By Monte Ratzlaff, Director, Cyber Risk Program, University of California, Office of the President/UC Health
What if I told you that humans, not technology, are the most critical aspect of securing your organization? Sure, we need security technology, but it’s the humans working in our organizations that can either be the source of a breach or the ones who prevent it from occurring in the first place.
According to Privacy Rights Clearinghouse, in 2019, there were 28 reported breaches related to “Unintended Disclosure” affecting nearly 70K healthcare records. Also, the 2019 Verizon Data Breach Investigations Report showed that human errors and social engineering attacks were amongst the top three categories of actions that lead to breach incidents. The human element of attacks is very real.
As the saying goes, “you’re only as secure as your weakest link.” Many in the information security industry have dismissively used this saying when referring to “users”. However, the “users” are now the last line of defense in the current threat landscape. Long gone are the days where organizations relied solely on perimeter security to protect their digital assets. Since humans play the most important role in the security of our organizations, we as security professionals and leaders must recognize this and further invest in equipping our workforce to be our strongest defenders.
Equipping the workforce to think more mindfully about security becomes even more critical in the healthcare setting where patient’s lives are literally at stake. Email, Internet browsing, cloud applications, connected medical devices, electronic medical records, bring-your-own-devices (BYOD), Internet of things (IoT)…all of these require thoughtful human interaction to maintain the appropriate level of security. How are we, as leaders, going to develop our workforce to be thoughtful and effective cyber defenders? To begin to answer that question, let’s first look at what we’ve been doing.
Many industries, including healthcare, have relied on the “death by PowerPoint” approach to information security awareness training. We require our staff to sit through a (longer than necessary) set of slides filled with “do’s and don’ts” along with reminders of regulatory penalties – sprinkled with scary, cautionary tales of those who failed to heed the warnings. This approach is just “checking the box” for security awareness training, and our workforce sees it the same way – often clicking through as fast as they can to reach the finish. Is this effective? Do we still see folks falling victim to phishing emails or clicking on pop-ups? You bet we do. Why? Because we’ve historically not appreciated the culture of our organizations and the unpredictability of user interaction with technology. We’ve taken an approach of providing facts and information that doesn’t change behavior. The approach cannot be one-size-fits-all.
Aside from the approach we take, how can we measure the effectiveness of the security awareness program? We’re faced with a fundamental challenge of measuring security awareness effectiveness. Organizations that run phishing simulation campaigns can measure how many people clicked on the bait link. This is a very helpful measure for understanding the percentage of your workforce that are susceptible to phishing attacks. However, how can we measure password re-use with personal accounts or people using insecure Wi-Fi while travelling? Without meaningful metrics it’s difficult to understand whether the content, delivery mechanisms, or other factors are, indeed, working. Conveying value from security awareness training investments is nearly impossible without good metrics. Maintaining leadership support of security awareness investments is also a challenge without metrics. So, where do we go from here?
Effective human security behaviors are those that are habit. Humans that readily recognize and properly react to cyber threats do so because information security has become a habit for them. Habits, such as, not sharing passwords, thinking twice about opening suspicious emails, or clicking on links are just a few examples of how humans can prevent cyber incidents. Although people generally want to do the right thing, changing the workforce culture into one where people habitually make good cyber choices does not happen overnight. It requires a dedicated, multi-faceted program that reaches people in ways that a presentation slide deck can’t.
Keeping the training in digestible chunks helps people retain the information. Recognizing good habits reinforces those habits and encourages people to continue those secure behaviors. Include non-technical/non-security individuals in the development of your program. We security folks are good at knowing the security pitfalls, but those who are non-technical can bring a completely new vision for awareness programs. Including cyber champions or ambassador program allows people to be a force multiplier in security communications and conveying messages to their peers. Also, people learn in different ways – some visual, some auditory – keeping this in mind when developing delivery mechanisms is key. Good storytelling is another successful technique as it engages people, connects concepts with actions, and ultimately helps instill good security behaviors.
As leaders, we can and must take an approach to information security awareness that engages our workforce, encourages good security habits, conveys value through a security-minded culture, and results in a more secure and resilient organization.