No matter how many layers of security technologies you employ on your network, there is no way to completely secure your critical business data without securing the people who need access to that data to conduct business.
Last week UnityPoint Health announced a data breach of medical and personal information for 1.4 million of their patients. After conducting a computer forensics investigation on their IT systems, it was determined that a targeted phishing email, appearing to come from an executive in their office, led to the breach.
UnityPoint Health has reported that since the breach was discovered, they have reset and changed passwords, added additional email filtering technology, enabled two-factor authentication and conducted mandatory phishing education for their employees.
I find it interesting that this story comes from the healthcare industry. More and more we are encouraged to practice preventative care in our health: eat right, exercise, stay hydrated, etc. to prevent problems rather than try to fix them once they have surfaced. With that in mind, it seems like providing mandatory phishing education for staff should be happening before a breach occurs rather than as a response to one.
I'm not here to question UnityPoint Health; they will get plenty of that during the investigation that will be coming from the Office for Civil Rights, the governing organization over compliance with HIPAA and the HITECH Act. Rather, I view this as an opportunity to help people understand that prevention is better than repair.
While there are countless strategies that can be implemented to defend against a cyber attack, providing IT security education for your staff is often the one that is overlooked or ignored, yet it is likely the most important. Perhaps this is because leadership does not know where to start, or believes the topic is too complex to even attempt to educate their employees.
The truth is that most of the knowledge needed to make your team far less susceptible to cyber attacks is not complex at all. Simple steps like making a quick phone call to confirm instructions received in an email before executing them can prevent a cyber incident like a data breach or theft of funds.
My company includes web-based IT security training for all of our Managed IT Services clients and recently began offering this service as a stand-alone Managed Service. Our program is a simple, affordable, per-user subscription that provides ongoing training in a format that is easy to understand.
If you are concerned at all about securing your critical business data (client lists, financials, proprietary information, etc.), I suggest that you make sure you are taking steps towards educating your people. They remain the most vulnerable and commonly targeted piece of your IT security.