As healthcare organizations actively think about cybersecurity and protecting themselves against cyber-attacks, it is more important than ever to focus on more than just technology and tools. People are often the key to a successful – or unsuccessful – cybersecurity strategy.
People across the world have experienced massive changes over the last several months, especially in the healthcare and technology sectors. There has been so much change that I’d bet almost everyone reading this blog has recently asked what day it was. How and where we work are just the tip of the iceberg when it comes to the changes we have all had to face.
Everyone is contending with major shifts in how we communicate and how our organizations are structured, combined with stresses like mass layoffs, longer hours, and a volatile financial market. Add the underlying anxiety of an uncertain future, and those of us still working are having to maintain a business-as-usual mindset in the midst of unimaginable historical events. It is impossible to ignore that everything happening in the world is having a profound impact on our psyche, productivity, awareness, and day-to-day lives. All of those factors combined have a direct bearing on how well employees recognize and respond to cyber threats and attacks.
The number of known and unknown exploits that cybercriminals are employing in the wild is overwhelming, and to top it off, today's threat landscape and attack surface have transformed dramatically. Many healthcare organizations have had to shift to a full-time, distributed (i.e. remote) workforce. While some tech companies already worked this way, many organizations were not prepared. From a technical standpoint, we know that many security issues have arisen and become widespread, including:
- Insecure home networks, often shared with Internet-of-Things appliances that have little-to-no security mechanisms
- Video conferencing platforms with weak or limited security features
- Unmanaged personal devices being used to access production or work-specific environments
- And specific to healthcare: HIPAA-compliant telehealth platforms being used on those same personal devices over those same home networks, which means a compliant platform is only as secure as the device and network it runs on
But I didn't want to focus solely on the technical vulnerabilities that security teams try to fix every day. Instead, my hope is to shed some light on the vulnerabilities that emerge from our workforce, our people, and the way we communicate with one another. There is no question that the most important security asset in an organization is its people. Many major challenges have emerged as people work in our new distributed landscape, and they are affecting our overall security. Some of those challenges are:
- Inefficient and inconsistent communication across teams
- Reinforced organizational silos, which leave security teams with less visibility into what other teams are doing
- Under-reporting of suspicious activity
- Security policies that have gone stale because technology has changed faster than the policies
- Laziness or apathy in following security policies or basic security hygiene
The reality at most organizations is that IT and security teams are understaffed and overwhelmed, and the rush to a work-from-home world has only made that worse. I know it's been said a million times, but it's true: security is EVERYONE'S responsibility. True security is a team sport, and a friendly reminder never hurts. Now more than ever we need to stick together, and everyone needs to do their part to protect their own personal information, their colleagues' information, and their company's information.
While I don't have answers for every operational vulnerability that might emerge during this time, here are some ideas:
Security teams: retrain your workforce with "meaningful" training that is pertinent to your organization. No canned, automated modules. Don't stop at the what; really dig into the why. Make it matter in a way that means something to your employees, and explain why security awareness on their part is absolutely essential. We are not just protecting systems; we are protecting people, privacy, and in the case of health systems, lives. Meaningful training has a lasting effect: employees take ownership of the technology they use, keep a heightened security awareness, report unusual events at a higher rate, better understand why policies and procedures exist, and give security teams a clearer view of issues as they arise. A strong understanding of the "why" also connects people to the bigger picture and can diminish apathetic or lazy security practices.
Deputize and empower people across departments to keep security top of mind. These colleagues don't need to be in InfoSec or IT; they just need to know how to ask the right questions and bring the answers to the right people. Identify those who have some interest in security and build a true cross-functional team committed to improving it. One practical goal is to keep easily-answered questions from bogging down the InfoSec team's workload: an effective InfoSec team needs time to dig into important questions and vulnerabilities, and with these filters in place, its workload becomes more manageable and efficient. Too often we get so caught up in completing tasks and following inherited systems and processes that we don't take the time to think outside those constructs and get to a better place. We are in a new age, so processes must change, and everyone can play a role in your overall security strategy.
Lastly, stop thinking in terms of us vs. them, or security vs. end-user. That mindset is actively harmful to security. If employees are treated as a security liability rather than a potential security asset, they will live up to that label. Making people feel stupid, resentful, or apathetic is the last thing anyone needs in this environment, and it opens real security holes: employees who feel disconnected from or 'beneath' the IT team may be afraid to come forward when a mistake happens, may resent basic safeguards, or may deliberately work around protocols that were put in place to protect the organization as a whole. Treat everyone as a security asset and part of the team instead, and you empower them and give them a voice. By giving each team member the tools they need to work effectively and to recognize security flaws, you improve the organization's security posture, increase reporting of mistakes and threats, open a dialogue that may not have existed before, and present a more unified cybersecurity front.
Cyber-attack risks are ever-changing, and our new work landscape compounds them. Teams often need reminding that people are one of the most important assets we have in any security strategy. By building a unified, aware, empowered, educated, and active security workforce, we substantially reduce cyber risk and create a safer landscape for all.
Written by Kenny Storms, Head of Security