Staff cybersecurity training and awareness
For more tips and how-to's, visit our tech blog
Last month we talked about being proactive around backups, data protection and business continuity. Another crucial step to ensuring your data is secure is regular and effective staff training and awareness.
Did you know that 38% of security breaches reported to the OAIC from January to June 2020 were related to human error? You need to think of your staff as the last line of defence against cybercriminals. If they all don’t follow safe and secure practices, then the risks of being targeted by a cyber-attack increase. The good news is that there are some simple steps that you can take to ensure that your cyber defence force is fully trained and ready for action.
If you don’t currently have a robust cybersecurity staff training regime, you are not alone. A 2020 survey into Security Awareness and Training (SA&T) Programs conducted by Forrester found that many organisations overestimate their staff’s cybersecurity knowledge and compliance. The results found that:
- 53% of employees didn’t believe their leadership team had made security a social norm.
- 33% of staff who had completed SA&T programs admitted to flaunting their company’s security policies.
- 45% of companies don’t capture employee feedback.
- 33% don’t monitor success using metrics.
Here at Health IT, we currently offer free cybersecurity training to all our Managed Security customers and recommend that you conduct annual company-wide training. In addition, to ensure that you aren’t on the wrong side of the above statistics, we have put together some guidelines on maintaining a high level of staff training and awareness of cybersecurity threats.
Cybersecurity Topics You Should Cover
Access control
Access control involves controlling which members of staff can access what files within your business’s IT system. Just like receptionists shouldn’t have access to prescribe medication, an employee’s personal information such as salary and address should be kept private, with only relevant managers having access.Implementing and enforcing access controls within your business will help you protect your business, customer and employee data by limiting staff and supplier access to files, networks, applications and sensitive data.
Passphrases
A 2018 Global Password Security Report revealed that 50% of users use the same passwords for their personal and work accounts. This data was supported by a 2019 online security survey conducted by Google, which found that 65% of people use the same password on more than one or all of their accounts. Not only that, but NordPass found that more than 2.5 million people use the password 123456.
To guard against hackers, we recommend that you use a passphrase rather than a password (and that ALL external access be additionally protected by multi-factor authentication – more on this below). An ideal passphrase is longer, contains punctuation, and relates to something personal that you will remember easily. For a clear picture of why a passphrase is a better option, take a look at the following take from the Australian Cyber Security Centre:
| Password / Passphrase |
Time to crack: Brute Force Attack |
Time to crack: Dictionary Attack |
Easy to remember | Comments |
|---|---|---|---|---|
|
password123 |
Instantly, Less than AU$0.01 |
Instantly, Less than AU$0.01 |
Very Easy (too easy) |
One of the most commonly used passwords on the planet. |
|
Spaghetti95! |
48 hours, AU$587.50 |
Less than half an hour, AU$6.10 |
Easy |
Some complexity in the most common areas, and very short length. Easy to remember, but easy to crack |
|
5paghetti!95 |
24 hours, AU$293.70 |
Less than 1 hour, AU$12.20 |
Somewhat Easy |
Not much more complex than above with character substitution, and still short length. Easy to remember, but easy to crack. |
|
A&d8J+1! |
2.5 hours, AU$30.60 |
2.5 hours, AU$30.60 |
Very Difficult |
Mildly complex, but shorter than the above passwords. Hard to remember, easy to crack (against BFA). |
|
I don’t like pineapple on my pizza! |
More than 1 Year, More than AU$107,222.40 |
More than 40 days, More than AU$11,750.40 |
Easy |
Excellent character length (35 characters). Complexity is naturally high given the apostrophe, exclamation mark and use of spaces. Very easy to remember, and very difficult to crack. |
Individual logins
Another common practice that is risky from a cybersecurity perspective is sharing login details. We know that busy clinics frequently share devices, with a single username and password used to log into systems.
This practice leaves you open to several different types of security threats. Someone could potentially change the password and lock you out of your account. They could take actions in your name or use the password to access other accounts if you have used the same password multiple times. Additionally, it makes you more vulnerable to “sniffers,” who monitor and capture sensitive data on a network.
So, while it sometimes makes sense to use a generic ‘reception’ login to a computer system, you can mitigate risk of cybersecurity breaches by ensuring that further logins are individual and appropriately configured. From the RACGP “Standards for General Practice, 5th edition”: Criteria 6.4 C – “Our practice’s clinical software is accessible only via unique individual identification that gives access to information according to the person’s level of authorisation.”
Multi-factor authentication
You probably use multi-factor authentication frequently in your personal life to access your home banking, email account and social media. As password theft evolves and hackers become more sophisticated, multi-factor authentication is a low cost and low complexity way to keep your business data safe, and the team here at Health IT can help you to implement it into your clinic.
Incident response plan
Even when you have a robust policy and a regular employee training schedule in place, breaches can occur. Do you know what to do in the case of a cybersecurity attack? We have the tools available on our website to help you to create a customised data breach response plan for your business. It has been designed to support private medical practices or other small businesses with a single manager.
Testing Employee Cybersecurity Awareness
To check team members level of awareness around cybersecurity and ensure that it is top-of-mind, it isn’t sufficient to run one training session and call it a day. Here are some suggestions to help you regularly assess whether cybersecurity is a social norm within your workplace:
- Talk to Health IT for assistance around online security training and phishing exercises for your staff
- Hold a quarterly quiz.
- Be a detective for a day and conduct a physical desk check. Take photos of any personal information or passwords written on post-it notes and use these real office examples during your next security training session.
- Check the recycling bin – improper disposal of sensitive information is a common challenge for many organisations.
- Incentivise people to identify and report potential cybersecurity weaknesses.
- Send a fake phishing email to staff and track who clicks on it. The email can direct these people to an online quiz to help them brush up on their cybersecurity knowledge.
- Regularly share your latest cybersecurity success metrics and celebrate good results.
Remember, cybersecurity attacks can be extremely costly in data loss, changes to programs or services, or loss of reputation. Make sure that you have a data breach response plan, ensure your staff are armed with the knowledge they need, and ensure your data is regularly backed up as a last line of protection in the event of a cybersecurity attack. Being proactive is crucial to keep your healthcare data safe.
If you would like more help and advice on any of the above, our team would love to work with you to implement best practice cybersecurity practices into your clinic. You can give us a call on (07) 3839 4321 or email service@healthit.com.au.