Vantage Point: Grow a security-first mindset to mitigate cybersecurity risks
In July 2022, IBM Security published its "Cost of a Data Breach Report 2022." The research in this report, conducted by Ponemon Institute, noted that the average total cost of a breach in healthcare was $10.1 million. For the 12th year in a row, the healthcare industry took the top-ranked spot. That is not surprising: cybersecurity threats to the Healthcare and Public Health Sector have risen steadily, and breaches reached an all-time high in 2021 [1]. As the founder and CEO of a software company that provides products to healthcare organizations, I have always kept the protection of client data top of mind.
Given the pervasive threat and the sensitivity of the data that healthcare organizations are entrusted to protect, we, as leaders, must build and grow a security-first mindset among our employees. My team and I have approached this through an intentional strategy built around three elements: the table stakes of compliance with the myriad government regulations, deployment of layered technical controls, and a robust security awareness education program. While compliance programs and technical tools are essential parts of the whole, the security awareness education piece can be the differentiator.
The weakest link in any security program is the human. No matter how many layers of defense you build to protect data assets, one errant click by a curious employee on a link in an email can defeat virtually any physical or technical defense you have deployed. To mitigate the weakest-link problem and lower this risk, build and grow a security-first mindset among employees and make it part of your company's DNA by conducting routine security awareness education and training.
Here are three activities we do at my company to keep security top of mind for our employees:
Mandatory bimonthly security awareness training courses for all employees
Every other month, we require employees to complete a short online cybersecurity awareness course. We partner with a vendor for content and deliver these courses through our corporate learning management system. The topics range from phishing, social engineering, and social media red flags to protecting your mobile device and insider threats. Each course includes short knowledge checks throughout and a test at the end. This routine training complements the annual training courses mandated by regulation.
Routine and random phishing tests tailored to our employees
In addition to the bimonthly security awareness courses, we conduct routine email phishing tests across our employee base. Again, we partner with a vendor whose platform lets us tailor these phishing tests to our employees, even at the individual level if we so choose. Although we have an impressively low click rate on these tests, we occasionally get, as our cybersecurity officer likes to say, a "dirty clicker." When an employee fails a phishing test, we use the follow-up as an opportunity to walk through the employee's rationale for clicking the link, review the phishing red flags with the employee, and then assign the employee to retake the relevant subject-matter training course. We very rarely have the same employee fail more than one test per year.
Frequent reminders and short security awareness briefings
Our company holds a weekly all-hands meeting. The meeting is an opportunity for the executive team to introduce new employees to the company and to update employees on significant activities such as our revenue numbers and progress on our Objectives and Key Results (OKRs). At the end of the all-hands, we highlight one of our corporate values or share a call to action around an opportunity for improvement.
This weekly gathering is an excellent time for the executive who oversees our corporate security programs to remind all employees of the importance of remaining vigilant and of reporting any suspicious activity, physical or digital, to the security team. It also provides an opportunity to briefly summarize a current security-related news story or to share a recent report issued by the US Department of Health and Human Services Health Sector Cybersecurity Coordination Center (HHS HC3). To keep things lively, this executive often writes a haiku or limerick to introduce the topic.
These three activities have become a key part of our employee engagement efforts and often generate offline conversations between our employees and our information technology and security personnel.
In closing, I would be remiss not to mention how important involvement in InfraGard and other public-private partnerships is to our security posture. In addition to me, several other employees are InfraGard members. Aside from access to information that helps inform our approaches to risk mitigation and asset protection, the InfraGard member network allows us to gain additional perspectives from members in other critical infrastructure sectors. The online resources, in-person and virtual meetings, and continuing education opportunities are tremendous resources for those who want to grow their security-first mindset.