Valuable cybersecurity tools to keep you safe
BY DOROTHY COCIU
Most of us are still licking our wounds from COVID-19. For the past nearly 18 months, we’ve all lost so much. From illness and death of family members and loved ones to the loss of income, food insecurity and massive amounts of stress, to dealing with Zoom learning for kids, and doing our jobs from home, we’ve been hurting. Most of us were looking forward to the predicted 2021 improvements, with vaccines available now for all who want them, infections down, and travel beginning to see new life. By June 15, 2021, California opened up its economy, and we had hope; we saw a glimmer of optimism and confidence that the future could be bright again.
However, just as we were beginning to smile more, feel comfortable going out to eat at our favorite restaurants with family and friends, and for many, hugging our parents for the first time in over a year, another cloud has begun hanging over our heads. And at times, this cloud has turned to pouring rain and then bolts of lightning. A new national emergency (my words, not the government’s) seems to be claiming our freedoms and our hopes and dreams. This time, the emergency isn’t about a virus. It isn’t about quarantine or loneliness. It’s about blatant attacks on our infrastructure, our pipelines, our airports, our healthcare, our food supply, our power plants, and our business operations.
This enemy isn’t a single germ or microorganism or pathogen. It’s a seemingly widespread and growing network of hackers and cyber criminals who exploit our weaknesses to infiltrate our networks and databases, quite often for profit. In some cases, it’s just simply about knowing they can, and rattling our nerves. But often, in cases like Colonial Pipeline, JBS Foods and many others, it’s about holding data hostage, and demanding cash payment or bitcoin in amounts of tens of millions of dollars, just so that companies can get their systems back up and running.
And what has the federal government often recommended when someone is hit with ransomware? Quite often, agencies such as the FBI have said simply, “Pay it.”
The only good thing that these recent nationally reported attacks have done is raise awareness, which I am grateful for. The question is, what will it take for people to take this seriously? East coast residents saw the results first-hand with the closure of gas stations. When they could finally find gas, there were miles-long lines waiting for the limited supply, and high prices (although sadly, those prices were often still less than what we pay daily for gas in California). We’ve all felt it in the raising of food prices, particularly meat prices, in our grocery stores, and in the inability to get the goods and services we need when we need them.
This storm has not passed. In fact, the clouds are darkening and gaining strength; at times it feels as though we’re in the eye of the storm, and at other times, just on the outskirts. No matter where you are, you can still feel the rainfall, the humidity, and the ferocious winds. With limited laws and no national, combined effort to combat it, the storm will rage on, until we all take control and stop it ourselves.
The weakest link
The problem is, in the simplest of terms, that systems can only be as secure as their weakest link. In most cases, the weakest link is us. Yes, the most common denominator is human beings. Humans are, as we all know, human. We make mistakes, and we sometimes have short-term memories. If not constantly reminded of something, we forget. Or at times, we just ignore things, because it’s easier.
In many cases, we simply aren’t properly trained to protect one of our most valuable company assets: our data. In many instances, it has taken only a single individual to take down an organization, although perhaps unknowingly. It may only take one misstep to throw the organization into turmoil, and subject it to a cyber attacker who is demanding millions of dollars. Can it be avoided? Yes, but at what cost?
Generally, the cost is doing a proper risk assessment, understanding your risks, and doing something to mitigate those risks. The cost is ramping up your network and database security, and taking the time, energy and effort to do one thing: Properly train your employees. In most cases, many of the largest breaches in the United States and across the world may have been avoided, if only the organization had spent some time, energy and financial resources protecting themselves with these steps.
Federal & state laws & regulations overview
Unlike other nations, such as the European Union, the United States has no single federal law regulating cybersecurity or information security. We have instead a small number of laws affecting certain industries, and little to protect everyone, such as:
• HIPAA Privacy & Security and HITECH (protecting medical records)
• GLBA (protecting financial records)
• Little-known laws such as the Computer Fraud and Abuse Act (CFAA) for prosecuting cybercrime
• Sarbanes-Oxley (applies to public companies)
• Federal Trade Commission (FTC), which, since 2002, has assumed a leading role in policing corporate cyber-security practices. In that time, FTC has brought more than 60 cases against companies for unfair or deceptive practices that endanger the personal data of consumers
• Also on the federal side, we have the Children’s Online Privacy Protections Act (COPPA), and
• FDA regulations for the use of electronic records in clinical investigations and a few other little known federal privacy protections.
