By: Hart Johnson, MSCSIA, CEH, CHFI
Cybersecurity Part 3: Building a Cybersecurity Awareness Program for Your Practice
By: Hart Johnson, MSCSIA, CEH, CHFI
When we think of cybersecurity and hackers, what do we picture? Some person hiding their face typing a million words per minute into a computer breaking into the super-secret, encrypted mainframe by bypassing the VPN Firewall tunnel using the super secret USB ports on the server? If that didn’t make any sense to you, good, because it’s not really accurate. Movies have made us picture hackers like this, but hacking is much different than portrayed in the movies. Threats come in all shapes, colors, and sizes. As talked about in a previous blog post, Phishing can happen at any point, and takes on many different forms. Threats can even come from within an organization, which is why it is vital that you implement a cybersecurity awareness program at your practice. National Cybersecurity Awareness Month is coming up in October, so what better time to do this.
A cybersecurity awareness program doesn’t need to be expensive, time consuming, or difficult to implement. In this blog post, we will cover some basics of starting your cybersecurity awareness program from the ground up. If you aren’t sold yet, according to a Kaspersky survey (https://go.kaspersky.com/rs/802-IJN-240/images/GL_Kaspersky_Report-IT-Security-Economics_report_2019.pdf), half of the companies surveyed faced a data breach because of inappropriate use of IT resources by employees. This highlights the need to make sure employees know how to react to various threats and dangerous situations. Side note, it’s really not even an option for the healthcare sector, as it is required to implement a security awareness program by the Health Insurance Portability and Accountability Act (HIPAA).
Here are some basics when building your cybersecurity awareness program:
#1: Make the program useful to the employees from both a professional and personal standpoint.
If the employee can learn something new to help protect themselves online for their personal life, they are more likely to understand and really hone in on those skills. The idea is to teach the employee how to behave securely overall, rather than specific to your business, so the skills translate and stick. The program can cover the proper use of work devices, what should be done on company time, etc.
#2: Don’t use fear as a training tactic
Fear doesn’t create long term learning and is not an effective tactic. Threatening to fire an employee if they don’t act securely doesn’t create security, teaching them how to identify the threat will. They will be more likely to follow the security training, if they feel it is valuable to them.
#3: Duration and Regulation
As stated previously, in our line of work, we have to implement some sort of security awareness training. With that said, the regulations are fairly vague on what counts, what duration is required, etc. What you don’t want to do is implement a training just to meet the requirement that really doesn’t help solve the problem or make it worse! You need to make sure that your security awareness training is complete enough, without completely eating into the bottom-line of your business financials. But don’t be fooled, regulation will come, it isn’t a matter of if, its a matter of when. So you might as well build a robust, yet meaningful security awareness program, that doesn’t take up so much of your employee’s day that they get bored. The way I like to think of it, is bite-sized learning. Break it down into smaller chunks of learning over time, which improves retention and learning. Twenty, 3-4 minute videos, watched over a period of weeks, is a lot more palatable than having to sit through an hour long presentation in most cases. 
#4: Build in scenario based quizzes
At the end of each module (the bite-sized learning activity) put a short, scenario based quiz. This will do two things for you.
A: It will provide you with a paper-trail that shows the employees are taking the training and completing it.
B: It will also be valuable to you and the employee, since they get to prove their knowledge of the subject in a real-world scenario.
Don’t make the quizzes insanely difficult or obscure, make sure it is an actual scenario they may face in their job and/or personal life.
There are a multitude of different ways to build out your security awareness program, but it is important to keep these details in mind. Your employees will respond well to it and your business will be better off having a good security awareness program in place.
A few bullet points to keep in mind:
- Understand your current starting point, where you currently stand from a security perspective.
- Go all out, dive in head first, and really make it stick
- Understand your specific business culture
- Make sure your goals and objectives are clear and concise, but be flexible and adaptable to change
- Consider making it rewarding to complete the challenge, some friendly inter-office competition never hurts.
- Consistently measure and re-tune your program. Cybersecurity is a cyclical process where you constantly have to reassess and revise, your training is no different.
This doesn’t have to be a daunting task, it can be accomplished relatively easily and painlessly. Remember to have fun with it and that in the end, this improves your business security posture, which is a win across the board for you and your employees.
