Verizon’s 2016 Data Breach Investigations Report (DBIR) revealed that accidents, not deliberate malice, accounted for almost 30 percent of the information security incidents in 2015.
These mistakes may be innocent but still affect an organization’s bottom line and reduce customer confidence. Training employees about cyber security vulnerabilities is an investment that pays off for every organization, from for-profit firms to non-profit healthcare groups.
Verizon’s report also zoomed in on the healthcare sector, with these statistics for 2015 data security:
- 32 percent of incidents in healthcare organizations were theft and loss
- 23 percent were from insider privilege misuse, seven percentage points higher than the industry average
The visible security guard at a healthcare facility’s door may give some a feeling of comfort, but does almost nothing to protect against the most damaging kind of losses — employees are 100 times more likely to lose items holding sensitive data (USB flash drives, papers, laptops) than thieves are to steal them.
Employee training can show end users the value of the information they routinely handle, and the methods, used intentionally by thieves and inadvertently by careless employees, that undermine security.
The main ways to prevent theft and loss (the largest category of cyber security vulnerability in healthcare) are surprisingly easy:
- Encrypt data — if stolen or lost, the devices will not reveal their secrets easily
- Reduce paper — train employees to avoid automatically printing every report, test or communication, and to be especially wary when printing patient information
- Train employees — Security awareness begins with every employee at every level
Verizon reported 34 percent of thefts were from employees’ vehicles. An additional 39 percent of thefts occurred within the employee’s work area. Train employees to take steps to safeguard data throughout their shifts.
Match privilege use and access to the employee’s job. How does your organization handle terminations, so that disgruntled employees do not later exploit their access for revenge?
Deliberate misuse is the leading cause of confirmed data breaches in healthcare, according to Verizon.
While healthcare may provide data of great value (patient records, Social Security numbers, dates of birth, addresses, and even payment information), other industry sectors have secrets susceptible to cyber security vulnerabilities too, especially:
- Financial services
- Public sector
Training staff in any sector to be more vigilant about cyber security threats takes expertise, not only in the sector but also in cyber security techniques. Universal strategies include:
- Awareness programs — Get your employees to appreciate the scope of the problem, the risks to your organization and to themselves personally, and the omnipresence of bad actors.
- Leadership — Training must be from the top down, with the CEO and CIO demonstrating their own commitment to reducing or eliminating cyber security vulnerabilities.
- Policy violation — An innocent online request that may allow a security breach should always be met with a notice to the end user of the policy violation, rather than simply stopping the request without explanation.
- Feedback — Encourage end users to inquire about possible threats, such as refusing to open a suspicious e-mail but instead forwarding it to the IT department; respond to these end users with praise and encouragement to continue their vigilance.
To overcome the ever-present threat of cyber security vulnerabilities, contact Alphanumeric today to see how our employee cyber security training can synchronize with your organization’s goals.