One Article Review

The article:
Source AlienVault Blog
Identifier 455331
Publication date 2017-12-27 14:00:00 (seen: 2017-12-27 14:00:00)
Title Why Healthcare Security Awareness Training Doesn't Work (And What to Do About It)
Text The last five years have seen a meteoric rise in the number of cyberattacks targeting healthcare organizations. Why? Because healthcare organizations boast some of the lowest security budgets of any industry, and personal healthcare records are worth a fortune on the dark web.

Don’t believe me? Try this: Threat actors can make between $285,000 - $1.7 million from a single successful healthcare data breach. At that rate of return, it really shouldn’t be surprising to see how regularly healthcare breaches are hitting the headlines.

If you’re in the healthcare industry, you’re probably feeling concerned. After all, healthcare organizations are highly complex environments and they can be a tremendous challenge to secure. Where should you even start?

User-Centric Security

Before you start spending big on expensive security products, it makes sense to look at where the greatest risks lie. To do that, let’s take a look at the most common causes of healthcare data breaches in recent years. According to the 2016 Data Breach Investigations Report, produced by Verizon, there are three primary concerns:

1. Insiders (mainly negligence)
2. Lost or stolen devices
3. Phishing

Do you notice anything about these threats? Here’s a clue: They aren’t rooted in technology. Quite the opposite, in fact: they’re all rooted in human behavior.

Now, of course, security products can be invaluable in dealing with these threats. Devices can be encrypted, user access levels can be tightly controlled, and network activity can be monitored. You can even use spam filters and content scanners to weed out most malicious communications.

But what you can’t do is totally isolate your users from malicious activity… it’s just not possible. One way or another your users will be exposed, and they must be ready to deal with it. By making the effort to properly train your users, you can hugely raise the security profile of your security organization.
Out with the Old

If I had to guess, I’d say your existing security awareness training is… less than comprehensive. You’re not alone. In most healthcare organizations, security awareness training wouldn’t even exist if it wasn’t a major requirement of HIPAA compliance. But knowing that the greatest threats to your organization are all rooted in human error, doesn’t that seem crazy?

If you’re genuinely serious about reducing cyber risk, there are going to need to be some dramatic changes. Perhaps the biggest problem I see with the average security training program is that it is focused on completely the wrong metric: Awareness.

Ask any behavioral psychologist whether having more information causes people to make better decisions, and you know what they’ll say? Absolutely not. That’s why, despite understanding more than ever about nutrition, we have a glo
Sent Yes


The article does not appear to have been picked up again after its publication.


The article does not appear to be a follow-up to an earlier one.