There is no single regulation or oversight. There is a hodge-podge of laws, and often the government agencies don’t work together to fight cybercrime as other nations have. Here in California, we have even more privacy laws in effect, including the Confidentiality of Medical Infor-mation Act, Confidentiality of Social Security Numbers, a Data Breach Notification Law, a Customer Records law, and of course the California Consumer Privacy Act (CCPA), to name a few.
Even though some of these laws, including HITECH, require electronic security, is that enough? Sadly, recent history has proven it is not. Even with these federal and state requirements, we continue to see hospital after hospital, medical group after medical group, and individual medical practitioners fail to fully implement the security measures required by federal and state laws. We see multiple businesses in all industries subjected to ransomware, and their email, data files and more are held for ransom. Nearly every week, we are hearing in the news of another cyberattack that has slowed down meat production, fuel for automobiles and aircraft, and more.
I’ve been teaching seminars, webinars, hosted podcasts, written articles, etc. on
HIPAA Privacy & Security protections since 2002. This was just prior to the effective date of HIPAA Medical Records Privacy, along with HIPAA Security in 2005. When I wrote a HIPAA Manual in 2000 and updated it beginning 2002 and for many years after with all of the Privacy & Security applications, I did my best to teach people how to protect their companies, mostly in terms of physical and administrative security. I did privacy training all over the country. I taught companies to lock paper records down, double-protect SSNs and mental health information, and assisted with creating written policies and procedures and creating internal processes.
HIPAA Privacy & Security protections since 2002. This was just prior to the effective date of HIPAA Medical Records Privacy, along with HIPAA Security in 2005. When I wrote a HIPAA Manual in 2000 and updated it beginning 2002 and for many years after with all of the Privacy & Security applications, I did my best to teach people how to protect their companies, mostly in terms of physical and administrative security. I did privacy training all over the country. I taught companies to lock paper records down, double-protect SSNs and mental health information, and assisted with creating written policies and procedures and creating internal processes.
HIPAA Security in 2005 brought to it the electronic component, but it wasn’t until HITECH in 2009, however, that it was taken somewhat seriously. This is when HHS and OCR started treating business associates the same as covered entities. When penalties and enforcement ramped up, we began to understand the importance of protecting our data. It was at the beginning of HITECH that I knew I was out of my league.
A new national emergency (my words, not the government’s) seems to be claiming our freedoms and our hopes
and dreams. This time, the emergency isn’t about a virus. It isn’t about quarantine or loneliness. It’s about blatant attacks on our infrastructure, our pipelines, our airports, our healthcare, our food supply, our power plants, and our business operations.
I had to find technology partners to assist with the complexities of HITECH, because, after all, it’s allabout IT functions and technology. Yes, it was taken more seriously, but not seriously enough. And today, it’s not just about medical records. It’s about our internal systems, our personal and business financial information, and people stealing identities. Also now, it’s about having our data ripped from our systems and held in the hands of an invisible enemy.
Even with these federal and state requirements, we continue to see data hacked. Often, companies just pay up, because they knew the risks, but failed to take the necessary steps. To many, it was an understanding that it could happen, but an unwillingness to do the work, invest the funds, and implement strong company-wide policies to secure data. To some, they felt it was worth the risk. Pay now or pay later. They choose to put off what could have helped them avoid the dangers of today’s cyber-crimes. Some are indeed paying later. And much more than they may have wanted or imagined, because the wide-spread thought process is, it can’t happen to me. We’re starting to realize now that it can.
