If you’ve been following the news, chances are you’ve heard about several major data breaches. Being a tech company, Donesafe has always kept data security top of mind. However, being in the business of health and safety, we’ve also noticed how little emphasis the traditional health and safety framework places on cybersecurity. The hope is that the constant news of security breaches will animate business leaders and board members to start considering cybersecurity a vital feature of the safety landscape. A quick overview of current attitudes and practices shows that there is much work to be done on this front.
The recent highly publicized cases of ransomware attacks had a resounding effect on critical information infrastructures worldwide, including hospitals. Cybersecurity experts had been warning about this danger for a while now, so it’s surprising to learn that as a rule, cybersecurity usually is not tied in with health and safety.
The Occupational Safety and Health division of the International Labour Organization does not list cybersecurity as one of its focus areas, and has remained largely committed to occupational health and safety issues such as improving working conditions and expanding worker protections. While those areas are crucial to its mission and deserve focus, there is little doubt that data safety has become an issue of global concern that affects the safety and integrity of working environments worldwide. Articulating this not only as an IT concern, but as a work safety concern, is the first step towards tackling the problem from all necessary angles.
The specialised technical nature required to deal with data security might be the reason it has often been relegated to data experts. The lack of attention to cybersecurity as safety might also be due to the perception that cybersecurity risks are an external threat, whereas health and safety is often internally managed. This assumption is a direct threat to safety, because for a long time now cyberthreats have been exploiting internal vulnerabilities–think less virus attacks, and more insidious email scams. This variety of vulnerabilities means cybersecurity is resistant to being neatly managed by a single specialized department. The technical nature of maintaining and addressing security runs up against the fact that employees of various positions and skill levels have the potential to directly affect their organisation’s data security.
Another reason that cybersecurity has not been given the necessary attention is cost. Investing in cybersecurity is expensive both in terms of network security and employee training, but the consequences of ignoring it are far more drastic. Recent attacks have shown that the healthcare industry is especially vulnerable to cyberattacks, which is of course concerning due to the confidential information found in personal health records. These records are targeted for their high value: a study found that a complete health record can be sold for as much as $40 USD or roughly $54 AUD as of this writing.
While the cost of patching up a data breach will vary by company size and the scope of the attack, a recent IBM study found that the average cost has now increased to $4 million USD. This sum includes both indirect costs (such as brand damage and customer attrition) and direct costs (hiring experts, paying fees, and covering identity monitoring services for victims).
Aligning cybersecurity with safety might be one of the clearest ways to instil a culture of cybersecurity into an organisation. Although safety behaviours related to accident prevention are pretty commonplace nowadays, it hasn’t always been this way. The same strategies and commitments used to promote an organisational culture of safety are transferable to the cybersecurity arena. These include a top-down initiative from the highest levels of management and the integration of cybersecurity into the safety protocols and training across a company’s departments. In health and safety management, commitment at the managerial level has been correlated with risk reduction at the operational level, and it’s worth assuming that this top-down approach would hold up in promoting cybersecurity as well.
Formal leadership sets the tone for the organisation’s policy, but the strategy must have employee buy-in to succeed. Technological solutions such as firewalls and antivirus software are necessary but hardly enough. A cyberattacker already assumes that each company is equipped with some level of safeguard, so arguably the true firewall is a culture of cyber safety that permeates an entire organisation.
Social engineering and phishing schemes have become a preferred tactic for cybercriminals, and every organisational cybersecurity policy should be strategically positioned to address these kinds of threats. Common social engineering and phishing tactics include emails appearing to be from a legitimate sender that trick the recipient into clicking on a link and entering sensitive information like passwords or account numbers. Since the scam targets individual employees rather than the company IT infrastructure, it’s clear that antivirus and firewalls (while an essential part of overall security) will do little to protect against it. The best safeguard is a cybersecurity-savvy culture from the highest levels of leadership down to each individual contributor.
Cyber threats are all the more concerning because up until they turn into a major incident, they are somewhat intangible threats: the warning signs are limited or nonexistent. Of course this is a dangerous illusion, given the distressing and costly consequences of a cyberattack. Fortunately, there are some indicators that attitudes may be shifting. In a series of surveys over the past few years, Deloitte concluded that cybersecurity is increasingly becoming evaluated as a component of overall security. They recommend a few different strategies for making the threat more tangible. Here are two of their suggestions that really stood out to us:
Realistic simulations can offer a concrete idea of where the vulnerabilities lie, even down to the individual device. If possible, senior staff may choose to address these concerns with individual employees whose devices appear to have important security flaws.
Nearly 40% of breaches are internal, so training employees on how to improve their individual security practices can go a long way in reducing risk. A 2015 study from the University of Alabama at Birmingham showed that 75% of employers view employee negligence as the single greatest threat and highlighted the outsize role that “human error” plays in security incidents.
(On this, if you like podcasts, I highly recommend the episode ‘What Kind of Idiot Gets Phished’ from Reply All by Gimlet Media, where one host decides to test who in their organisation would fall for a phishing scam. The results were hilarious and a little scary.)
One of the largest risks on the individual level is the cross between confidential documents or company networks and personal devices. Out of convenience, many employees connect their personal devices to their company’s network. If the user of the device is not security savvy (but sometimes even if they are), this can become an obvious gateway for cybercriminals. The same UAB study from above also showed that three quarters of employees have uploaded work files to less-secure personal cloud accounts. The ‘bring your own device’ (BYOD) culture at work is very obviously the future and it’s something that we at Donesafe rely on, but with good training the risks of this can easily be significantly lessened.
Insecure passwords pose another threat–if you’re still using 123456 or the word password, we’re looking at you. Avoid passwords that are weak and easy to guess. Yes, those periodic reminder prompts to change your password always pop up at the worst possible moment, but you shouldn’t ignore them.
Last but definitely not least, safe email practices are arguably the best defence against the majority of threats. Simply teaching employees how to recognise questionable emails can go a long way in preventing unauthorised intrusions, and the return on investment on this little step can be massive. Travellers Insurance recommends training employees to only open email if it:
Cybersecurity should be tied to health and safety in a way that emphasises cybersecurity risk as a component of overall risk. Prolonging the separation of these two departments only heightens the risks associated with increased global connectivity and short-circuits the potential to address incidents swiftly when they arise. The framework of successful workplace health and safety initiatives–top-down leadership and employee buy-in–can serve as an instructive model on how to take on this challenge.
By Aja Cacan at Donesafe.com
For a paperless, jargon-free business safety solution that you can manage from your phone, click here to get in contact and ask about how you can try Donesafe for FREE or visit our features page to find out more.