These overlooked training strategies can help stop your staff from causing breaches
One-third of businesses have suffered an insider-caused breach, with potential losses from each incident surpassing $5 million, according to the State of Cybersecurity Report from cybersecurity firm Forcepoint. No matter how you slice it, the human factor quite often rears its head when there’s a breach.
Technology can do its part in protecting against cyberattacks, but user education obviously is key to bolstering the human factor. What is not necessarily so obvious are different ways to look at user education and different ways to train during the educational process, some cybersecurity experts said. Bob Hansmann, director of security technologies at Forcepoint, and Jeff Pollard, a principal analyst who specializes in advanced threats, forensics and incident response at Forrester Research, offer learned takes on the human factor in cybersecurity.
“Healthcare organizations should look at insiders on a spectrum; essentially, users fall into a category – accidental, compromised or malicious – but can fluidly move along this continuum based on external factors such as job satisfaction, training or fatigue,” Hansmann said. “The key here is that the way that each type of insider interacts with data, like patient records, and their intentions or motivations behind that interaction vary. So, recommended types of education and solutions to prevent the loss of data due to these types of insiders vary as well.”
Accidental insiders can be inadvertent actors or convenience seekers – both make unintentional mistakes whether the intent was due to negligence or simply attempting to do their job, but not following the process, Hansmann said. These insiders require a focus on education, awareness and best practices for completing tasks safely and effectively, he added.
“Compromised insiders can be malware victims or impersonated users,” he said. “In both cases, the malware is attempting to act as the user. After all, the best malware simply impersonates human interaction with data. Since credentials are often stolen through social engineering, these users should be keenly aware of what they are clicking on or information they are providing to unknown sources. Ensuring you have proper web and e-mail solutions in place also can help limit these users’ interactions with potentially malicious content.”
Rogue employees or criminal actor employees make up the malicious insider category. Though this is typically the smallest portion of insider threats in a given network, having a strong data loss prevention solution and insider threat program often will lead to the discovery of such users, Hansmann said. It is important to understand their intention and motivation for interacting with certain business-critical data and if it seems anomalous from their day-to-day activities, he added.
Organizational culture is a key component often overlooked when it comes to insider threats, Pollard said.
“When employees are unhappy, disgruntled or feel taken advantage of, it increases the likelihood that an insider-related incident occurs,” Pollard explained. “So, when organizations look at their risks, especially their risks for insider threat, I recommend working with human resources. Track things like retention rate of employees with access to sensitive data or intellectual property. If you have high turnover in groups with access to sensitive information, your risk for insider threat-related events is increased.”
Also, one of the key areas few companies explore is analyzing how employees work, Pollard said.
“Understanding exactly what devices they use, how they use them, what applications they access, etc.,” he said. “What you'll find is the way that the organization secures systems might be vastly different from the work style that employees use. Without understanding work style, you can’t properly train or deploy security controls. Then, once you understand work style, train users based on their work habits, the applications they use, and how they use them.”
A less obvious method of cybersecurity training is the need for awareness training about the proper tools to accomplish various business tasks, Hansmann said.
“This all rests on the idea of looking at the point where healthcare workers interact with sensitive data,” he said. “Many mistakes happen when a user creates a workaround simply because they do not understand the official process available. And on another note, general education about the organization’s ability to monitor for abusive activity can help prevent incidence of opportunity. There are many case studies of this that draw on the use of cameras to help reduce crime because people are afraid they might be caught.”