In 2021, the “new normal” is being reminded almost daily about the current storm, the “new national emergency” (my declaration), and that is cybercrime. We need strong cybersecurity measures to combat that emergency. In 2021, the “new normal” is being reminded almost daily about the current storm, the “new national emergency” (my declaration), and that is cybercrime. We need strong cybersecurity measures to combat that emergency. The question is, are you willing to do what it takes to protect yourselves and your company’s data?
The question is, are you willing to do what it takes to protect yourselves and your company’s data?
The first steps toward data protection
Now that this new national emergency is among us, what are we going to do to stop it, or at least slow it down, get a handle on it, and try to eventually end it?
First, take a step back and evaluate where you are. When was the last time you did a complete risk analysis — a true risk assessment — for your organization, including physical, technical and administrative security? Have you ever done so? Have you evaluated your systems, or done mock trials to find weaknesses? Or have you turned your back on it, thinking ‘we’ll get to it someday’? Well, folks, someday is here. You need to take action now, or you could be the next victim of cybercrime.
Real-world actions to keep you safe
To share additional perspectives, I asked the opinions of several reputable industry experts:
• Ted Mayeshiba and Ted Flittner, principals of Aditi Group, a technology and IT services and consulting firm (and in full disclosure, my company’s technology partners)
• Zach Ayta, director of Partnerships
• Sidd Gavirneni, CEO and co-founder of Zeguro, a cybersecurity consulting
and cybersecurity Insurance company.
Recent ransomware attacks in the news (Colonial Pipeline & JBS)
Recently large ransomware attacks like Colonial Pipeline and JBS Foods have shown us that hackers are exploiting security weaknesses and holding the data of many companies hostage, demanding millions of dollars to unlock their own data. This in turn, has shut down supplies for critical goods and services.
What do we mean when we say ransomware is a form of malware targeting systems? What exactly do these malicious actors do in these situations?
“Ransomware is encryption software loaded onto your machine or network, which is NOT of your choosing,” explains Mayeshiba of Aditi Group. “It is loaded onto your machine by a bad actor. The bad actor then encrypts all of the data on your system so you can’t read it. If you ever want to read or use any of your files again, they require you to pay them to give you instructions to decrypt the files.”
Gavirneni of Zeguro was asked the same question, and responded as follows: “Ransomware has become increasingly prominent in recent years and has grown significantly during the COVID-19 pandemic. New ransomware samples grew by 72%
in the first six months of 2020. This type of malware encrypts data in an information system and demands payment in exchange for regaining access. The payment is commonly demanded in cryptocurrencies due to their untraceable nature. Though the malicious actors claim that they will unencrypt data after the ransom is paid, there is no guarantee that users will receive the decryption key. According to the Center for Internet Security (CIS), one ransomware variant deletes files even if the ransom has been paid.”
in the first six months of 2020. This type of malware encrypts data in an information system and demands payment in exchange for regaining access. The payment is commonly demanded in cryptocurrencies due to their untraceable nature. Though the malicious actors claim that they will unencrypt data after the ransom is paid, there is no guarantee that users will receive the decryption key. According to the Center for Internet Security (CIS), one ransomware variant deletes files even if the ransom has been paid.”
Colonial Pipeline’s recovery of part of the ransom reported in the news recently was the first time (at least that I’ve heard of) that the U.S. government has actually been successful in getting part of the paid ransom blocked on a major case. So I would not count on the government to help every company out there. This one affected our fuel supply and started a media frenzy. People were desperately looking for fuel for their vehicles. Frankly, that type of publicity is not good for a somewhat new Administration in Washington. So, I’m sure there was immense pressure to do something to show U.S. strength in fighting cybercrime. What about the other attacks? Did the government step in for those? Most of the time, the answer to this date has been no. You need to rely on yourselves and keep it from happening in the first place.
No one is exempt from hackers
Public entities have also been breached, such as the Steamship Authority of Massachusetts, the Washington, D.C. Metro Police, the University of California, Michigan State University and others. People are wondering how they are supposed to protect their data when these large public entities aren’t even able to protect theirs. What are some basic things that can be done to protect your company’s data, and how do we convince organizations that this is serious?
