’s twice the reason for businesses to re-engage: not just because their inspectorate will be taking a keener interest, but because they probably do need to refresh and renew their approaches.


Fourthly, we know that the wider healthcare sector has come under increasing attack in the last year or two, with various alerts and proactive measures from the National Cyber Security Centre. Personal data is valuable, and these providers hold a lot of it. But for small businesses, it’s more likely that their IT is a bit creaky – they may be running on old operating systems, they have minimal support, and when resources are stretched, their focus is on their clients rather than the back office.


As a result, the social care sector is almost a personal target. Scant time for cyber training, busy people who are focused elsewhere, and a lack of investment in protective measures. Plus, their services are pretty critical, so it’s not like they can shrug at a ransomware demand and re-start their systems from scratch. Patient safety is at stake.


We know that in the healthcare arena there is already a lot of support. The Data Security and Protection Toolkit is encouraged, although not mandated everywhere. Digital Social Care has a network of local support providers who can provide advice, as well as a wealth of useful online material. And the Care Provider Alliance has some great signposting, with its continuity planning documents focusing particularly on the need for cyber resilience.

So where does SWCRC fit in? Well, let’s start by saying that we’re not for profit, and want to give you what you need, so if you don’t need anything, that’s fine too.


But here’s our core aim. We have a free membership: join us and we’ll give you nationally-recognised guidance which shows you the basics that you need to get safe, and we’ll contact you to talk you through anything that you need. We’ll also regularly update you with the latest scams and threats, so that your teams know what to avoid.


That’s not all. We can offer some additional and rather unique services. Through our partnership with local universities, we can get an ethical hacker to look at the security of your systems or to review your business continuity plans, at a hugely affordable rate. We can provide referrals for free face-to-face training and resources that you may be unaware of. And, if the worst should happen, we can find you a reputable local company that has the right accreditations to help – rather than falling back on a Google search. As a police-led venture, we’re not here to make money out of you, we’re here to make you safer. And if we can do that for free, it feels like a win-win.

