Best Practices in Defense of a Cybersecurity Breach
April 02, 2018
HealthStream interviewed Steven Conrad, Managing Director of MediaPRO, to learn defensive measure healthcare organizations can take to prevent breaches. Conrad has worked to improve organizational performance through effective learning solutions and is active at the strategic level to protect organizations from cyberattacks.
What’s the Best Way to Encourage Vigilance?
Given the vulnerabilities described in some of the research, what is the best way to ensure that employees remain vigilant and smart about how to spot fraudulent emails? Some healthcare organizations have established Bitcoin accounts in the event that they are the victim of a ransomware threat, but is that the best available option?
Conrad recommends monthly mock phishing supported by employee training to best address the vulnerability created by employees. “An organization’s IT department may understand and be able to respond to the technology issues, but be less prepared to deal with the human problems.”
Send Your Own Phishing Emails to Assess Vulnerability
MediaPRO recommends sending phishing emails that emulate some of the best strategies used by phishers. It is not unusual to see between 60% and 70% of employees taken in by such emails particularly at the onset of training.
In addition to the emails that simulate phishing, Conrad also encourages healthcare organizations to take the following steps to protect themselves:
- Conduct ongoing mock phishing drills of your workforce in a way that emulates what actual phishers do.
- Provide regular data protection best-practice training that focuses on physical security, password protection, and other key aspects of data protection.
- Share the real-life tactics of phishers, which will involve regular and ongoing training.
Criminals Using Artificial Intelligence and Constantly Changing Tactics
“Bad guys are doing very sophisticated things including the use of artificial intelligence. It’s important to share these tactics with employees so they recognize these phishing attempts when they encounter them. These criminals use constantly evolving tactics. It is not a static game for them and your training should reflect this fact,” says Conrad.
In addition to monthly mock phishing, MediaPRO’s system can help organizations to identify those employees who create higher levels of risk as well as those who engage in potentially compromising behaviors, such as clicking on an inappropriate link or downloading harmful files. Training can then be customized to address specific areas of vulnerability. When describing the goal of training employees to recognize phishing attempts, Conrad says, “It’s all about enabling people to make better decisions. If we’re not doing that then we’re putting them in a situation where they really can’t do their jobs as well as they should.”
The threat to the security of information is an evolving one, and the key to real vigilance incorporates both technology and training. Conrad’s advice is to make sure that your organization helps employees to understand their vital role in the protection of this information.
This blog post excerpts an article in our complimentary eBook about Threats to Healthcare, Workforce Readiness: Preparing Today for Tomorrow’s Unknown. Download it here.