“Cyber-Hygiene?” — Get Used to that Term, and that Practice!
In Grey’s Anatomy’s 2017 winter finale, the hospital is hit with a cyberattack, with the hackers demanding millions of dollars in Bitcoin to release the hospital’s technology. For a tech-savvy fictional hospital, this proved nearly fatal for patients who lost access to medical records, elevators, and blood banks. Earlier this summer, five real-life municipalities around the country were also victims of a cyberattack: Atlanta, Philadelphia, Baltimore, and two Florida cities had their online government and court services held for ransom. While this new type of criminal can be costly, the most pervasive cyber challenge probably isn’t a malicious hacker but simple human error, or, put another way, poor cyber-hygiene.
Francoise Gilbert, former co-chair of Greenberg Traurig’s data, privacy, and cybersecurity practice group and current CEO of DataMinding, says the number one challenge to cybersecurity is people. Most recent security breaches are caused by inadvertent human error, and companies have to be diligent about training employees and monitoring activity to ensure private data isn’t negligently disclosed — and about documenting that training! Leaving devices unattended, sharing passwords, or accidentally e-mailing information to the wrong people are typical security errors, but many breaches are also traceable to users unwittingly giving bad actors access to networks.
In 2015 the Ponemon Institute released a report in which 70% of the healthcare organizations and business associates surveyed identified employee negligence as a top threat to information security. IT professionals say at least 50% of breaches are directly attributable to user error or failure to practice proper cyber-hygiene. Not much has changed since then, but the stakes are much higher. Improperly discarded records may have left hundreds or thousands of people vulnerable in the past, but the massive digitization of records these days exposes millions of people to potential harm. The 80-million-record Anthem data breach was likely caused when thieves infiltrated Anthem’s system using a database administrator password captured through a phishing scheme.
While there is no foolproof way to eliminate human error, user awareness programs are key. Email coming into networks must be scanned for malicious attachments and links, as over 40% of all email attachments examined by Palo Alto’s WildFire software were found to be malicious. Eliminating the use of passwords has also been suggested, as people often use birthdates, pets, or children’s names. Multifactor authentication has been recommended, such as biometric identification (a facial scan or thumbprint) combined with derived credentials from a CAC or PIV card (similar to a chipped credit card), so that there’s nothing to remember and nothing that can be stolen. It’s a dangerous world, and we have certainly given up some privacy for convenience, but staying diligent and aware could save your data from ending up in the wrong hands. Thanks to Mehreen Hayat for her contribution to this post.
Please email Brian Gibbons with any questions.