Creating a Culture of Security to Defend Against Attacks

The Fifth Annual Benchmark Study on Privacy and Security of Healthcare Data by Ponemon Institute has recently revealed what others have long perceived: there has been a shift in the root cause of data breaches from accidental to intentional.  While 90% of healthcare organizations represented in the study had experienced a data breach, for the first time, criminal attacks are the number one cause of these breaches.

Criminal attacks are highly targeted. When it comes down to it, attackers will stop at nothing to break into an organization. They will use whatever means necessary to infiltrate, especially if those means are low risk. It’s far easier for attackers to bypass technical controls and exploit human nature to breach an organization than to compromise a network surrounded by technical controls. Unfortunately, there is plenty of overlap between the proactive criminal and the unsuspecting employee that really adds fuel to the fire. Despite the balance of breaches shifting to criminal activity, organizations are beginning to recognize the importance of starting with employees first.

According to Ponemon’s study, the data backs this up as healthcare organizations rank employee negligence as a top concern when it comes to the exposure of patient data. Employee negligence goes far beyond the occasional lost or stolen laptop.  What about when an employee accidentally discloses confidential data?  A whopping 70% of Ponemon survey respondents admitted that careless or negligent employees are the most concerning security incidents impacting their organization, but what can be done to help?

While organizations are gradually increasing budgets and resources to protect both healthcare and business data, not enough investment is being made in human capital to address the evolving threat landscape. It’s time for organizations to start investing in a culture of security that makes employees the first line of defense.

Do your employees know what a phishing email is?  Is there a process in place for the verification of a caller’s identity?  Do you have a process in place to report security incidents? If you’re unsure of the answers to one or more of these questions, odds are you are not engaging in a culture of security.

What does a culture of security look like?

A culture of security begins with active testing and training of employees for security awareness.  Employees who know they are being actively tested have heightened awareness for security initiatives and are more apt to shut down an attempt to exfiltrate information or breach confidential client data. Buy-in for the culture of security should start at the top and from there, it’s all hands on deck.  It is the responsibility of each and every employee to contribute to a culture of security.

Exposure, exposure, exposure!

Not only should organizations implement continuous training initiatives, but they should also work to publicly reward employees who successfully respond to or report security incidents.  Create a blog post, send out an organization-wide email, post it on a bulletin board, hand out a gift card, publicly recognize employees who embrace a culture of security at company meetings… a bit of positive reinforcement goes a long way!  If you’re interested in learning more about the benefits of Social-Engineer’s security testing and training services, contact us to learn more!