Rebecca L. Rakoski, managing partner at XPAN Law Partners, and Sajed Naseem, Chief Information Security Officer (CISO) of NJ Courts, recently presented the webinar “Stop the Insanity! Why Healthcare Organizations Need to Take a New Approach to Cybersecurity & Data Privacy Training.” Rebecca and Saj returned to answer many commonly asked questions from the webinar.
Nearly every regulation or standard requires training. Why is it so important?
As we have seen repeatedly, cybersecurity goes beyond just a tech issue; it is really a “people” issue. Employees are undoubtedly an organization’s greatest asset but can be its biggest liability, because cyber criminals only really need one employee to make a mistake. This can take the form of clicking on a bad link in a spear phishing email, transferring money to a fraudulent account, or inadvertently downloading a virus from the internet. Employees are, by their very standing in a company, on the front line of our cyberwar against hackers. Accordingly, the Biden Administration has acknowledged the growing threat to both the public and private sphere. In fact, the White House has warned business leaders to “step up” measures to protect against ransomware attacks. The reason for such a warning has been the significant increase in ransomware incidents that have literally leapt out of cyberspace and had a disruptive impact on Americans’ daily lives (i.e., increased gas prices, violations of consumer privacy, and illegal appropriation of proprietary information). For a while now, cybersecurity experts have known that true data security is not a simple problem to solve, and surely not a purely technological one, but one that is layered and interdependent on the strength of the defenses around it. Therefore nearly every regulation and standard requires training, and that is where the starting point of implementing a strong security program really begins.
How do companies train now, and are those efforts effective?
It is all too clear that current approaches to cybersecurity training are not effective, nor are they working, for the simple reason that the training is not being done well. Daily we are bombarded by news of data breaches lacking any sort of context but generalized to include human error as the cause, even though many organizations have, for the most part, yearly cybersecurity training. Companies implement a broad range of techniques to gauge whether employees will click a bad link, one being phishing campaigns. Unfortunately, this type of research only gives the organization a partial picture, and a hazy one at that. Typically, it shows that an employee clicked, but it does not answer the revealing question of why the employee clicked. Click rates are tools, after all, but not the whole toolbox. Organizations need to understand the why to prevent it from happening. To solve this problem, organizations need to start by doing two critical things: (i) employees need to be able to “recognize” risks and “respond” appropriately, and (ii) employers need to teach them “how” by raising their situational awareness and keeping it top of mind. In the current security awareness environment, training programs largely fail because they lose the human component of training and rely too heavily on video training that often fails to engage the employees in the actual training. Frequently, employees see this type of training as something they must do, or a box they have to check for their employer. It is therefore common for organizations that are hacked to have “trained” their employees but to have failed to create a strong, practical, and effective cybersecurity and data privacy program. When it comes to training, results are key indicators of efficacy. The proof, at the end of the day, is in the pudding.
Why is quantification so important?
In light of this significant and growing issue facing business today, a new face for cybersecurity awareness needs to be measured, resolved, and/or mitigated in order to continue to provide justice, secure assets, minimize liabilities, and increase positive growth. Privacy and security programs need to incorporate security awareness, and that awareness needs to be quantified to ensure employees are informed and aware of security risks. This protects both themselves and an organization’s assets. So, when it comes to adding value to an organization using a security awareness program, it is necessary to have a set of methods to both study and measure its effect. Properly defined analytics and the rise of artificial intelligence make spotting potential insider threats easier and less intrusive. Measuring elements like Knowledge, Attitude, and Behavior (“KAB”) can provide both quantitative and qualitative insights into an employee’s cyber awareness. The knowledge component entails core requirements which an individual employee either knows or does not know. Conversely, tailored behavioral analyses take defined analytics a step higher by allowing for the revelation of underlying attitudes and the situational actions that one takes in response to denied stimuli. This is where Implicit Association Testing (IAT) has proven to be a valuable tool to reveal hidden or subconscious biases in attitude. Combined with objective situational assessments that include a time component, it provides powerful insight into an individual’s response to various cyber threats. In sum, binding these factors together is what leads to better predictive models of degrees of cyber vulnerability. CISOs that employ this in their organization can in turn use this information to develop custom training programs tailored to employees’ particular environment and job responsibilities, thereby creating an effective cyber awareness program that significantly improves its odds of preventing a cyber-incident.
Are you just talking about more training?
Businesses thrive not by doing things more frequently but by, in fact, doing them better. The prevailing thought for years now has been to employ poorly designed and generalized applications of cybersecurity training with minimal consideration of what actually works, inevitably leading organizations to still get hacked. So, this begs the question: why do we keep attempting to manage a square peg in a round hole while expecting a distinctly different outcome? Measuring an employee’s KAB toward cyber security will allow an organization to go beyond a simple click rate survey and instead understand “why” the employee is still clicking. Using this metric, an employee’s training can be better tailored using the KAB to increase both the effectiveness and value of that training. Ultimately, tailoring a program to an individual employee based on their unique metric and organizational directive in the company infrastructure will dictate the degree of success and advantage a security and privacy program can bring to an organization. As a parallel example, science is now working on creating pharmaceuticals and different therapeutic treatments specifically tailored to an individual’s DNA sequence. Based on research to this point, this type of tailored treatment has been shown to be more effective and efficient because it is particular to that individual, thus reducing unwanted and unforeseen consequences. The same principle applies here. A KAB score does the same thing for cybersecurity by increasing the benefits of a security and privacy program through tailored analytical consideration to better understand and then train the organization’s most important, but often highly unpredictable, variables: its employees.
Rebecca L. Rakoski is the managing partner at XPAN Law Partners. Rebecca counsels and defends public and private corporations, and their boards, during data breaches and responds to state and federal regulatory compliance and enforcement actions. As an experienced litigator, Rebecca has handled hundreds of matters in state and federal courts. Rebecca skillfully manages the intersection of state, federal, and international regulations that affect the transfer, storage, and collection of data to aggressively mitigate her clients’ litigation risks.
Rebecca serves on the New Jersey State Bar Association’s Cyber Task Force. Rebecca is Vice-Chair Elect for the New Jersey State Bar Association’s Bankruptcy Law Section and also served on the Complex Business Litigation Committee that drafted and revised the Court Rules involving electronic discovery in complex litigation matters. Rebecca has been appointed in several litigation matters by the New Jersey Superior Court as a Discovery Special Master.
Rebecca is on the Board of Governors for Temple University Health Systems, and an adjunct professor at Drexel University’s Thomas R. Kline School of Law and Rowan University.
Sajed Naseem (“Saj”) is the Chief Information Security Officer (CISO) of the New Jersey Courts. Sajed has over twenty years of experience with information security and information technology across many industries. As the CISO of the New Jersey Courts, Sajed has focused on Cybersecurity Readiness & Performance, Information Governance, and Network Security. Sajed holds master’s degrees from St. John’s University and Columbia University. Sajed routinely speaks at cybersecurity conferences nationally, in Europe, and with the New Jersey Bar Association. Sajed has also been an Adjunct Professor in Information Security at St. John’s University since 2010 and is a native of New York City.
Be sure to view a recording of this webinar here and don’t miss our many other expert webinars, podcasts, and blogs with our presenters here. Take a look at our book, HIPAA Privacy and Security, and our online compliance training courses such as What is HIPAA? and HIPAA Business Associate Agreements Under HITECH.