According to a recent Identity Management Institute report (Jan 2020), employee errors cause the most data breach incidents in cyber-attacks. This could be as simple as a click on a (malicious) link in an email which could then compromise an entire network.
The Verizon DBIR report in 2020 found that about 1 in 14 users are tricked by phishing (deceptive) emails and 25% of them go on to be duped again. Software security vendor McAfee found in its 2015 survey that 97% of consumers are unable to recognise a phishing email. The overwhelming majority of breaches start with malicious emails or other social engineering in which victims are tricked into revealing confidential information, usually because the email sounds both genuine and urgent. Most malware, such as computer viruses, Trojans, rogue software or spyware, is delivered by email. It is important to learn how to spot phishing emails and to resist clicking on questionable links or attachments. Risks will be reduced if employees are able to recognise ransomware and other scams, via ongoing security awareness training.
Unfortunately, protection technology can’t always keep up, as attacks are never static; criminals will keep on finding new ways to get through defence programmes eventually.
Awareness and education
Your employees are an invaluable line of defence, your ‘human firewall’, so keep them up to date with what phishing and active threats look like, as threats evolve and adapt to manipulate current issues. For example, in recent times cyber criminals have exploited the sale of PPE and fake Covid-19 testing demands as opportunities to deceive employees and the public alike. It is also important to share learnings and intelligence across your organisation.
In an IT risk report undertaken in 2017*, 56% of healthcare organisations thought that their employees posed bigger threats to security than anyone else. The second most common cause of security incidents was human error, which encompassed accidental disclosure of sensitive data, loss of critical information stored on mobile devices and other scenarios. Unfortunately, due to the Covid-19 pandemic, the risk is even higher as we’re relying far more on technology and remote working.
Have a plan and share it
Government guidelines recommend that organisations have a cyber security plan in place that includes computer security monitoring programmes. In addition, implementing a comprehensive digital guide with rules and procedures for employees to follow provides clarity. Staff should all be aware of these policies and their importance. Clear, unambiguous and readily available information can be presented via online portals, and infographic posters can be a simple way to get the message across clearly.
Training is key
As cyber security company Infosec have reported, complacency of staff is a real danger when it involves workplace security. Their research has shown that “40-70% of employees will be a cyber-risk”, which might be down to “a lack of knowledge, general apathy or simply a lack of enthusiasm”. They emphasise that cyber security and vigilance should be the responsibility of all employees. Ensure everyone is on board with an understanding and appreciation of the role they need to play and the importance of good cybersecurity practices, and equip them with the necessary resources to protect your systems.
This is as much about training and motivating staff as it is about systems and software. Cyber security is not just a technical problem for an IT team to deal with. Compliance with Government or other regulations does not automatically mean that the appropriate levels of protection have been achieved. Those guides are just that, a minimum standard as a baseline starting point.
Just as you might refer a patient for specialist diagnosis, you need to apply the appropriate levels of expertise to assess your organisation’s cyber security controls and identify areas of weakness. No organisation is immune to the risk and, no matter how many procedures and controls you have in place, your organisation is only as secure as your weakest link.
Successful organisations are those that support a philosophy of security from the top down, with respected senior partners lending gravitas and emphasis to the subject. Workplace culture and training are essential elements in getting staff engagement.
Government guidelines recommend some basic steps to help avoid being a target:
- Be cautious of emails from unknown senders.
- Be wary of emails not addressed to the recipient by name.
- Be concerned if keywords like ‘Banking’ are highlighted.
- When hovering over a link, check that the domain of the URL points to the company that has supposedly sent the email.
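The last step above is the one staff most often get wrong, because phishing links are built to look like the claimed sender’s domain (for example by putting the real domain in a subdomain, or in the user-info part before an ‘@’). The following Python script is an added example, not part of the original article or any MIAB guidance, showing how the “does the link really point at the sender’s domain?” check can be made mechanical. The sender address, link text and link targets are constructed sample values; `examplebank.co.uk` and the other hostnames are placeholders, not real organisations.

```python
from urllib.parse import urlparse

# Constructed sample input: the claimed sender of a message and the
# (visible text, actual href) pairs found in its body. None of these
# domains are real; they are placeholders for illustration only.
SENDER = "alerts@examplebank.co.uk"
LINKS = [
    ("https://www.examplebank.co.uk/login",
     "https://www.examplebank.co.uk/login"),                          # genuine
    ("https://www.examplebank.co.uk/login",
     "http://examplebank.co.uk.verify-account.example/login"),        # real domain used as a subdomain
    ("https://www.examplebank.co.uk/login",
     "https://examplebank.co.uk@login-portal.example/"),              # real domain hidden in user-info
    ("Click here",
     "https://secure.examplebank.co.uk/statements"),                  # genuine subdomain
]


def sender_domain(address: str) -> str:
    """Domain part of an email address, lower-cased."""
    return address.rsplit("@", 1)[-1].strip().lower()


def link_host(href: str) -> str:
    """Hostname a link actually resolves to; user-info such as 'bank.com@' is discarded."""
    parsed = urlparse(href.strip())
    if not parsed.scheme:
        # A bare 'www.x.com/path' has no scheme and urlparse puts it all in .path
        parsed = urlparse("http://" + href.strip())
    return (parsed.hostname or "").lower()


def host_belongs_to(host: str, domain: str) -> bool:
    """True only if host is the domain itself or a subdomain of it.

    The leading dot matters: 'notexamplebank.co.uk' must not pass for
    'examplebank.co.uk', and 'examplebank.co.uk.evil.example' must not either.
    """
    return host == domain or host.endswith("." + domain)


def check_link(display_text: str, href: str, sender: str) -> list[str]:
    """Return a list of problems with one link; an empty list means it passed."""
    domain = sender_domain(sender)
    host = link_host(href)
    problems = []

    if not host_belongs_to(host, domain):
        problems.append(f"link host '{host}' is not under sender domain '{domain}'")

    # If the visible text itself looks like a URL, it must point where it says it does.
    shown = display_text.strip()
    if shown.lower().startswith(("http://", "https://", "www.")):
        shown_host = link_host(shown)
        if shown_host != host:
            problems.append(f"link text shows '{shown_host}' but points to '{host}'")

    return problems


def audit(links, sender: str) -> dict:
    """Check every link in a message; result maps href -> list of problems."""
    return {href: check_link(text, href, sender) for text, href in links}


if __name__ == "__main__":
    for href, problems in audit(LINKS, SENDER).items():
        status = "OK " if not problems else "SUSPICIOUS"
        print(f"{status} {href}")
        for p in problems:
            print(f"    - {p}")
```

The two deceptive links are the cases the hover check is meant to catch: one is a subdomain of an unrelated domain that merely starts with the bank’s name, and the other puts the bank’s name before an ‘@’ so that the browser treats it as a username and connects to the host after it. The check uses the hostname the URL parser actually extracts rather than anything a human might read off the string.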
To encourage employee engagement, make the content relevant, and offer incentives to get involved with data breach solutions, with rewards for vigilance. Sharing cyber-attack prevention successes will encourage other colleagues to do the same.
MIAB work with a number of specialist Cyber Insurance providers and we will work with you to find the right one for your business. Whether you’re a single practice, or multi-partnered venture, speak to MIAB’s Specialist Insurance Adviser, Montrose Bill on 01438 870718 or email firstname.lastname@example.org
Find out more about MIAB’s cyber liability and data insurance offerings here: https://www.miab.co.uk/cyber-liability-and-data-insurance-for-gps
*2017 IT risk report Research Lab