
ABOUT David Chou

David Chou is a healthcare industry leader in the digital space.  David is the CIO for Luye Medical Group (Cleveland Clinic Connected) while also serving as the VP, Principal Analyst of Silicon Valley based Constellation Research, Inc.  Chou has held executive roles with the Cleveland Clinic, Children's Mercy Hospital, University Of Mississippi Medical Center, AHMC Healthcare, Prime Healthcare, and is also advising many academic medical centers and healthcare start-ups.  

David is a dynamic keynote speaker and industry commentator working with clients to transform their business models using technology. He has spoken around the world at healthcare tech-related conferences, including keynotes for leading industry events and intimate executive settings. Chou is also one of the most mentioned CIOs in the media and well quoted in outlets such as the Wall Street Journal, Modern Healthcare, HIMSS Media, ZDNet, CIO.com, Huffington Post, and Becker's Healthcare. David is an active member of both ACHE and HIMSS while serving on the board for CHIME.

Human liability in security

July 30, 2017

Cyber attacks are in the news daily. Often the headlines sound alarms about hacktivists or hackers from across the globe, but shocking headlines overlook a key statistic. According to a 2016 report published by IBM, up to 60% of all cyber attacks result, often unwittingly, from the actions of people inside or closely connected to the company. 

 

Some estimates put the global cost of cybercrime at 2.1 trillion by 2019, with 20% of cyber attacks directed at small and medium-sized businesses. Despite higher investments in security, big business provides larger targets and continues to be a favored mark.

 

This growth trend in cyber attacks has fueled outside industries, including cybersecurity companies and insurers selling cyber-insurance, the latter of which expect business to triple in the next three years.

 

Mom and Pop shops aren't ready for this cyber wave, and big business isn't as prepared as once hoped.

 

Insiders open the cyber-doors

The role of insiders has taken many forms. Awareness is a key to reduced risk, but most employees are not well-educated on the scope of the threat. Even corporate leaders need a better understanding of the risk. EY's 2015 Global Information Security Survey found that 44% of executives said that employees posed the greatest cyber threat, much lower than the 60% said to be involved by the IBM report.  

 

Reportedly, two-thirds of data breaches attributed to employees have been unintentional. Clicking the wrong email attachment, falling for a ruse by email or by phone, or use of insecure passwords all can open the gates to the cyber kingdom. It's a numbers game. Cyber criminals know that if they try enough doors, one will be found open, and they've learned which doors to check first. The remaining third of data breaches have been financially motivated, including those involving cyber-espionage.

 

Verizon's 2017 Data Breach Investigations Report is at odds with some of the figures reported by IBM, EY, and others, with 25% of breaches attributed to people inside the compromised company. The difference may be due to the methodology used for collecting and reporting data.

 

Top targets for cyber attacks in the Verizon report were financial organizations at 24% of data breaches. Healthcare organizations, public sector entities, and retail and accommodation organizations all followed, ranging from 12% to 15% of all reported breaches.

 

The Verizon report indicated that 61% of the data breach victims were companies with under 1,000 employees and that in testing 1 out of 14 people opened a suspicious email attachment or clicked a link that led to trouble. A quarter of those tested did it more than once. In a company of 1,000 employees, 70 staffers are likely to open Pandora's box unwittingly.

 

Some companies run their own internal testing, sending suspicious emails to employees and then measuring click rates. Employees are encouraged to report phishing if an email subject or sender looks peculiar. Upon opening a suspicious email, the employee is greeted with a message explaining that the message was a test that should have been reported. While this practice does increase awareness of a threat, these same employees may not be aware of the full corporate risk.
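The internal testing described above produces three numbers worth tracking per campaign: click rate, report rate, and the share of clickers who click again in a later test. The following is an added example, not code from the original post; the event export format, campaign names, and user names are constructed assumptions.

```python
from collections import Counter, defaultdict

# Constructed sample export from an internal phishing test:
# (campaign, user, event). Format and labels are assumptions.
EVENTS = [
    ("campaign-A", "alice", "delivered"), ("campaign-A", "alice", "clicked"),
    ("campaign-A", "bob", "delivered"), ("campaign-A", "bob", "reported"),
    ("campaign-A", "carol", "delivered"),
    ("campaign-A", "dave", "delivered"), ("campaign-A", "dave", "clicked"),
    ("campaign-A", "dave", "reported"),
    ("campaign-B", "alice", "delivered"), ("campaign-B", "alice", "clicked"),
    ("campaign-B", "bob", "delivered"), ("campaign-B", "bob", "reported"),
    ("campaign-B", "carol", "delivered"), ("campaign-B", "carol", "reported"),
    ("campaign-B", "dave", "delivered"),
]

def summarize(events):
    """Return (per-campaign metrics, repeat clickers, repeat share of clickers)."""
    seen = defaultdict(lambda: defaultdict(set))  # campaign -> event -> users
    for campaign, user, event in events:
        seen[campaign][event].add(user)

    per_campaign = {}
    click_counts = Counter()
    for campaign in sorted(seen):
        recipients = seen[campaign]["delivered"]
        if not recipients:
            continue  # nothing delivered: no meaningful rate
        # Count only users the test actually reached, once per campaign.
        clicks = seen[campaign]["clicked"] & recipients
        reports = seen[campaign]["reported"] & recipients
        click_counts.update(clicks)
        per_campaign[campaign] = {
            "recipients": len(recipients),
            "click_rate": len(clicks) / len(recipients),
            "report_rate": len(reports) / len(recipients),
            # Clicked first, then reported: still a click, but a useful signal.
            "clicked_and_reported": sorted(clicks & reports),
        }

    repeat = sorted(u for u, n in click_counts.items() if n > 1)
    share = len(repeat) / len(click_counts) if click_counts else 0.0
    return per_campaign, repeat, share

if __name__ == "__main__":
    metrics, repeat_clickers, repeat_share = summarize(EVENTS)
    for name, m in metrics.items():
        print(name, m)
    print("repeat clickers:", repeat_clickers, "share of clickers:", repeat_share)
```

A falling click rate alongside a rising report rate across campaigns is the trend to look for; repeat clickers are the group for targeted follow-up training.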

 

Many employees think of suspicious email links and phishing attempts as being an inconvenience, but one that can be fixed by the IT department, not one that can take down servers, shut down parts of the company, compromise sensitive data, or potentially cost millions. All of these things are possible, and all have happened with the click of a mouse in an office or cubicle. 

 

What can be done to increase cybersecurity?

Clearly, employees are on the front line. Regardless of safeguards put in place, a large role of IT departments, security departments, and security contractors is often to clean up the mess left behind after a cyber attack or breach. Employees with higher clearances within a company also pose a large risk because of their access to more sensitive data, some of which may even be available on their laptops or company-issued devices.

 

Email and the use of insecure or default passwords are the most common doorways used to gain cyber entry. The Verizon report cites over 80% of hacking-related breaches taking advantage of stolen passwords or weak passwords. The report also indicates that nearly 70% of malware that affects businesses is installed by clicking on malicious email attachments.  

 

Using the same cybersecurity techniques used in the past may not work against the future cyber attacks and attempted data breaches. Ultimately, it comes down to increased awareness and firewalling devices and software so that these devices cannot be used to reach the most sensitive data. Most employees and even executives are aware that cyber attacks are real and can happen. However, the lingering impression is that cyber attacks and data breaches happen on the nightly news and in the news headlines and that they happen to other companies.  

 


Employees can be trusted with the numbers that represent the company's potential financial exposure and the truth that every company has a real risk of cyber attack, including theirs. Understanding the gravity of the problem can help to get the team on board with security measures, instead of viewing them as an inconvenience. Any witting perpetrators within the company are already aware of the risk and may already be plotting their reward. A more pointed education for the broader base of employees should be implemented and reinforced regularly.

 

 

 

 

 

 

 

 