“How do you protect yourself?” Mayeshiba queried. “This is malware, so you use good data hygiene practices we’ve spoken about on many occasions, like our training and in our podcasts. You must keep your software and browsers up to date, use Multi Factor Authentication, and most importantly, don’t click on links you aren’t expecting, etc.
How can you protect data?
According to Mayeshiba, in the case of a small library in Indiana, they had their card catalog hacked and encrypted. “What they do now is keep a backup of all their critical data offline,” he explained. “If they get hacked, they wipe everything clean and restore from backup. For a small business, this is a very practical solution. For someone like Colonial Pipeline, they discovered it would take many days to do because the entire infrastructure was encrypted. For those larger companies, we would recommend a separation of systems to prevent the unrestricted spread of malware.
“Sierra Wireless (another very large Fortune 500 firm) was a victim of ransomware,” said Mayeshiba. “Their administrative functions were attacked, but their operational functions were unaffected. The customers were unaware. Most administrative functions were back in days, fully functional within a week. AND no ransom was paid.”
So, is the answer to just back up your data? Yes, that’s a good practice, but you cannot rely entirely on your backups. As Mayeshiba said, this takes time that many companies may not have, particularly if they are an essential service or business. To many organizations, time is money. And no one likes to lose money. But would you rather lose your data?
How does the COVID-19 stay at home scenario add to the risks of data breaches and cyber-attacks? What can be done to mitigate this, since many companies decided during COVID-19 that they can save money by having certain employees work from home for the long-term? What are some basic “must-dos” and “don’ts” that companies should be practicing?
“The spread of ransomware throughout a connected network is the largest risk for a small business,” replied Mayeshiba “Your machines in the office may be ‘locked down.’ Machines at home, less so. At home there are many areas of weakness. Family members. Open ports. Memory sticks may be inserted which are infected. Wireless networks can be hacked. IoT devices (Alexa, Nest, etc.) may be hacked. Multiple entry points, multiplied by the number of employees out of the office in coffee shops or other public places, multiplies the risk.”
Mayeshiba continued: “What can be done? Work policies must be enforced at home. You should set up machines at home with a separated family account, work account and administrator account. No one but the employee should have access to the work account on a machine. You need to restrict rights to the various accounts so the work product cannot be breached or compromised.”
You may be thinking, how do I do that? For that, I would highly recommend that you contact a reputable IT services company. Most individuals cannot do that alone. However, be sure if they are working with machines that are owned by your organization or contain any type of company data, that the IT service providers you use are compliant with HIPAA (for medical information) and/or GLBA (if you deal with financial information). Be sure if you sponsor a company health plan, that you get a HIPAA Business Associates Agreement signed. You may also need a GLBA vendor agreement in place.
Hacker groups in the news: Are they the only danger?
Recent news reports have named certain hacker groups that have been linked to recent large breaches and ransomware schemes. We’ve heard about DarkSide, REvil group, Avaddon, Evil Corp, DoppelPaymer Gang and more. I asked Mayeshiba and Gavirneni if we should be worried only about these more infamous groups, or should we be focusing mitigation efforts on a wider range of hackers? Who should we be afraid of, and why?
“The larger hacker organizations offer Ransomware as a Service (RaaS),” said Mayeshiba. “This means they put kits together for any middle school whiz kid to use and distribute. They leverage servers and infrastructure where payments are processed and the heavy lifting of hacking is done. It’s the democratization of evil.
“What this means, however, is that ‘spear phishing’ will become more dangerous,” he explained. “More people, who are likely to know more about you, may send more enticing emails with links for you to click. Social media is now an attack vector. Therefore, it’s important that you NOT use the same photo for business and personal media accounts. Facial recognition software has progressed now, so hackers are able to associate facts on your Instagram account with facts on your LinkedIn account to give a good picture of enticements for the hacker to use against you.”
“The most important goal is to protect your business — irrespective of the size or type of a malicious actor group,” stated Gavirneni. “And this is because there are many, many more malicious actors that are not in the news, including newbies. The average cost of a breach for small businesses is $3.6M, and we have now seen instances of ransomware attacks by amateur cyber criminals.”
