Overcoming Human Error: How To Secure Against Cyber Attacks
Published on June 27th, 2018
Organizations throughout the healthcare industry are popular targets for cyber criminals.
Over the past five years hospitals, health centers, research charities, and even insurance providers have been hit with a torrent of cyber attacks. In May last year, the UK National Health Service was brought to its knees for a full week by one of the largest-scale ransomware attacks on record.
Put simply, if you’re in the healthcare industry, cyber attacks are inevitable.
And that shouldn’t be a surprise. Healthcare organizations have some of the lowest security budgets around, which, coupled with the sky-high value of medical records, makes them appealing targets for cyber criminals.
So how can you avoid becoming the next big data breach headline? To answer that, you’ll first need to understand how most healthcare breaches occur.
The anatomy of a healthcare data breach
Thinking about cybersecurity can be overwhelming, because there are so many attack vectors to consider: ransomware, phishing, password reuse attacks, and DDoS to name just a few.
Still, the vast majority of breaches in the healthcare industry fall into just three categories:
- Human error
- Lost and stolen devices
That doesn’t seem so overwhelming, does it? Problematic, certainly, but very manageable.
If we drill down even further, it becomes apparent that all three of these categories contain a strong human component. In addition to the obvious candidates – emails sent to the wrong address, poor password management, and so on – human error has a way of rearing its head in pretty much every data breach you’ve ever heard of.
After all, few devices are lost or stolen without a few mistakes being made along the way. Even ransomware, which strikes fear into the hearts of network administrators, is overwhelmingly spread via phishing emails. That means, at some point, a human must unwittingly follow a link or open an attachment in order for a ransomware attack to be successful.
And, ransomware is far from the only attack vector that relies on tricking people into taking undesirable actions. So-called “social engineering” attacks, which are commonly enacted using email (phishing), phone calls (vishing), and even SMS messages (SMiShing) are extremely common, and are often highly targeted, sophisticated, and convincing. These attacks are used to steal credentials, conduct account takeovers, install ransomware or other malware variants, and even to trick payments staff into paying fraudulent invoices.
Understanding the human component of healthcare breaches is vital, because it enables you to make sensible decisions across the security function.
Getting IT right
When you first realize the security impact of human error, the solution seems obvious: Make it impossible for humans to compromise your network.
And that would be great… if it were possible.
In reality, no matter how good your security architecture is, how tightly you control user privileges, or how well your policy documents are written, there’s no way to completely negate the human element.
But, that doesn’t mean you shouldn’t try. Here are some of the most important controls you can use to minimize the security burden placed on your users:
- Account privileges: How many of your users need to be able to install programs? Do they need access to all areas of your network? Do they even need to open the task manager in Windows? Most organizations allow users far more access than they’ll ever need, because it’s easier on a day-to-day basis. Unfortunately, this opens up huge potential for human error that can easily lead to major security breaches. In an ideal world, each user should only have access to the documents and functionality they need to perform their job.
- Content filtering: Since most cyber attacks that target users rely on social engineering, the most effective prevention tactic is to block those attacks from ever reaching your users. As a starting point, that means having some form of email filtering technology in place, but if you want to take things further, you can also filter online content and phone calls.
- Device encryption: Dealing with lost and stolen devices is never going to be a fun experience, but there’s no need for it to cause a major security incident. Encrypting all mobile devices and laptops as a matter of policy is an easy way to protect against a data breach.
- Vulnerability management: No doubt you’ve heard a few stories about organizations being breached by malware or ransomware attacks. In the vast majority of cases, those breaches could have been prevented if the organization in question had a comprehensive vulnerability management process in place. Vulnerability scanners are easily acquired, and most software vendors release patches for known vulnerabilities within a short space of time, so make sure you allocate the resources necessary to stay up to date.
- Sensible security controls: Once the basics are out of the way, you’ll need to determine which additional preventative controls are needed to secure your organization and its data. There are literally thousands of products and services on the market, from next-generation firewalls to threat intelligence platforms, and the specific combination that suits you will depend on your budget and organizational structure. One piece of advice: Try not to get bamboozled by the latest buzzwords, and cover the basics before you start investing in more advanced technologies.
Security training: the old way doesn’t work
Once you have a solid security architecture in place, it’s time to turn your attention to your users.
Remember, the vast majority of cyber attacks target people, not systems, and no matter how hard you try you can never completely protect your users from social engineering attacks.
The primary message you need to convey to your users is simple: Not all communications are legitimate, and if anything seems amiss they should get in touch with your IT department immediately.
Of course, there are plenty of things your training will need to cover in order to be effective. As a minimum, you should include:
- Different types of social engineering attacks and how to spot them
- Clear guidelines for working with and sending sensitive information
- What to do if a user spots suspicious communications or activity
- How to stay safe online, including web browsing and social media use
- How to choose good passwords
If you do the job well, you’ll be arming your users with the knowledge and skills they’ll need to do their part for the security of your organization, as well as make more sensible security decisions in their personal lives.
But if you’re thinking of using the traditional security awareness training approach, think again.
You know what we’re talking about. The kind of training where you sit in a stuffy underground room once per year so a bored IT intern can remind you not to choose “123cats” as your password.
This type of training doesn’t work, and it never has.
The clue is right in the name: Security awareness training. Traditional security training is designed around the premise that if users are aware of security, they’ll change their behaviors.
But guess what? They don’t.
Just like smokers don’t stop smoking when they find out it’s bad for them. Just like all those government-backed healthy eating campaigns haven’t put a dent in obesity rates. Just like knowing that eating well and exercising regularly will make us live longer doesn’t inspire us to eat salad and hit the gym three times per week.
If you’re serious about training your users to withstand sophisticated social engineering attacks, you’ll need to develop a program that engages users and gives them a chance to practice the behaviors you want them to develop.
Take phishing, for example. You can’t expect your users to identify phishing attacks in the real world unless you give them realistic samples to practice on. At the very least, your training program should expose them to some real phishing samples and point out the tactics they can use to identify them.
And it’s not just content you need to worry about. You’re also going to need to engage with users a lot more than once per year. At a minimum, you should engage users on a monthly basis, preferably using computerized e-training to minimize disruption and provide an interactive experience.
If all this seems a bit excessive, guess what? It isn’t.
Individuals are targeted by cyber criminals because they are usually a soft target, and if you want to change that you’re going to need to put in the time and resources necessary to do so. If you don’t have the budget or capacity to develop a powerful training initiative in-house, there are security vendors who provide this type of training as a pre-packaged service.