Why cybersecurity should factor into every health and safety plan
If you’ve been following the news, chances are you’ve heard about several major data breaches.
Being a tech company, Donesafe has always kept data security top of mind. However, being in the
business of health and safety, we’ve also noticed how little emphasis the traditional health and
safety framework places on cybersecurity. The hope is that the constant news of security breaches
will animate business leaders and board members to start considering cybersecurity as a vital
feature of the safety landscape. A quick overview of current attitudes and practices shows that there
is much work to be done on this front.
The recent, highly publicized ransomware attacks had a resounding effect on critical information infrastructures worldwide, including hospitals. Cybersecurity experts had been warning about this danger for a while, so it is surprising to learn that, as a rule, cybersecurity is not tied in with health and safety.
The Occupational Safety and Health division of the International Labor Organization does not list
cybersecurity as one of its focus areas and has remained largely committed to occupational health
and safety issues such as improving working conditions and expanding worker protections. While
those areas are crucial to its mission and deserve focus, there is little doubt that data safety has
become an issue of global concern that affects the safety and integrity of working environments
worldwide. Articulating this not only as an IT concern but also as a workplace safety concern is the
first step toward tackling the problem from all necessary angles.
The specialized technical nature required to deal with data security might be the reason it has
often been relegated to data experts. The lack of attention to cybersecurity as safety might also be
due to the perception that cybersecurity risks are an external threat, whereas health and safety are
often internally managed. This assumption is a direct threat to safety, because for a long time
now, cyber threats have been exploiting internal vulnerabilities–think fewer virus attacks and more
insidious email scams. This variety of vulnerabilities means cybersecurity is resistant to being neatly
managed by a single specialized department. The technical nature of maintaining and addressing
security runs up against the fact that employees of various positions and skill levels have the
potential to directly affect their organization’s data security.
Another reason that cybersecurity has not been given the necessary attention is cost. Investing in
cybersecurity is expensive both in terms of network security and employee training, but the
consequences of ignoring it are far more drastic. Recent attacks have shown that the healthcare
industry is especially vulnerable to cyberattacks, which is, of course, concerning due to the
confidential information found in personal health records. These records are targeted for their high
value; a study found that a complete health record can be sold for as much as USD 40, or roughly
AUD 54 as of this writing.
While the cost of patching up a data breach will vary by company size and the scope of the attack, a recent IBM study found that the average cost has now increased to USD 4 million. This sum includes both indirect costs (such as brand damage and customer attrition) and direct costs (hiring experts, paying fees, and covering identity monitoring services for victims).
Addressing cybersecurity as health and safety
Aligning cybersecurity with safety might be one of the clearest ways of instilling a culture of
cybersecurity into an organization. Although safety behaviors related to accident prevention are
pretty commonplace nowadays, it hasn’t always been this way. The same strategies and
commitments used to promote an organizational culture of safety are transferable to the
cybersecurity arena. These include a top-down initiative from the highest levels of management and
the integration of cybersecurity into the safety protocols and training across a company’s
departments. In health and safety management, commitment at the managerial level has been
correlated with risk reduction at the operational level, and it is reasonable to assume that this top-down
approach would hold up in promoting cybersecurity as well.
Formal leadership sets the tone for the organization’s policy, but the strategy must have employee buy-in to succeed. Technological solutions such as firewalls and antivirus software are necessary but hardly enough. A cyber-attacker already assumes that each company is equipped with some level of safeguard, so arguably, the true firewall is a culture of cyber safety that permeates an entire organization.
Social engineering and phishing schemes have become a preferred tactic for cybercriminals, and every cybersecurity policy should be strategically positioned to address these kinds of threats.
Common social engineering and phishing tactics include emails that appear to come from a legitimate
sender and trick the recipient into clicking on a link and entering sensitive information such as
passwords or account numbers. Since the scam targets individual employees rather than the
company IT infrastructure, it’s clear that antivirus software and firewalls (while an essential part of overall
security) will do little to protect against it. The best safeguard is a cybersecurity-savvy culture from
the highest levels of leadership down to each individual contributor.
Cyber threats are all the more concerning because up until they turn into a major incident, they are
somewhat intangible threats; the warning signs are limited or non-existent. Of course, this is a
dangerous illusion, given the distressing and costly consequences of a cyberattack. Fortunately,
there are some indicators that attitudes may be shifting. In a series of surveys over the past few
years, Deloitte concluded that cybersecurity is increasingly evaluated as a component of
overall security. They recommend a few different strategies for making the threat more tangible.
Here are two of their suggestions that really stood out to us:
- Have an IT professional perform an audit to demonstrate security vulnerabilities
- Simulate a cyber incident, much like you would a fire drill or an emergency response training
Realistic simulations can offer a concrete idea of where the vulnerabilities lie, even down to the individual device. If possible, senior staff may choose to address these concerns with individual employees whose devices appear to have important security flaws.
Nearly 40% of breaches are internal, so training employees on how to improve their individual security practices can go a long way in reducing risk. A 2015 study from the University of Alabama at Birmingham showed that 75% of employers view employee negligence as the single greatest threat and highlighted the outsize role that “human error” plays in security incidents.
(On this, if you like podcasts, I highly recommend the episode ‘What Kind of Idiot Gets Phished’ from Reply All by Gimlet Media, where one host decides to test who in their organization would fall for a phishing scam. The results were hilarious and a little scary.)
One of the largest risks, on the individual level, is the intersection of confidential documents or
company networks with personal devices. Out of convenience, many employees connect their
personal devices to their company’s network. If the user of the device is not security savvy (but
sometimes even if they are), this can become an obvious gateway for cybercriminals. The same UAB
study from above also showed that three-quarters of employees have uploaded work files to less-secure personal cloud accounts. The ‘bring your own device’ (BYOD) culture at work is very obviously
the future and it’s something that we at Donesafe rely on, but with good training, the risks of this
can easily be significantly lessened.
Insecure passwords pose another threat. If you’re still using 123456 or the word password, we’re looking at you. Avoid passwords that are weak and easy to guess. Yes, those periodic reminder prompts to change your password always pop up at the worst possible moment, but you shouldn’t ignore them.
Last, but definitely not least, safe email practices are arguably the best defense against the majority
of threats. Simply teaching employees how to recognize questionable emails can go a long way
towards preventing unauthorized intrusions, and the return on investment on this little step can be
massive. Travellers Insurance recommends training employees to only open email if it:
- Comes from someone they know
- Comes from someone they have received mail from before
- Is something they were expecting
- Does not look odd with unusual spellings or characters
- Passes your anti-virus program test
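As an added illustration (not from the original post or from Travellers Insurance), the script below applies the automatable part of that checklist, known sender, prior correspondence and unusual characters, to constructed sample headers; the contact lists and addresses are made up, and whether a message was expected or passes antivirus still needs the recipient and the scanner.

```python
# Added example: triage incoming mail against the checklist's automatable items.
# KNOWN_CONTACTS / PRIOR_CORRESPONDENTS are constructed stand-ins for a real
# address book and mail history.
KNOWN_CONTACTS = {"alice@example.com", "bob@supplier.example"}        # constructed
PRIOR_CORRESPONDENTS = {"alice@example.com", "news@vendor.example"}   # constructed


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; used to spot one-character lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def unusual_characters(text: str) -> bool:
    """True if the text contains non-ASCII characters, e.g. Cyrillic letters that
    look like Latin ones in a sender address or subject line."""
    return any(ord(ch) > 127 for ch in text)


def triage_email(sender: str, subject: str) -> list:
    """Return the checklist items the message fails; an empty list means it passes
    the automatable checks. The recipient still decides whether it was expected."""
    sender = sender.strip().lower()
    failures = []
    if sender not in KNOWN_CONTACTS:
        failures.append("not from a known contact")
    if sender not in PRIOR_CORRESPONDENTS:
        failures.append("no prior correspondence")
    if unusual_characters(sender) or unusual_characters(subject):
        failures.append("unusual characters in sender or subject")
    domain = sender.rsplit("@", 1)[-1]
    known_domains = {c.rsplit("@", 1)[-1] for c in KNOWN_CONTACTS | PRIOR_CORRESPONDENTS}
    if domain not in known_domains and any(edit_distance(domain, d) == 1 for d in known_domains):
        failures.append("sender domain is a one-character lookalike of a known domain")
    return failures


if __name__ == "__main__":
    # Constructed sample headers: a genuine contact, a typo-squatted supplier
    # domain, and a sender whose first letter is a Cyrillic 'а' (U+0430).
    for snd, subj in [("alice@example.com", "Q3 report"),
                      ("bob@supp1ier.example", "Updated invoice"),
                      ("\u0430lice@example.com", "Password reset")]:
        print(snd, "->", triage_email(snd, subj) or "passes checklist")
```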
Cybersecurity should be tied to health and safety in a way that emphasizes cybersecurity risk as a
component of overall risk. Prolonging the separation of these two departments only heightens the
risks associated with increased global connectivity and short-circuits the potential to address
incidents swiftly when they arise. The framework of successful workplace health and safety
initiatives–top-down leadership and employee buy-in–can serve as an instructive model on how to
take on this challenge.
By Aja Cacan at donesafe.com