Keep in mind, many of these are faceless individuals, clicking away at holes, trying to find a way into your network. It could be someone next door to you. It could be a friend of your son or daughter. Social media, as Mayeshiba said, is now a major source for your personal information and a breeding ground for hackers, including, as Gavirneni mentioned, the newbies.
Healthcare and insurance group attacks
Turning to something close to probably everyone reading this article, healthcare and insurance groups have always been a huge target for hackers and cyber-attacks.
Are there certain things this industry should be doing more of to protect patient and customer medical data?
“Healthcare related businesses usually are subject to federal HIPAA laws and local state laws that require them to ‘de-identify’ patient info or protect it,” stated Flittner. “Protection falls on data when At Rest, In Motion, and Deleted. And we must control access to just the people who are authorized to see data. Making all that happen is a lengthy topic and starts with knowing your company.”
Flittner continued: “The most common statement made by Health and Human Services and Office of Civil Rights in HIPAA violation cases is a lack of adequate RISK ASSESSMENT by the companies. The first responsibility is to understand your own company risks of violating HIPAA privacy rules. The second responsibility is to make a plan to reduce or eliminate those risks.”
Of course, Flittner is speaking my language, because as I said above, I’ve been doing HIPAA Privacy & Security Training since 2002. This is one of the most important things I tell my students, which are generally CFOs, CEOs, corporate presidents and partners, as well as Human Resources professionals and insurance agents. But telling them and having them listen isn’t enough. They have to do something about it. They need to take action.
Flittner continued, “Number one: get an outsider’s view of your business risk. The actions following a risk assessment are specific to the company.”
Gavirneni added, “Cybersecurity is all about People, Processes, and Technology — making sure that businesses are looking at it holistically.
“Healthcare is extremely susceptible to cyber-attacks because of the amount of sensitive data, the third-party tools and products being used, and the proliferation of IoT devices.”
Gavirneni continued, “So, we always recommend starting with understanding your ecosystem, and creating cyber-security processes around that ecosystem. There are many things you need to do, but we’ll talk about only a few things that healthcare businesses can get started with:
1. Ensure that you continuously maintain an inventory of all software and devices you are using, and patch them at least once a month with any software updates.
2. Encrypt all data
3. Make sure that you are backing up all data continuously, but also have a process to restore that data
4. People are the primary root cause of breaches. So, train all your employees, consultants, and contractors on cybersecurity best practices. This cannot be a “once a year” effort. It needs to be at least once per month, so it stays top of mind.
I can’t agree with Gavirneni more. Too many companies, in my opinion, train their people once, and then forget about it. With technology changing, and employees being those human beings I mentioned, it just doesn’t stick with them. Your best defense is to train your employees, your consultants, and contractors on privacy and security of all types, and keep doing it, over and over. It could be the difference between getting hacked and being safe. Know your business and talk to a consultant to help you determine what type of training and how often you need it for your employees, given your situation.
“It all depends on the type of ransomware attack,” says Flittner. “Some are simply caused by an executable file that just encrypts data. Some attacks are real breaches into a company’s network AND the lock-up of their data. These situations are a lot more complex and mean the attackers may HAVE copies of some or all of the data. And of course, any payment of ransomware boosts the motivation of these pirates to attempt more plunders. Sometimes they even attack the same victim all over again.”
Software updates and patching
One of the most important things I want to talk about today are software updates and patching and why that’s important. Apple Mac OS recently released an update to address vulnerability that was allowing malware to work around privacy settings. Microsoft 365 had vulnerabilities in email applications. Microsoft also released patches for limited and targeted attacks.
What should businesses be doing to assure that updates and patches are installed and used? How important is this?
Remember that HIPAA requires that ‘Covered Entities’ use computer systems and software that are still supported by their makers,” responded Flittner. “That’s because we know that weaknesses are continually bubbling up to the surface. And as they appear, companies scramble to push out patches as software updates.
