Imagine you walk into your doctor’s or dentist’s office and, as you sign in, you hear the person at the front desk reading a patient’s confidential information aloud for anyone in the general vicinity to hear. What do you do? Cyber security is a philosophy, not just a practice. The practice stems from the company’s security philosophy and permeates every part of the organization. Security awareness training is of the utmost importance in preventing the negative impacts of a breach.
When this happened to me recently I was shocked. I’m not sure if I was more shocked by the fact that confidential information was being thrown around with no regard for the potential impact, or that the patients in the room seemed not to be concerned. My first thought was that the person at the desk was either malicious or negligent. Had the company provided security awareness training? Their philosophy was clear within the verbiage of their patient paperwork, which allowed for “the release of health information to banks and financial institutions.”
Again, security starts as a philosophy. Although compliance regimes such as PCI DSS, HIPAA, and SOX, along with laws governing PII, dictate specific controls, a more general philosophy around protecting key data should be adopted so that breaches are addressed proactively rather than after the auditor arrives. The example above involves personal health information, but analogous situations exist within the corporate environment. Sensitive data such as customer records, CPNI in telecom, pricing, or even the contents of properly performed exit interviews can harm an organization if it is not secured properly.
Security awareness training is the first line of defense. If your people don’t know that they need to keep the information secret, they won’t. Fines for data breaches are the least of your worries, so you want to explain exactly why data needs to be held so tightly. According to the National Cyber Security Alliance, as reported by Entrepreneur Media, 60% of small businesses go out of business within six months of an attack. Brand equity and finances suffer, and the people held responsible may lose their jobs. Read more here about what happens when your small business is hacked.
Common sense approaches to security couple physical controls like door locks with training that reminds employees not to let unauthorized people tailgate into a locked facility after they open a door with their key card or ID. Password policies are another example: a rule that looks good on paper can do more harm than good if employees aren’t trained on how dangerous it is to leave passwords on Post-It notes on their desks. Forced periodic password changes are a classic case, since they push people toward weak, predictable passwords and written-down credentials; current NIST guidance (SP 800-63B) recommends against routine expiration in favor of longer passwords, screening against known-breached passwords, and forcing a change only when compromise is suspected. Here is a list of the 6 threats to keep an eye out for in 2018 according to MIT Technology Review.
Cyber security concerns are also present within the government sector. When a sheriff’s office is paying a ransom to get its data back, we have a huge problem, and this happens more often than most think. Organizations also have to decide if and when they release information about a hack. Equifax discovered its 2017 breach at the end of July and did not disclose it until early September, roughly six weeks later. Sometimes you can’t immediately release that information, since doing so could cause additional harm, for example while the exploited vulnerability is still unpatched or attackers still have access. Knowing when and how to disclose is part of security awareness training for the higher-level IT and leadership staff within an organization.
The increased demand for cyber security professionals, especially the CISO, indicates that companies know they need to address these issues. Their inability to find the right talent to put in place shows that the philosophy of security doesn’t always make its way to the top. Most executives know that cyber threats are dangerous but don’t understand the nuance. A firewall is great, but the weak link is people. If an unsuspecting employee plugs an infected thumb drive into a workstation, the malware is already inside the perimeter and the firewall never sees it.
There is a shortage of cyber security professionals. Cisco cites a prediction of 3.5 million unfilled cyber security positions by 2021. Cross-training existing staff within companies will have a big impact on securing data. Security awareness training is imperative across every internal organization, both to make those professionals’ jobs easier and to keep data secure.
In sum, companies need to train their employees to use common sense approaches to securing confidential data. That person at the front desk obviously needs to be trained not to read confidential information aloud, and why: the patient’s finances and identity could be compromised, and the company can be fined. Three things can be done, and they are simple. First, regularly scheduled training and reinforcement is necessary to keep employees aware of their role and the harm they can prevent. Second, looking at security from a high level, as a philosophy, is a crucial first step to addressing your company’s security concerns; throwing money at it isn’t the answer. Finally, risks need to be assessed proactively to create a plan of action and limit potential harm to the organization.
For help with these and other issues, contact us here to schedule a discussion.