Cybersecurity Doesn’t Work Without Culture Change

Article Summary:

  • A culture of cybersecurity only truly takes root when it’s embedded into daily decision-making and a part of everyone’s roles, including the C-Suite.

  • Annual training videos can be effective, but only if they are supplemented with ongoing, engaging activities combined with reward structures or competitions.

  • Workforce members outside of security and IT need seats at the same table in order to provide input on how new solutions will impact workflow, users, and ultimately patients.

Enhancing cybersecurity is critical, but a pervasive Band-Aid mindset causes organizations to overlook the vital ingredient of any successful security effort: culture change.

Need a reminder why cybersecurity is at the top of so many lists? According to Cybersecurity Ventures, “global ransomware damage costs are predicted to exceed $11.5 billion by 2019, up from $5 billion in 2017,” a 15x increase from $325 million just two years ago. In addition, they predicted that ransomware attacks on healthcare organizations will quadruple by 2020.

Organizations are responding with massive investments in technology, which is an important step, but even the best technology cannot provide absolute security. Simply put, it’s all about the people.

Workforce members must truly feel they have and want to have a stake in the organization’s security. This starts with a shift in mindset, but only truly takes root when cybersecurity is embedded into daily decision-making and a part of everyone’s roles, including the C-Suite. My experience is that this is much easier said than done. I’ve seen organizations of all sizes struggle with this, from small, rural community hospitals to multi-facility health systems.

Let’s take a look at what it takes to successfully transform into a culture of security.

Set the Right Tone by Driving Cultural Change from the Top Down

A culture of security that permeates throughout the entire organization starts at the top, from the board to the C-Suite.

Executive management needs to emphasize security as a strategic priority for the organization and lead by example in following new company policies and processes. Once there’s buy-in at the top, the Chief Information Security Officer (CISO), or equivalent leader, can develop an organization-wide plan and ensure cybersecurity is integrated into all aspects of the organization. Essentially, the C-Suite and board hold hands while riding unicorns, tossing rainbows down to the CISO, and the rest of the workforce dances in the glow, right?

This is actually possible if cybersecurity can take a cue from physical security.

I worked with one healthcare organization that had pretty much perfected physical security. The CEO was the first to question anyone without a badge. When the board members came for a meeting, every one of them ensured that the first thing they did was check in using the visitor management system. These seem like basic practices, but I believe that just seeing these acts by the leadership team helped cultivate how the entire workforce adopted similar physical security best practices. The security guards took more pride in their duties and all employees embraced their responsibilities to help secure their work environment. This is true no matter the type of security: when it becomes important to the CEO, it becomes important to everyone in the organization.

In order to drive top-down engagement, executive management needs to first determine the organization’s risk appetite. This means understanding the organization’s risks, and their financial, health, safety, reputational, regulatory, and operational impacts.

Engage executive management by following these steps:

  1. Identify (and articulate to leadership) the impacts of doing nothing versus the impacts of taking action.
  2. Once you get buy-in from the top, work with the executive team to spread the word. Have the CEO send a company-wide communication about security.
  3. The CEO then needs to “walk the walk,” and set the example by embedding security in his/her daily, weekly, and quarterly communications.

Simple, yes, but the CEO really does set the tone.

Use Focused, Routine Training to Drive Culture Change from the Inside Out

80% of breaches are attributed to some type of employee negligence, according to an Experian study. People can’t perform what they don’t know, and this makes awareness and training a crucial piece of the cybersecurity puzzle. The phrase “awareness and training” probably sends a shiver down your back, one not of fear but of sheer and penetrating boredom, and it should. Security and awareness videos are a place where unicorns and rainbows go to die.

Workforce training typically takes the form of bland security videos, in which the actors seem to be boring themselves. It’s not surprising that employees would prefer to play these in the background while they do something else that feels like (and probably is) a better use of their time.

So, is the key to buy funnier videos? The answer is you’re asking the wrong question. Awareness and training should be a continuous activity. Annual training videos can be effective, but only if they are supplemented with ongoing, engaging activities, like “lunch and learns” and fake phishing email tests, combined with reward structures or competitions. Since everyone learns differently, make sure training and awareness utilize various types of learning methods (visual, physical, verbal, social, solitary, etc.). Simply adding security as an agenda item to team meetings is usually a quality reinforcement tool.

Most healthcare organizations I’ve seen don’t think outside of the box. They purchase a pre-built curriculum that includes a video with a few questions at the end to assess “compliance.” If they are lucky, the vendor updates some of the content from year to year, but the majority of the time it is the same video and same questions. This is not going to teach your workforce what they need to know. You have to put effort into it by assigning resources to develop unique content that is continually pushed out to the workforce and that is applicable to what your employees do on a daily basis. A generic video is going to teach generic practices that may not apply to your workforce. Create content based on different types of roles in your organization. Your IT team members need to understand secure coding best practices or ensure that they validate an employee’s identity before resetting a password, while your clinical staff needs to be reminded that they must lock their screen when they walk away from their workstation or that they must ensure they are providing the correct visit summary to the correct patient. In addition, make the training interactive and engaging.

A nice rule of thumb is: your workforce will get out what the training designers put in. Merely click “add to cart” on a pre-built training curriculum and your workforce will surely click “minimize” while they do real work.

In addition, training and awareness should relate to employees’ professional as well as personal lives. Relate security to seasonal, personal topics. For example, communicate online shopping risks and considerations before Cyber Monday, when everyone will be searching and clicking like madmen. Relating security threats or best practices to an employee’s daily actions will promote understanding and, subsequently, compliance.

Engage the End Users Because Patient Safety is the Ultimate Goal

Workforce members outside of security and IT need seats at the same table in order to provide input on how new solutions will impact workflow, users, and ultimately patients. This will ensure tools and processes are developed with employee workflow at the helm, which is particularly crucial for healthcare provider organizations.

The primary focus of any healthcare provider organization is patient safety. Communicate to the organization that the lack of information security is also a patient safety issue. For example, if ransomware shuts down hospital systems and providers are unable to view charts or images, patient safety would be at great risk. If a hacker gets access to an infusion pump and a patient does not receive the proper dose of medication, the patient’s safety will be impacted.

In order to drive a culture of security, the security team must communicate in terms that validate alignment with this focus. This will help business stakeholders understand that everyone is aligned with the same goal in mind.

Parting Idea That Everyone Overlooks

The complexity of today’s organizations allows for countless security vulnerabilities. Creating a culture that engages employees as key security stakeholders plugs leaks and implements multiple checkpoints and barriers to entry that technology just can’t accomplish on its own.

My final recommendation is to go even farther than the above: incorporate security into organizational values as a way to ensure that cybersecurity remains a company priority. Doing so will keep it at the forefront of employees’ thoughts and actions as they go about their daily work routines.

The first step to all this? Shift from a compliance mentality to creating a culture of security, and you’ll begin a journey that will have significant payoff down the road.

References

Morgan, S. 2017, November 17. Ransomware Damage Report: 2017 Edition. Retrieved from https://cybersecurityventures.com/ransomware-damage-report-2017-part-2/

Yasin, R. 2016, May 24. Employee Negligence The Cause Of Many Data Breaches. Retrieved from https://www.darkreading.com/vulnerabilities---threats/employee-negligence-the-cause-of-manydata-breaches-/d/d-id/1325656?

About the Author

Mary Miller is an Information Security & Risk Management Consultant with Impact Makers. She has a proven track record of successfully facilitating the culture change necessary for healthcare clients to experience true cybersecurity.