As you may know, successful cyberattacks often come as a result of human error, but did you know those errors are often made by employees who have already been through training? An article on Healthcare IT News takes a look at what methods help cybersecurity training stick.
Cybercriminals direct their attacks at untrained employees, or at employees who simply don’t apply what they have learned in training to their daily job functions. Erik Devine, chief information security officer at Riverside Healthcare in Illinois, agrees that even after employees go through cybersecurity training, they often do not come back and use what they have learned.
Devine compares some of his organization’s compliance statistics from five years ago with today’s, showing that engaging training can make a huge impact in protecting an organization from a cyberattack.
According to Devine, five years ago the compliance rate at Riverside was 85 percent when the organization ran phishing campaigns among its 3,000 employees. While a majority of employees were able to spot a phishing email, many did not know whom to contact if they received an email they were wary of.
Devine says that today the compliance rate has increased to 97 to 99 percent, depending on which test is being given. Devine also explains that Riverside is far too big to protect without ensuring employees are engaged in information security.
Devine shared some insight on what worked in training Riverside employees in hopes that other hospitals can learn from their success.
Use real world examples
We all know that training is not always exciting and engaging, and employees often become bored and disinterested in what they’re learning. A great way to ensure employees don’t lose interest in training is to use real-world examples.
Devine said that examples such as illustrating how hackers can break into a car wash and manipulate the robotic arms to damage automobiles or lock customers inside tend to pique trainee interest.
Another important aspect of training, according to Devine, is to give employees hands-on experience. Riverside provides that experience through simulated DNS poisoning and phishing campaigns.
Make training personal
Making training personal is another way Riverside gets their message across to employees on how important information security truly is. Devine says they bring personal interests into training by emphasizing that although the hospital would suffer from a breach, the government could also choose to go after an individual employee in the event of a security incident.
Making it personal also involves explaining what data people have that hackers might want, or what makes people legitimate targets, because many employees think an attack wouldn’t happen to them.
With many jobs at hand, especially in healthcare, employees often go back to work and forget to put what they’ve learned to use. Oftentimes nurses and doctors have life-threatening situations to deal with, or administrative staff have critical tasks at hand, leaving password changes a low priority.
Devine admitted that while he discusses the importance of employees changing personal passwords, since they are often connected to professional accounts, only about 20 percent take the advice.
Users unengaged with cybersecurity training will fall for the same tricks that have been used for 20 years. Engaged users, however, can help healthcare CIOs and CISOs protect an organization and its assets.