There has been an increase in data breaches caused by employee-related mishaps, both with malicious intent and without. Three chief information security officers shared with Becker’s their best tip for avoiding cybersecurity mishaps by employees:
Kate Pierce. CIO and CISO of North Country Hospital (Newport, Vt.): Cybersecurity is a growing concern for nearly every healthcare organization. Insider threats make up between 60 and 85 percent of all cyber threats, depending on which report you reference. However, only roughly 20-25 percent of those are actually intentional criminal activity. My recommendations on how to address this growing issue are:
1. Implement a robust end-user cyber-education program to help minimize unintentional cyberthreat opportunities from entering your organization.
2. Diligently implement least privilege access for all users to help prevent accidental access to highly sensitive areas.
3. If the first two options are not effective, implement a user behavioral analytics application to identify highly risky personnel actions.
These three things can help to contain insider threats in your organization, although there is no assurance that an insider with malicious intent can be stopped.
Kathy Hughes. CISO and Vice President of Northwell Health (New Hyde Park, N.Y.): The best way to avoid intentional or accidental employee mishaps is through a combination of employee education, awareness training, activity monitoring and behavior analysis. Ongoing communication, including references to current events, helps reinforce how to recognize and report suspicious activity. Equally important is establishing progressive disciplinary actions for those who demonstrate risky behavior or violate policies, and setting behavioral expectations within the performance evaluation process that reflect employee requirements to practice safe computing.
Christopher Kuhl. CISO and Chief Technology Officer of Dayton (Ohio) Children’s Hospital: Changing your organization’s culture to be more cyber-aware can be one of the most difficult yet most beneficial initiatives you can ever do. On average, to change a corporate culture, it can take anywhere from seven to 10 years. It’s a long journey, but you, your security team and your organization will immediately see a return on investment from using a quality cybersecurity awareness program.