HIT Think

The biggest threat to your data is your staff: Here’s why


It’s not only reasonable to be concerned about data security; it’s also prudent, and increasingly necessary as organizations come to rely on clinical data and analytics as part of day-to-day operations.

According to a 2018 IBM study, the global average cost of a single data breach is $3.86 million, up 6.4 percent from the year before, and each stolen record costs about $148. That figure doesn’t include the long-term cost of losing the confidence of the patients and partners an organization serves.

However, many entrepreneurs, CEOs and technical officers misplace their concern. Beyond worrying about hackers and cybercriminals trying to force their way in from outside, HIT executives should be proactively managing their biggest threat: their own staff.

Here are the typical gambits that are likely to cause breaches.

Phishing scams and social engineering
Untrained staff members are easily duped. If they know how and where your data is stored, or hold the usernames and passwords to your most important applications, they can be manipulated into handing that information to a criminal who knows how to ask for it.

The most common threat here is classic phishing: an attacker lures an unsuspecting victim to a fake website that prompts for details. For example, an employee may receive an email masquerading as a message from an account rep, with a link to a page where the employee is asked to enter login credentials. If the employee doesn’t notice the red flags in the message or on the site (a sender address on a lookalike domain, a link whose visible text doesn’t match where it actually points, a login page served over plain HTTP), they may volunteer credentials that compromise the organization.

Social engineering by phone is also a threat. It takes a more hands-on approach: someone calls an employee directly, pretending to be a representative from a bank or from an application the organization uses, and through careful wording and pressure persuades the employee to hand over details about how to access data.

These schemes may seem simple, but they succeed at an astonishing rate.
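The red flags in a phishing email can be checked mechanically, which is what mail gateways and user-reporting tools do. The following is an added example written for this page, not code from the original article or from any vendor product: it parses a constructed sample message, compares each link’s visible text with its real destination, and flags lookalike domains, untrusted sender domains and unencrypted login links. The trusted-domain list and the sample message are assumptions.

```python
"""Mechanically spot the phishing red flags described above.

Added example for this page, not code from the article. The trusted-domain
list and the sample message below are constructed assumptions.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: domains this (hypothetical) organization and its vendors really use.
TRUSTED_DOMAINS = {"example-health.org", "vendorportal.com"}

# A domain-looking token inside anchor text, e.g. "https://vendorportal.com/login".
_DOMAIN_IN_TEXT = re.compile(r"(?:https?://)?([\w-]+(?:\.[\w-]+)*\.[a-z]{2,})", re.I)


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(url):
    return (urlparse(url).hostname or "").lower()


def _registrable(host):
    """Crude 'registrable domain' (last two labels); fine for this illustration."""
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def phishing_red_flags(html_body, sender, trusted=TRUSTED_DOMAINS):
    """Return a list of human-readable red flags found in the message."""
    flags = []
    sender_domain = sender.rsplit("@", 1)[-1].lower()
    if _registrable(sender_domain) not in trusted:
        flags.append(f"sender domain {sender_domain} is not a trusted domain")

    parser = _LinkCollector()
    parser.feed(html_body)
    for href, text in parser.links:
        href_host = _host(href)
        # Flag 1: the link text shows one domain but the href goes somewhere else.
        match = _DOMAIN_IN_TEXT.search(text)
        if match:
            text_host = match.group(1).lower()
            if _registrable(text_host) != _registrable(href_host):
                flags.append(f"link text shows {text_host} but goes to {href_host}")
        # Flag 2: a trusted brand name buried inside an untrusted host
        # (e.g. vendorportal.com.login-verify.net).
        if _registrable(href_host) not in trusted and any(
            t.split(".")[0] in href_host for t in trusted
        ):
            flags.append(f"lookalike domain {href_host}")
        # Flag 3: a login link served over plain HTTP.
        if urlparse(href).scheme == "http":
            flags.append(f"unencrypted link {href}")
    return flags


# Constructed sample: a credential-harvesting message posing as an account rep.
SAMPLE_SENDER = "accounts@vendorportal-support.com"
SAMPLE_BODY = """
<p>Your account rep needs you to re-verify your login today.</p>
<p>Sign in at <a href="http://vendorportal.com.login-verify.net/auth">
https://vendorportal.com/login</a> within 24 hours or access will be suspended.</p>
"""

if __name__ == "__main__":
    for flag in phishing_red_flags(SAMPLE_BODY, SAMPLE_SENDER):
        print("RED FLAG:", flag)
```

The sample message trips all three link checks plus the sender check; a genuine message from the vendor (sender on vendorportal.com, link to https://vendorportal.com/login with plain "Sign in" text) produces no flags. The registrable-domain helper is deliberately naive; a production filter would use the public suffix list.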

Bad passwords and bad habits
An organization’s employees are often left in charge of creating and managing their own passwords, which is a recipe for disaster. If they choose an easy-to-guess password like “123456” or some variant of “password” (such as “P@ssw0rd1!”), a basic dictionary or brute-force attack will recover it in seconds, because password-cracking tools already try those substitutions. Even long, complex passwords mixing upper-case letters, lower-case letters, numbers and symbols can be compromised if they’re reused across services, written down or stored insecurely, or left valid long after a breach has exposed them.
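The practical counter to the weak choices described above is to screen new passwords at the point they are set. The following is an added example written for this page, not the article’s own code: it rejects short passwords and exact or disguised matches against a blocklist, collapsing leetspeak and trailing digit/symbol padding so that “P@ssw0rd2024!” is recognized as “password”. The blocklist is a small constructed sample; a real deployment would screen against a large breached-password corpus.

```python
"""Reject the weak passwords described above before they reach production.

Added example for this page, not the article's own code. The blocklist is a
small constructed sample; a real deployment would screen against a large
breached-password corpus instead.
"""
import re

# Constructed sample of a breached/common-password blocklist (lower case).
COMMON_PASSWORDS = {
    "123456", "password", "qwerty", "letmein", "welcome",
    "admin", "iloveyou", "football", "summer", "monkey",
}

# Substitutions that rule-based crackers try automatically, so they add
# no real strength: P@ssw0rd is 'password' to any cracking tool.
LEET = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                      "0": "o", "$": "s", "5": "s", "7": "t"})


def normalize(pw):
    """Undo the usual complexity tricks so variants collapse to their root word."""
    base = pw.lower()
    base = re.sub(r"[^a-z]+$", "", base)   # drop 'Password123!' style suffixes
    base = re.sub(r"^[^a-z]+", "", base)   # and '!!Password' style prefixes
    return base.translate(LEET)            # then undo leetspeak in the middle


def check_password(pw, min_len=12, blocklist=COMMON_PASSWORDS):
    """Return (ok, reason). Length first, then exact and normalized blocklist hits."""
    if len(pw) < min_len:
        return False, f"shorter than {min_len} characters"
    if len(set(pw.lower())) < 4:
        return False, "too few distinct characters"
    if pw.lower() in blocklist:
        return False, "exact match in common-password list"
    root = normalize(pw)
    if root in blocklist:
        return False, f"variant of common password '{root}'"
    return True, "ok"


if __name__ == "__main__":
    # Constructed candidates: the first three are what the article warns about.
    for candidate in ["123456", "P@ssw0rd2024!", "Welcome!!2019",
                      "correct horse battery staple"]:
        ok, reason = check_password(candidate)
        print(f"{candidate!r:32} {'OK' if ok else 'REJECT'} {reason}")
```

Note what the check deliberately does not do: it does not demand a mix of character classes, because the normalization step shows why that requirement buys little. A long passphrase passes; a padded, leet-substituted dictionary word does not.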

Unsecured networks
The rise of mobile devices has been a positive development for many organizations; they can now initiate a bring-your-own-device (BYOD) policy that allows the organization to save money while enabling employees to use their favored devices for work.

Unfortunately, if an employee uses a work device (or a personal device for work purposes) carelessly, it can jeopardize the entire system. For example, joining an unsecured public Wi-Fi network or installing an illegitimate application can compromise the device, and through it any network it connects to.

Refusal to update
Software updates are vital for keeping devices and software secure. Vendors and security researchers continually find bugs, and when they do, vendors release patches to fix them; once a patch is public, attackers study it and build exploits for the now-known flaw. If employees skip those updates out of laziness or apathy, they remain exposed to exploits for vulnerabilities that have already been fixed.

Internal theft
Although less common, there’s also the possibility of an inside job. A so-inclined employee could copy records, or intentionally grant access to a third party, whether for a monetary reward or to exact revenge for a perceived slight.

Proactive management
Employees are indisputably your biggest data security concern. But how are you supposed to manage this threat?

  • Compartmentalized, least-privilege access. Don’t freely grant access to internal systems, even to your most trusted employees. Grant access only to the workers who truly need it for their role, review it when roles change or people leave, and avoid sharing information when unnecessary.
  • Ongoing education and training. Train your employees on best practices for cybersecurity; this is especially important if you’re trusting them with mobile devices. Then, provide ongoing education and training to keep them apprised of the latest potential threats.
  • Strong leadership and team goals. Don’t just tell your employees what to do; show them. Make sure your leaders follow all your cybersecurity best practices and set an example for the rest of the team. You can also build group habits around designated dates, like a day of the month when everyone must change their old password. Note that current guidance (NIST SP 800-63B) favors changing passwords on evidence of compromise rather than on a calendar, so pair any such ritual with screening new passwords against known-breached lists and enabling multi-factor authentication.

These steps won’t solve all your data security woes; you’ll still need to invest in good software and encrypt your messaging. But your rate of staff-related breaches will be much lower, and one of your biggest threats will become a manageable risk rather than the dominant one.

This story originally appeared in Information Management.