However, for under-30s, some of the highest rates of cybersecurity best practices occur in the healthcare and pharmaceutical industry.
“Cybersecurity is highly important for the healthcare workforce, primarily due to patient welfare being an essential consideration. Furthermore, there is the need to protect intellectual property related to patient data/records, and pharmaceuticals,” says Matthew Handler, CEO of the Americas for NTT Ltd. “It is demonstrably possible for connected medical equipment to be breached, and for healthcare organizations’ IT to be used as a bridge to breach this equipment. Because the stakes are higher within the healthcare industry, it isn’t surprising that our recent Risk:Value 2 report found higher rates of cybersecurity best practices in this field.”
Healthcare executives should consider cyberattacks a clear and present danger to patient safety. There are recent examples of ransomware attacks that have disrupted medical care in hospital settings, Handler says, so it’s a crucial patient safety issue.
Not all systems in healthcare are based on IP (internet protocol), Handler says. Some use non-standard or operational technology protocols, and these systems are not always updated or patched in a timely fashion. This can lead to vulnerabilities that attackers can exploit. “Of course, IP-based systems in healthcare can be breached as well, and used as a bridge to other connected systems, such as medical equipment,” he says.
Healthcare institutions can reduce their value as a target for cyberattacks by conducting regular risk assessment exercises and identifying possible avenues of exploitation.
“Because most of today’s cyberattacks target people, not machines, it can be as simple as rigorous email training. The majority of intrusion efforts in the healthcare industry begin with email-based ‘phishing’ attempts,” Handler says. “Routine risk assessments allow healthcare organizations to allocate the right level of investment for protecting their most valuable assets. Because email-based attacks are the most common gateway, healthcare organizations should create people-based training. Define the threats, define the targets, and create training and awareness programs, which address how these cyber threats are carried out. It’s not just about protecting data, but patient safety as well.”
Generational differences in attitudes toward cybersecurity
- Under-30s are more likely to consider paying a hacker’s ransom demand (39%) than over-30s (30%). This may be due to an impatience to get systems back up and running, or a greater knowledge of bitcoin and other cryptocurrencies.
- Growing up in a technology skills crisis, 46% of under-30s are worried their company doesn’t have the right cybersecurity skills and resources in-house. This is 4% higher than for over-30s.
- The desire for flexibility and agility could be affecting attitudes to incident response. Under-30s estimate that a company could recover from a cybersecurity breach in just 62 days, six days less than the time estimated by older age groups (68 days).
- Younger workers are more accepting of personal devices at work than their older counterparts; 8% fewer consider them a security risk. However, they’re more concerned about the Internet of Things (IoT) as a potential risk (61% compared to 59%).
- Eighty-one percent of under-30s believe cybersecurity should be an item on the boardroom agenda, compared to 85% of over-30s.