Five easy ways to raise your employees’ awareness
Over the past years, criminal attacks on the health care industry and their data have increased drastically. According to an American research, the number of attacks increased by 60% last year alone, with numbers likely to rise even further in the next years.
Why is the health care industry such a big target?
The health care sector is an increasingly common target for cybercriminals. Why is that? What makes the industry such an ideal target? We see two important reasons.
- The data
More than any other business, health care institutions have access to a wide range of sensitive data. Personal data such as patients’ health information, but also their ID and payment card data. Sensitive data that is worth a lot of money on the dark web and that is often stored in a centralized location.
- The nature of the business
Health care organizations provide critical care to their patients. Any breach in continuity of that care needs to be resolved as quickly as possible, as there are – literally – lives at stake. This makes them vulnerable to ransomware attacks, as the criminals know that organizations dealing with critical care, are more likely to pay the ransom.
The cybersecurity issues health care organizations have to deal with, range from malware that compromises the integrity of their IT-systems and ransomware attacks that target the sensitive data, to denial of service attacks (DoS) that disrupt their ability to provide critical patient care. It goes without saying that any of these attacks and data breaches carry a high cost for the organization that is affected, often rising up to millions and millions.
The health care industry is arming itself
Luckily, as the health care industry becomes increasingly vulnerable to malicious cyberattacks, it also becomes increasingly aware of the dangers. These days, more and more health care organizations see the need for investing in decent cybersecurity, protecting their precious systems and data and making it harder for criminals to get to them.
“We are noticing that awareness is on the rise and that the sector grows to become more proactive when it comes to cybersecurity”, says Bart Van Vugt (BowTie Security), “but there is still a long way to go. The EU has recently adopted the new NIS2 Directive. By 2024, all organizations in the health care industry will have to comply with those new rules.”
“We are noticing that awareness is on the rise and that the sector grows to become more proactive when it comes to cybersecurity.”Bart Van Vugt
Human error is one of the biggest security threats
What businesses often forget, is that in many of the data breaches human errors play a big role. According to a 2021 study conducted by IBM in over 130 countries, 95% of cyber security breaches is in some way caused by human error. In other words, if you could take human errors out of the equation, you would be able to prevent 19 out of 20 cyber breaches from happening.
As human error is one of the biggest security threats that organizations face, it is all the more important to get everyone in your organization on the same page. In this article, we’ll focus on reducing that human margin of error by giving you a number of quick wins on how you can raise your employees’ awareness and easily get them on board of your important cybersecurity endeavours.
1. Promote good ownership of gadgets and devices
We are often unaware that corporate smartphones and personal devices of any kind act as gateways to our entire network. Did you know that around 15% of breaches in companies worldwide are caused by missing devices? It goes to show that improving your cybersecurity also involves raising awareness of the dangers of smartphones and taking care of all your employees’ devices. Not only the corporate ones they use for work, but also their personal gadgets.
2. Get your people to talk about cybersecurity
If you want to educate your employees on the risks and dangers of cyber criminality, sending a single alert via email is certainly not the way to do it. Chances are that they’re already drowning in work and they’ll just ignore or send to junk immediately. If you want to advocate real change, you want them to talk about it over by the coffee machine. Try and make the threat tangible: tell your employees what cybersecurity is and how the dangers have affected companies that were hit. Give them examples of what happened, hang up easy do’s and don’ts or insightful infographics and – why not? -also ask them for their opinion.
To give you an example, this is one of the ways the American multinational HP gets their employees on board: every now and then, they send out fake fishing emails. Colleagues who see through them and report them to IT, get congratulated and applauded in front of the whole organization. This way, the people get rewarded for making the effort, but it also boosts conversation among coworkers.
3. Appoint an awareness officer
Another way of getting people to talk about cyber criminality, is by appointing an awareness officer. This way, you show that you are taking the threat seriously. At the same time, you make sure that there is someone your employees can turn to with questions and concerns. The awareness officer functions as a SPOC for all matters concerning cybersecurity and he or she organizes trainings and workshops to educate everyone on the team. This way, your people can learn how to detect red flags and, in case of an emergency, they have the necessary skills and tools to act in the right way.
4. Make sure your people know the software they work with
Guarding your company from the possible dangers of cybercriminality not only means setting up a secure infrastructure on the backend, it also means making sure the front door is secure. If your employees work with software that is connected to the internet, make sure that they really know the tools they work with. Make sure they know what to do and what not do, when to expect pop-ups or slower operation, etc. The better they know the systems they work with, the easier they’ll recognize suspicious activity.
5. Make sure your people know the importance of a secure log-in
And last, but certainly not least: make sure everyone in your organization knows how important it is to use passwords with caution. We cannot stress it enough: your people have to understand the dangers of dealing with passwords. Drill the importance of secure log-on processes and multi-factor authentication, because it is the number one thing your co-workers can do to help keep the entire organization safe and secure. Changing passwords on a regular basis may be time-consuming, but it is also very necessary.
The dangers of dealing with passwords are encouraging more and more health care companies to switch to a log-in system with smart badges. Although these badges make your employees’ lives easier in a myriad of technological ways, it is important to point out that they are not without dangers either. Make sure to work with the right partner, when switching to any new access management tool, and make sure everyone in your organization uses them with caution.
Have you heard about NIS2?
It goes without saying that, in moving towards a more connected and digital world, we simply cannot overstate the importance of cybersecurity. Which is why the European Union has recently adopted the NIS2 Directive, or the Network and Information Systems Directive. NIS2 is aimed at improving cybersecurity in a number of critical sectors across the EU and could very well be a game-changer for the health care sector. The NIS2 directive, which will be implemented by the end of 2024, will help to create a safer and more secure health care system. It focuses on providing a roadmap for securing the most critical and sensitive information and it sets a new and improved standard for cyber resilience and risk management. By opening up new possibilities for improving patient care and digital safety, NIS2 will ensure that the health care sector can continue to provide life-saving services and treatments to those in need.
Want to learn more about cyber security and NIS2? Join our webinar on the 16th of March 2023, and discover what the new European directives on cybersecurity entail for your organization.