“Sometimes these weaknesses are glaring holes,” Flittner continued. “But most often they are rarely encountered combinations of keystrokes and commands that can unintentionally allow hackers to get in or take control of computers. Once a vulnerability becomes known about by hackers, they share with other hackers and malware code is written and deployed around the world. The most common way to spread those viruses is with ‘spammy’ emails with links we shouldn’t click on.”
And how many times have we seen just that? Employees, again, your weakest link, should know better but they don’t, or they forget. You must train them of the dangers, and you must do it frequently.
“Some exploits can be made on computer servers directly – like the ones in your office or running the stuff ‘in-the-cloud’ without any users clicking on email,” continued Flittner. “These are the kind of exploits that we see when a website is hacked, and you see ads for ED or cheap drugs. They are also the attack opportunities like Microsoft had with their Exchange email software this year. That one event allowed more than 30,000 Exchange email servers to be attacked by malware before patches were deployed.”
Hackers rely on the time window of opportunity between when an exploit is revealed and when software companies publish updates. But most importantly, before users — you and I — update our computers. Timing is everything. And often, only a short amount of time is enough to set the path towards data destruction or ransom attacks.
“Patching is critical, and should be done as frequently as possible,” stated Auta of Zeguro. “If an organization is unable to automate patches so that they are installed as they become available, then patching should be done on regular intervals, more often than just monthly.”
Travel industry vulnerabilities
The travel industry has also been hit hard recently after a devastating 15+ months.
As people and businesses are now starting to finally start traveling again, for both vacations and business, what can they do to keep their information safe?
“Lost or stolen phones are the number one way that data gets intercepted when you’re traveling,” stated Flittner. So, I asked him for a list of “to-dos”:
• Backup your phone
• Secure your phone with a strong password – just a few thumb strokes or a 4-digit pin
• Only use public WIFI with a virtual private network or VPN. IT Service companies can set up a hardware VPN or you can subscribe to VPN software.
• Don’t text or email secret info like your passwords to family or office while traveling. SMS and email are inherently insecure – like sending postcards. Set up password storage programs – LastPass, Dashlane, etc before you travel.
• Be mindful of who is watching or listening to phone calls when you tell someone your name, address, birthday, social security number, or credit card number over the phone. Use an ear bud and not a speaker phone.
Because these things are so common, I pressed Flittner for more information. “We also avoid downloading and installing apps which may be convenient but really are not necessary. These apps from travel companies and smaller businesses may have flaws and may not be updated as quickly as operating systems and big software programs.” Remember, we need to protect all devices, including phones and tablets.
Working from home dangers
Another thing we should be concerned about, particularly now with more people continuing to work from home, are kids and online gaming, as there are always issues with security.
What about the parents of those kids? What do they do to keep kids, as well as data, safe while playing online games?
“The only real way to protect your data and allow online and multiplayer games is to keep the gamers separate from any computers and phones that have your business data or sensitive personal info,” says Flittner. “Simply don’t allow games on your computers, and never on business machines. Use separate networks. Virtual Local Area Networks (VLANs) use the same internet provider, same wires, but special hardware creates separate virtual networks that can’t talk to each other. So, kids can be on their own, and you or your work can be on another. Risky games on the kid’s network won’t affect you on the work network. It can be all inside your home. I recommend you call an IT Service company like ours to learn more or have us set it up.”
“The only real way to protect your data and allow online and multiplayer games is to keep the gamers separate from any computers and phones that have your business data or sensitive personal info.”
Auta had additional ideas on this subject. “Malicious actors will stop
at nothing to creatively gain access to information or hardware through gaming platforms.
at nothing to creatively gain access to information or hardware through gaming platforms.
Parents should encourage the following:
• Avoid participating in chat, when possible
• Never share personal information about yourselves or your personal lives
• Avoid clicking links provided in chats
• Download gaming updates from app stores or within the game, never from external websites/sources
• Only add gaming friends/contacts that they know in real life (IRL
New cybersecurity regulations
The Dept. of Homeland Security is working on regulations. The Transportation Security Administration and Cybersecurity and Infrastructure Security Agency are getting involved.
