People want to get things done, so they take shortcuts, engineer workarounds, and use weak passwords. On the other hand, they also want to help, so employees answer questions, make connections, and try to keep the customers happy. Leaders know that attackers will leverage this tendency to be helpful in order to learn about the organisation, and to identify potential weak points.
Data is not the only protected asset
Leaders know that the good old days of merely protecting customer data from exposure are long gone. The word “data” sounds benign, passive, and harmless, but leaders know that it is the digital representation of both tangible and intangible assets. These include an organisation’s reputation, market position, intellectual property, processes, lights, power, cooling, heating, financial stability, payroll, and much, much more. Leaders know that today, data is everywhere; it enables everything, including the ability to remain operational. Protecting data confidentiality is just one piece of this intricate puzzle. Increasingly, attackers target the integrity and availability of the data. Leaders know that without data integrity, trust disappears.
The job is never done
Leaders know that security is an ongoing, never-ending discipline. A secure environment involves a long-term investment in people, processes, and technology, all of which change over time. People come and go, and must be trained into the culture. Processes will always continue to evolve in the search for efficiencies and better patient outcomes. Technology is continuously changing. All of these need ongoing maintenance and attention. What worked last year may be irrelevant this year. Because of this, leaders also know that security is an integral part of both strategic and financial planning.
Compliant does not equal secure
Leaders know that compliance is the floor. Compliance supplies a basic list of tools that should be in a proper toolbox, but it says little about how an organisation uses those tools. A holistic approach goes beyond mere compliance and builds a security program designed for a specific organisation’s needs. Security is not, as leaders know, a one-size-fits-all solution, and they guide the organisation to identify the right balance of acceptable risk. Of course, leaders know there will always be some risk: it cannot be completely eliminated.
Lead by example
Leaders know that everyone plays a part in making an organisation more secure. If the CEO’s password is “12345”, the organisation is wide open for attack. If the CEO believes the company has nothing an attacker would want, then the company is an “open book,” and the organisation is wide open for attack. When the CEO believes that proper security protocol is too disruptive or inconvenient, and insists that while security is fine for everyone else, the CEO is a policy exception, the company is in big trouble. Leaders know that in these cases, word gets around the company fast. Credibility and respect are lost. Attackers know this, and thus, the battle is lost.
This blog is part of the upcoming HIMSS Insights eBook issue focusing on cybersecurity in healthcare, which will be published at the end of September. Rod Piechowski is VP for thought advisory at HIMSS, owner of Healthcare IT News.