A recent story about a data breach that affected 45,000 patients at Rush University Medical Center in Chicago drives home an important point about data security.
Many security breaches, including the one at Rush reported by the Chicago Tribune, are caused by human error. Investigators think the incident at Rush probably happened when an employee of one of the hospital’s bill processing vendors disclosed a file to an unauthorized party.
It is essential that we work with both technology and people to keep ourselves (and our data) safe.
We talk about it a lot around here and with peers within the industry. Here are some suggestions, based on actions we’ve taken and things I’ve learned from peers, at conferences and in reading about cybersecurity from experts.
As one hospital official pointed out, the weakest link in any security system is people.
According to Rod Piechowski, a specialist in health information systems, the amount of money spent on security doesn’t always directly correlate with the level of security; its impact depends on how you budget it and on which priorities you allocate your money to.
“You have to create a culture of security awareness,” he said.
Given that most cyber attacks are tied to people’s mistakes, we believe that educating your workforce, not just when they are hired but constantly, can thwart many attacks. It is hard to send too many messages about the importance of protecting data.
Protecting the data that we collect and that clients provide us for their projects is an ongoing challenge. The shape of cybercrime changes daily, maybe even hourly, as hackers devise new techniques for breaking through the protections companies put in place.
If you approach security from one person’s expertise or angle, it’s like locking the front door but leaving the windows and back door open. Because security has many dimensions, we advise putting together a committee made up of staff from different areas of your company: management, facilities, IT, human resources, project management, sales. Have short, weekly meetings. Keep the meetings quick and action-oriented or they will become something people dread. Ask everyone to share their insights, concerns and updates and then assign people to investigate or take corrective actions.
If you haven’t done so already, create instructions that guide staff who deal with data. Make them exact and clear about how data is to be handled and destroyed. Have your committee regularly review and update these rules. It’s also wise to create a list of best practices for all staff to follow regarding digital devices and data security.
Keep staff informed about the latest cyber threats. Provide them with a list of best practices and regularly reiterate security tips in emails, staff meetings or on company boards. Here are a few best practices for employees that Norton, a well-known digital security company, recommends:
Major department stores reward staff who call security when they witness shoplifting. The same sort of incentive could be offered to employees who alert management to cyber threats, such as phishing emails. Spending $50 on an employee tip would be a smart investment, considering the billions companies lose each year because of cyber thefts. It’s estimated that this year, cybercrime will cost $2.1 trillion worldwide, four times what it did just 4 years ago. Microsoft estimates that 20 percent of small businesses have been the target of a cyber crime, according to a column in Forbes.com.
It is tough to keep up with the latest criminal strategies and threats. Offer your IT security experts educational opportunities in many forms. Are there organizations they should join, where online forums with peers could keep them apprised of problems and solutions? How about webinars and other online educational opportunities? Share articles from newspapers and magazines about cyber attacks and how they can be prevented. This article from Forbes about hiring IT staff and training employees to be security savvy might be a good one to share with management.
Remember that cyber criminals attack companies large and small. They especially prey on small companies, theorizing, often correctly, that they devote less time and fewer resources to security. Get your company on a safer path by making your entire staff more cyber savvy. All it takes to have a data breach is one employee clicking on that phishing email.