How much can the government help with this problem? Even if we have regulations, will that solve the problems?
“Rules don’t really change human behavior,” stated Flittner matter-of-factly. “Regulations may lead to more widespread use of security steps like 2-factor authentication (like when your bank sends a confirmation code to log in). But rules won’t prevent people from clicking on email links to malware. And we all know that people still have to follow the rules. Companies still routinely violate HIPAA rules.”
That they do. All you have to do is take a glance at HHS/OCR’s “wall of shame,” which they seem to be very proud of, to see just how many entities violate HIPAA Privacy & Security rules, as well as HITECH, regularly.
“Rules don’t really change human behavior. Regulations may lead to more widespread use of security steps like 2-factor authentication (like when your bank sends a confirmation code to log in). But rules won’t prevent people from clicking on email links to malware. And we all know that people still have to follow the rules. Companies still routinely violate HIPAA rules.”
~Ted Flittner, Aditi Group
“We still need to be aware, train our co-workers to be aware, and assess our risks, put measures in place to help reduce risk, and consider insurance for when the unexpected does happen,” continued Flittner.
“The increase in regulatory frameworks is unsurprising, but necessary,” stated Gavirneni. “One of the challenges is that passage of regulations is an archaic process. Often by the time they are instituted, the technology world may have evolved well beyond the scope of the regulations. Secondly, current regulations fail to motivate organizations to go above and beyond what is required of them.”
Training for employees
Let’s talk about proper training for the front-line workers of businesses — those who sit at a computer all day. What kind of training do employees need to help protect their company’s security?
Flittner was more than happy to discuss this topic, saying, “Know company policies and why it matters to follow them. The key topic these days is email diligence. Don’t click on email inks or download files that you don’t really know the origin of. Slow down and take time to scrutinize. Teach people how to recognize fakes and legitimate messages. And train people on how to react if malware, ransom, or phishing attempts succeed. Who should they call and what should they do next?” That seems to be one of the glaring missing pieces in most employers’ privacy policies.
“Employees are often the first and last line of defense against security incidents and equipping them with the education they need to change their behavior is important,” says Gavirneni. “The key for any effective training is that it is not one size fits all. A robust training program should address both the knowledge gaps in an employee’s cybersecurity aptitude and risks that they face in their job functions. Additionally, many security awareness programs fail because every employee takes the same training at the same time, typically annually. Ongoing training on a monthly basis helps keep security top of mind.
How do you train your employees?
Every company and every industry is different. However, there are easy training tools you can use. Up-to-date video training is cost effective and easy for Human Resources. However, if you use video training, it’s best to incorporate live interactions within it. Personally, I like to create my training videos with stopping points in the video where you can literally hit pause and do role playing with your staff, or other interactions, to keep them engaged and aware. I also include statements in my videos, usually at the end, where I inform the employees that their employer will now distribute and review internal policies, to make sure that the employer is actually prepared to have the training.
I personally love in-person, live training, although I had to convert to web-based training during COVID-19. In-person training allows the trainer to look the employees in the eyes, see where they are confused and stop to see how to help.
I tend to shy away from on-line only training with no interaction, because people tend to not pay as much attention. If you are using an online only training tool, be sure to use one that has tests that employees must pass. If using this type, also use double authentication to be sure that you are in fact training the person you think you are training.
It’s important that you NOT use the same photo for business and personal media accounts. Facial recognition software has progressed now, so hackers are able to associate facts on your Instagram account with facts on your LinkedIn account to give a good picture of enticements for the hacker to use against you.
The most important thing is to decide what groups need to be trained, and conduct training specific to each.In HIPAA Privacy & Security training, I generally prefer 4 to
6 hours for Privacy & Security Officers and privacy work group members. Most don’t do that. But I do like to be complete, and it’s far too complicated to do in an hour at that level. I also like to do supervisor and manager training, as they have specific roles in monitoring and enforcing the policies of your organization. This is usually about a 2-hour training the first time, with follow-ups ongoing.
