6 Focus Areas to Improve Cybersecurity Training for Healthcare Staff
Egress' "Insider Data Breach Survey 2021" — a survey of IT leaders — revealed that human error is the leading cause of serious insider data breaches. More than 80% of organizations surveyed experienced a security incident caused by a staff error. Almost 75% of organizations experienced a breach because employees broke security rules, while a similar figure suffered serious breaches caused by phishing. Furthermore, researchers at Stanford University found that 9 out of 10 data breaches are caused by employee errors. And this year's Verizon Data Breach Investigations Report revealed that about 85% of data breaches involved a human element.
At least one thing is clear from these figures: Organizations must prioritize cybersecurity staff training and awareness or they will likely face an increased risk of falling victim to a successful cyberattack and data breach. At Medicus IT, we support our clients in their efforts to improve cybersecurity preparedness and response capabilities, which always includes a focus on staff education and defining of roles and responsibilities. Here are six areas you can focus on to help better educate and prepare your staff so you can reduce the likelihood that your organization becomes a statistic.
1. Prioritize cybersecurity education and training
Cybersecurity cannot be treated as an afterthought. Review of your organization's internal security policies, protocols, and best practices — as well as a review of key security-related concepts such as HIPAA — should be included as part of new employee onboarding and annual staff training.
That's the minimum. It's best to regularly revisit cybersecurity best practices throughout the year during staff meetings and in communications. Strive to keep staff current on cybersecurity trends and developments, including growing threats and new best practices.
2. Share stories of real-life incidents
An effective way to keep cybersecurity top of mind for your staff is to share reports about cybersecurity incidents affecting healthcare organizations — especially those affecting organizations like yours. This reminds staff that healthcare organizations remain a top target for cybercriminals. If the reports explain what caused the incident, use this information to reinforce your policies and protocols that are designed to help prevent such incidents.
3. Leverage training tools
There are many different tools you can use to enhance your cybersecurity training and education efforts, from webinars, to e-books, to quizzes, to online courses. One of the most effective training solutions is a security awareness phishing campaign, which a healthcare IT security consulting firm can run for your organization or practice.
The campaign simulates a phishing attack — an online scam cybercriminals use to target victims by sending them an e-mail that appears to be from a trusted source — and tracks how employees respond. Based on the results, staff can receive increased training on how to spot and properly report suspected phishing attempts. When performed regularly, these campaigns are proven to be an effective means of heightening awareness of phishing and strengthening protection.
4. Avoid culture of blame
If your organization experiences a cybersecurity incident or a near-miss due to employee error, it's important not to default to blaming or penalizing the individual. A blame culture is likely to discourage staff from coming forward when they make a mistake, or even when they merely worry that they might have made one, which further puts your organization at risk. Rather, transparency should be encouraged, with mistakes or near-misses treated as a learning opportunity to help staff avoid such scenarios in the future.
5. Preach caution
Healthcare organizations nationwide are struggling with staff shortages, which is putting more pressure on employees to complete more work. With an emphasis on productivity, staff may be focused on avoiding any disruptions in their workflow and anything that may slow them down.
While such focus is important, it must not get in the way of staff taking the necessary precautions to keep your organization protected. Ensure staff understand that if they have any questions or concerns about a potential cybersecurity matter, they should stop what they are doing and immediately bring it to a supervisor's and/or the IT department's attention. As the idiom goes, "better safe than sorry."
6. Conduct cybersecurity drills
Your organization likely runs one or more disaster drills annually to test your staff's preparedness and response. The subject of these drills may be a fire, natural disaster, or active shooter. Consider adding a cybersecurity incident drill. The aforementioned security awareness phishing campaign is one such drill. You can also simulate other types of attacks, such as denial-of-service (DoS) and ransomware, and/or run tabletop exercises. The latter is a good way to conduct an initial cybersecurity drill, as it won't disrupt operations and will give staff a better understanding of how a cybersecurity incident may play out and their role in responding to it. These drills will help keep staff's cybersecurity awareness up and allow you to identify areas to target for additional training and education.
Take Healthcare Cybersecurity Training Seriously
Cybercriminals are looking for even the smallest IT vulnerability that can serve as an entryway into an organization's network. While you can — and should — leverage a host of solutions to strengthen your organization's security posture, nothing is foolproof. Staff play a vital role in keeping your organization secure and keeping cybercriminals out. By prioritizing cybersecurity training and education, you'll put staff in the best position to do their part in protecting your organization. To learn how we help clients ensure their staff do not become cybersecurity liabilities, contact us today.