This best practice is actually called “staff training” or “incident response training,” but “human firewall” really embodies how seriously healthcare organizations should take the thorough and recurring training of all staff, especially those on the front lines: the IT help desk. At the very least, the IT help desk staff should be well trained and informed in all aspects of cyberattack strategies and tactics, and in your healthcare organization’s protocols for response.
Here are a few statistics to
illustrate why it’s so important to train employees in cybersecurity awareness:
- 95 percent of all attacks on enterprise networks were
the result of successful phishing emails, according to the SANS Institute
- 97 percent of people are not able to identify a
sophisticated phishing email, according to Intel
“We see a lot of
companies putting a tremendous amount of energy into protecting themselves from
external attacks, but insiders are really the bigger threat,” says Sensato
CEO John Gomez.
Most employees now have company email and
internet access through computers, laptops, tablets, and phones. Yet, few
organizations actively train all employees in the most basic internet, email,
and text hygiene practices.
Most Vulnerable Attack Vector: People
“We spend so much time chasing the latest
technology and promising new shiny solutions, while neglecting our most
vulnerable attack vector – people,” noted Gartner Vice President and
Distinguished Security Analyst Avivah Litan in her December 2016 blog post.
It’s not that employees are necessarily
looking for ways to compromise your cybersecurity for their own nefarious
purposes (though some may be—we’ll address that later). Rather, they are more
likely to fall prey to common attack ploys like Trojans, phishing, and smishing.
Careless and untrained employees can endanger your entire organization by:
- opening infected emails and clicking on malicious attachments or links
- sharing sensitive information on social media channels and within their social/family
- improperly disposing of/destroying sensitive material
- losing their laptop, tablet, or phone
The Dell End-User Security
found that “72% of employees are willing to share sensitive, confidential or
regulated information.” Why? They were just “trying to do their jobs as
efficiently and effectively as possible.”
Then there’s the other type of employee, the
smaller but just as dangerous portion who actively steal data for monetary gain
or access to your systems simply to destroy them.
“We’re all very well trained to look at the external threats,
but what we actually see in the field is that most people stealing information
data from an organization are insiders,” warns Gomez. “Insiders are especially
dangerous precisely because we trust them. You may see an employee accessing drives
or data they don’t normally access for their job, but ignore that because you
know they work here and they’re properly logged in, etc. But if you saw that
same activity being performed from outside of your company, all kinds of alarm
bells and whistles would go off and you would not ignore it.”
Doesn’t Come from Books, Lectures
Training could mean the difference between a minor
inconvenience and complete destruction, or, worse, the endangering of your
patients’ health and lives.
Now, let’s be clear about what we mean by “training.” We’re
not talking about sitting all employees down in endless, droning seminars and
putting them to sleep. The only type of training that truly “sticks” is active,
engaged, continual, and cultural.
That involves having cybersecurity experts train and drill IT
staff and other employees in data security. The best learning tool is
experience, and you don’t want your staff’s first experience of a cyberattack
to be during a real attack.
Sensato recommends cybersecurity tactical simulations, run
much like disaster drills used by hospitals, first responders, law enforcement,
and the military. This gives your entire staff a chance to enact your incident
response plan, discover any gaps in the plan, and build the type of “muscle
memory” that’s critical to successfully surviving an actual attack.
If incident response drills for the entire staff are not
possible, every person who has access to your networks should at least have an
understanding of phishing, smishing, and other tools attackers use to
For example, do your employees, and especially your IT help desk, know that there is an entire class of attacks that can only complete once the victim reboots the computer, so the attacker deliberately slows the machine down and triggers error messages that prompt the user to reboot?
“What’s the first thing you do when your computer is bogging
down, the first thing most help lines tell you to do? Reboot. This is true even
of medical devices,” says Gomez. “Attackers
know that, so you can bet that, yes, it’ll be working fine after you reboot and
you’ll have no idea that you’ve just been compromised. This is why we should
really be more invested in training our first line of defense – employees and
It Does Make a Difference
If employees are trained to call the
IT team, and the IT help desk is trained to take those calls seriously and look
for patterns, many attack attempts can be thwarted. According
to PhishMe, when
employees are well trained and phishing tests are routinely administered, an
organization’s susceptibility to a phishing attack is as low as 5 percent.
“We know that planning and training for cybersecurity can
seem like a huge and impossible task, so we encourage every healthcare
organization to simply start with the basics, but definitely start,” says
Gomez. “Your employees are your first and best line of defense, and the logical
place to start.”