6 hours for Privacy & Security Officers and privacy work group members. Most don’t do that. But I do like to be complete, and it’s far too complicated to do in an hour at that level. I also like to do supervisor and manager training, as they have specific roles in monitoring and enforcing the policies of your organization. This is usually about a 2-hour training the first time, with follow-ups ongoing.
I believe electronic training and cybersecurity training should be mandatory for everyone. If it’s a provider group, then of course specific training is needed to address the requirements of a provider. Basic All Employee Training is also needed, which in my opinion, should include electronic security and cybersecurity training.
Each company’s privacy officer and security officer should appoint a privacy work group to deal with day-to-day functions, including proper training. That group should determine the most appropriate means of training that meets the needs of your organization. Keep in mind, it’s not just medical information (HIPAA Privacy & Security) you need to protect. It’s all types of company, employee and customer data.
If you’re not sure what type of training you need or how to go about it, you can certainly contact any of us involved in this article for assistance.
Cybersecurity insurance is now available, yet many employers still haven’t even thought about adding it. Is it affordable and is it worth the price? I believe it is, and our experts agree, wholeheartedly.
“This is just like other insurance questions,” notes Flittner. “If you can afford not to be insured, ok. If you can’t afford the potential loss or cost of being without coverage, get insurance. The cost of ransomware for example could include the ransom itself, cost of forensics investigators to determine if they took your data, the cost of bad press, possible legal penalties for breach, and customer lawsuits for letting hackers get their data. We think insurance is a great idea.
“Cybersecurity insurance is a critical part of a robust cyber risk management program,” Flittner emphasized. “Premiums are determined by a number of factors, including but not limited to an organization’s industry, projected revenue, amount of sensitive/confidential information, and In security/process controls. In general, I would describe cyber insurance as being relatively affordable for what is covered, but those costs are rising as insurers realize that their underwriting models were not fit for the risks they were taking on. It is important that organizations work with insurers that have a deep understanding of cybersecurity and cyber risk and use more than financial modeling to evaluate premiums, so costs stay down over the long term.”
“Cybersecurity insurance is a critical part of a robust cyber risk management program.”
The storm we’re in
In conclusion, I would ask that you think about the current storm we’re in. The clouds have not yet begun to part. We are a long way from that. But you have tools available to you to help you take shelter and weather the storm, and hopefully, see clear skies ahead. You may have to invest financially and cwith administrative processes such as real training, but it would be money well spent. Let’s combat the new national emergency with knowledge and action, and take control of our data, before it’s too late.
Author’s Note
I’d like to thank the contributors to this article, Ted Mayeshiba and Ted Flittner from Aditi Group, as well as Sidd Gavirneni and Zach Ayta of Zeguro for their assistance.
- Reach Aditi Group at (855) Go-Aditi
(1-855-462-3484) or info@aditigroup.com. - Reach Zeguro at (855) 980-0660.
DOROTHY COCIU is president of Advanced Benefit Consulting & Insurance Services, Inc. and CAHU vice president, communications. She is a veteran Privacy & Security consultant and trainer, with expertise in HIPAA Privacy & Security, HITECH, GLBA and related laws. She is the author of a HIPAA manual for employers and trains and consults nationally on physical and administrative security, as well as some facets of HIPAA Security. She relies on her technology partners, Aditi Group, for the IT security complexities of HITECH.
Dorothy is the host of her company’s podcast, Benefits Executive Roundtable, and is an instructor for many CE courses for CAHU and its local chapters, as well as SIIA, PIHRA, SHRM and other associations. She is also an HRCI instructor, and her firm is an HRCI provider. Advanced Benefit Consulting is also a CE provider for the California Department of Insurance. They recently launched their new education platform, Empowered Education Center, Powered By Advanced Benefit Consulting & Aditi Group.
Coming soon are CE credit for agents on the platform (pending DOI approval at this time). Her firm and her technology partners also do live training and have a monthly subscription service available for employee privacy & security training, including cybersecurity.
Contact: (714) 693 9754 x 3 or email dmcociu@ advancedbenefitconsulting.com.