The majority of participants in GovLoop’s online training, Cybersecurity for Public Health – A Cyber War Game, said they weren’t sure if their organization is prepared for a cyber breach. And according to speakers Mike Hager, the Senior Security Architect for Teradata and Sam Harris, the Director of Cybersecurity for Teradata, your organization probably isn’t.
The Teradata experts used a hospital as an example as they followed the progression of a breach. Hager emphasized four vital questions throughout the training:
- What is “it” that needs to be protected?
- Where is “it”?
- How do I have to protect “it”?
- Who has access to “it”?
Management must ask these questions in order to prepare for any attack. Additionally, these attacks often come from where you least expect it.
Hager explains, “We’ve looked at keeping the bad guys out of our networks and we’ve found out that is almost an impossible task.” Therefore, it is necessary for security teams to focus less on minimal compliance and work harder to develop risk assessment strategies.
To help management understand where their organization is lacking, Hager highlighted his top ten management mistakes:
10. Malicious compliance – checking boxes instead of real risk identification and management. Hospitals think they are safe because they check all the “boxes” of different regulations such as HIPA. However, with multiple avenues to reach the information, there can be breaches at any level even with checking all the “boxes”.
9. Not knowing what data really requires protection. Hager says that hospitals rarely know how to answer his first question: What is “it” that they need to protect?
8. Not understanding where the critical data and systems reside within the network. This goes back to Hager’s second question.
7. Not developing minimum protection requirements for all levels of sensitive data and protection devices. On the other side, Hager explains that overprotection can also be just as bad. Organizations must find a balance.
6. Not knowing who has access to all sensitive data and systems. This goes back to Hager’s fourth question. If you don’t know who has access to your data then you don’t know if someone is accessing it that shouldn’t be.
5. Believing security is an important issue, but that is important for someone else to handle.
4. Pretending the problem will go away if they simply ignore it.
3. Using technology as a fix and not a solution.
2. Failing to realize the value of their information and organizational reputations. The continued electrification of records has increased the risk for patients. Harris says, “Medical records are far more valuable than any piece of data.” Medical records sell for $40 on the black market while credit card information only sells for $1.
And drum roll please. Hager’s number one mistake is…
1. Believing “it” will never happen to them! Hager often asks hospital management if they know what the value of the hospital’s information is. He says that in most cases he receives a “deer in the headlights” look back from management.
It is crucial to know the value of your data and take all necessary steps to protect it. Because “it” could happen to you.
To learn more about how to handle a cyber breach, listen on-demand here! Also, be sure to look out for our second recap blog that will dive deeper into the online training.